The following information relates to installation of ThinLinc on an SELinux-enabled platform.

Overview

ThinLinc is designed to run with reference SELinux policy and users in the unconfined context. It is possible to use ThinLinc with other policies and more restricted contexts, but will most likely require modifications to your policy to accommodate ThinLinc.

The local system policy will optionally be modified by tl-setup during installation. The SELinux module and other policy changes performed can be examined in /opt/thinlinc/share/selinux. Execute the command /opt/thinlinc/share/selinux/install to reapply ThinLinc's policy changes.

NOTE: The ThinLinc policy module is distributed in source form and therefore requires the reference policy build environment. ThinLinc setup will attempt to install this automatically on most distributions, but you may be required to install it manually.

ThinLinc can't start sessions (No agent server was available)

If ThinLinc is installed onto a partition that is mounted with the nosuid mount option and SELinux is active, ThinLinc will fail to start user sessions. The connecting user will get an error message saying "ThinLinc login failed (No agent server was available)". The vsmagent service will write the following errors to /var/log/vsmagent.log:

subprocess: execvp: Permission denied
tl-session: tl-xinit exited with status=71

Because of the nosuid mount option, SELinux will deny the vsmagent to transition from the initrc_t to thinlinc_agent_t SELinux context required for correct operation. To work around this problem, remove the nosuid mount option from the partition where ThinLinc is installed and restart the vsmagent service.