Summary: | cannot start sessions on SELinux systems when pam_limits is used | | |
---|---|---|---|
Product: | ThinLinc | Reporter: | Pierre Ossman <ossman> |
Component: | VSM Agent | Assignee: | Pierre Ossman <ossman> |
Status: | CLOSED FIXED | | |
Severity: | Normal | CC: | astrand, samuel |
Priority: | P2 | Keywords: | derfian_tester, relnotes |
Version: | pre-1.0 | | |
Target Milestone: | 4.6.0 | | |
Hardware: | PC | | |
OS: | Unknown | | |
Acceptance Criteria: | | | |
Description
Pierre Ossman
Setting it to permissive also gives this AVC:
> type=AVC msg=audit(1448980249.850:1384880): avc: denied { sys_resource } for pid=19241 comm="tl-session" capability=24 scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:system_r:thinlinc_session_t:s0 tclass=capability
This change to our policy gets things working:
> Index: thinlinc.te
> ===================================================================
> --- thinlinc.te (revision 30989)
> +++ thinlinc.te (working copy)
> @@ -107,8 +107,8 @@
> userdom_spec_domtrans_all_users(thinlinc_session_t)
> userdom_signal_all_users(thinlinc_session_t)
>
> -allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };
> -allow thinlinc_session_t self:process { getcap setsched setexec };
> +allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid sys_resource };
> +allow thinlinc_session_t self:process { getcap setsched setexec setrlimit };
> allow thinlinc_session_t self:fifo_file rw_fifo_file_perms;
>
> miscfiles_read_localization(thinlinc_session_t)
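Review bot: the AVC quoted above only shows a `sys_resource` capability denial, yet the hunk also grants `self:process setrlimit`, and no denial for that permission appears anywhere in the report. Either quote the AVC that produced the `setrlimit` denial or state in the commit message why pam_limits needs both grants, so a later reader can tell the wider rule is justified rather than over-broad.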
Also happens on Fedora 23.

Checked the reference policy; explicitly adding these permissions is the correct way to go. So everything is done here.

I can't reproduce this error on CentOS 7 with the fix from comment #5 applied. I've verified that the errors happen when the fix is not applied. I've tested the fix without errors using these limits: core, nice, nproc, nofiles, data, fsize, stack, cpu, as, maxlogins, priority, msgqueue.
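As an added illustration (not ThinLinc's code and not part of this report): a small Python script that reads AVC records in the audit.log format quoted above and compares the denied permissions with the `allow` rules already present in thinlinc.te, emitting only the permissions still missing, so a policy change like the one in this ticket can be checked for exactly the grants the denials call for. The quoted AVC and the pre-fix rules are embedded as constructed sample input; the regexes assume the plain single-line record shape shown here.

```python
import re
from collections import defaultdict
# AVC record as printed in audit.log; the quoted line from this report is the sample below.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
# 'allow src tgt:class { p1 p2 };' or the single-permission form 'allow src tgt:class p1;'
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>[^\s;]+))\s*;")

# Constructed sample input: the AVC from this report and the pre-fix rules from thinlinc.te.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1448980249.850:1384880): avc: denied { sys_resource } for pid=19241 '
    'comm="tl-session" capability=24 scontext=unconfined_u:system_r:thinlinc_session_t:s0 '
    'tcontext=unconfined_u:system_r:thinlinc_session_t:s0 tclass=capability',
]
OLD_POLICY = [
    "allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };",
    "allow thinlinc_session_t self:process { getcap setsched setexec };",
    "allow thinlinc_session_t self:fifo_file rw_fifo_file_perms;",
]

def se_type(context):
    return context.split(":")[2]  # type field of user:role:type[:level]
def denials_from_audit(lines):
    """Denied permissions keyed by (source type, target type, object class)."""
    denied = defaultdict(set)
    for m in filter(None, map(AVC_RE.search, lines)):
        key = (se_type(m["scontext"]), se_type(m["tcontext"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return denied
def allowed_from_policy(lines):
    """Permissions already granted by 'allow' rules, keyed as (src, tgt, class)."""
    allowed = defaultdict(set)
    for m in filter(None, map(ALLOW_RE.match, lines)):
        perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
        allowed[(m["src"], m["tgt"], m["cls"])].update(perms)
    return allowed
def missing_rules(audit_lines, policy_lines):
    """Allow statements still needed; a domain denied access to its own type gets 'self'."""
    allowed = allowed_from_policy(policy_lines)
    rules = []
    for (src, tgt, cls), perms in sorted(denials_from_audit(audit_lines).items()):
        tgt_tok = "self" if src == tgt else tgt
        need = sorted(perms - allowed.get((src, tgt_tok, cls), set()))
        if need:
            rules.append(f"allow {src} {tgt_tok}:{cls} {{ {' '.join(need)} }};")
    return rules
```

Run against the sample data it reports only `allow thinlinc_session_t self:capability { sys_resource };`, which is the capability half of the patch above; a denial with a matching `setrlimit` record would add the `process` rule the same way.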