In principle, we should re-open bug 3791, but I refuse to delay the release any more due to stupid SELinux. In any case, this is what I get:
    Error: Could not configure SELinux for ThinLinc. The error was:
    Updating default context mappings...
    Updating root context mappings...
    Could not find template type. Using default fallback.
    Compiling thinlinc policy module...
    make: Entering directory `/tmp/tmp7tZrdz'
    Compiling targeted thinlinc module
    /usr/bin/checkmodule: loading policy configuration from tmp/thinlinc.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 6) to tmp/thinlinc.mod
    Creating targeted thinlinc.pp policy package
    rm tmp/thinlinc.mod.fc tmp/thinlinc.mod
    make: Leaving directory `/tmp/tmp7tZrdz'
    Installing thinlinc policy module...
    libsepol.print_missing_requirements: thinlinc's global requirements were not met: type/attribute xauth_home_t
    libsemanage.semanage_link_sandbox: Link packages failed
    semodule: Failed!
I think this can be solved easily. Will probably move otherwise...
The actual policy was easily fixed. Unfortunately we also used it in a file pattern, which is way less flexible. A hackish workaround has been committed in r26180. Long term we might want to ignore ancient versions of refpolicy (like RHEL 5 uses). Tester should make sure that RHEL 5 works (of course), but also that the xauth stuff is present on newer systems.
    # cat /etc/issue
    Red Hat Enterprise Linux Server release 5.4 (Tikanga)
    Kernel \r on an \m
    # /opt/thinlinc/share/selinux/install
    Updating default context mappings...
    Updating root context mappings...
    Compiling thinlinc policy module...
    make: Entering directory `/tmp/tmpkDXEhD'
    Compiling targeted thinlinc module
    /usr/bin/checkmodule: loading policy configuration from tmp/thinlinc.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 6) to tmp/thinlinc.mod
    Creating targeted thinlinc.pp policy package
    rm tmp/thinlinc.mod.fc tmp/thinlinc.mod
    make: Leaving directory `/tmp/tmpkDXEhD'
    Installing thinlinc policy module...
    libsepol.print_missing_requirements: thinlinc's global requirements were not met: type/attribute xauth_t
    libsemanage.semanage_link_sandbox: Link packages failed
    semodule: Failed!
(In reply to comment #3)
> Installing thinlinc policy module...
> libsepol.print_missing_requirements: thinlinc's global requirements were not
> met: type/attribute xauth_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
Fixed in r27476 through r27478. Not sure how the hell I was testing on the first attempt. Now it works on RHEL 5, and a more modern system gets proper access and context:
    [ossman@ossman]$ ls -Z /var/opt/thinlinc/sessions/ossman/last/Xauthority
    -rw-------. ossman ossman unconfined_u:object_r:xauth_home_t:s0 /var/opt/thinlinc/sessions/ossman/last/Xauthority
Installation succeeds but sessions cannot start:
    2013-06-03 02:49:27 INFO vsmagent: VSM Agent version 4.0.0post build 3970 started
    2013-06-03 02:49:27 INFO vsmagent: My public hostname is 172.16.217.128
    /opt/thinlinc/libexec/tl-session: error while loading shared libraries: libpam.so.0: failed to map segment from shared object: Permission denied
The rabbit hole goes deep with this one. The problem in comment 5 is caused by the fact that you have to explicitly allow dlopen() and friends with older refpolicy. That's easily fixed, but after that it just breaks even more. Turns out that the domain transition from tl_session to tl_xinit isn't working, so everything is running in the restricted thinlinc_session_t context. I can't see any obvious reason why this breaks, but we cannot justify spending more time on this for this old platform. We'll revert most/all of the changes and move this bug forward.
For future reference, these were the needed lines to get PAM working:
    # We need to be able to load PAM modules
    # (only needed with older refpolicy as the newer does this for all domains)
    optional_policy(`
        libs_use_ld_so(thinlinc_session_t)
        libs_use_shared_libs(thinlinc_session_t)
    ')
Workaround reverted in r27484. Still kept some changes though.
RHEL 5.10 x86_64 and ThinLinc 4.2.0 - the SELinux module won't even install. tlsetup.log:
> 2014-06-03 13:48:22,254: Output (stdout):
> 2014-06-03 13:48:22,255: Updating default context mappings...
> 2014-06-03 13:48:22,255: Updating root context mappings...
> 2014-06-03 13:48:22,255: Compiling thinlinc policy module...
> 2014-06-03 13:48:22,255: make: Entering directory `/tmp/tmph-TIpN'
> 2014-06-03 13:48:22,255: Compiling targeted thinlinc module
> 2014-06-03 13:48:22,255: /usr/bin/checkmodule: loading policy configuration from tmp/thinlinc.tmp
> 2014-06-03 13:48:22,255: make: Leaving directory `/tmp/tmph-TIpN'
> 2014-06-03 13:48:22,255: Output (stderr):
> 2014-06-03 13:48:22,256: Could not find template type. Using default fallback.
> 2014-06-03 13:48:22,256: thinlinc.te:55:ERROR 'syntax error' at token 'ubac_constrained' on line 118821:
> 2014-06-03 13:48:22,256:
> 2014-06-03 13:48:22,256: ubac_constrained(thinlinc_user_t)
> 2014-06-03 13:48:22,256: /usr/bin/checkmodule: error(s) encountered while parsing configuration
> 2014-06-03 13:48:22,256: make: *** [tmp/thinlinc.mod] Error 1
> 2014-06-03 13:48:22,256: SELinux configuration failed with error code 2
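Added example (not part of the bug comments and not ThinLinc's installer code): a shell filter that reads installer output or tlsetup.log and reports which policy symbols the installed base policy did not provide, covering both the link-time failures (xauth_home_t, xauth_t) and the compile-time failure (ubac_constrained) quoted in this thread. The function names are hypothetical; the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example, not ThinLinc code. Function names are hypothetical.

# Reads installer output or tlsetup.log on stdin and prints "<stage> <symbol>"
# for every policy symbol the installed base policy turned out not to provide.
classify_selinux_failure() {
    # Drop the optional tlsetup.log prefix, e.g. "2014-06-03 13:48:22,256: ".
    sed -E 's/^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9:,]+: //' |
    awk '
        # Link stage (semodule): a type or attribute the module requires is
        # absent from the base policy. The name is the last field.
        /libsepol\.print_missing_requirements/ && /type.attribute/ {
            if (!seen["link " $NF]++) print "link", $NF
        }
        # Compile stage (checkmodule): an unparsable token. Assumption: this is
        # an interface macro the installed refpolicy does not define, so m4
        # left it unexpanded.
        /ERROR .syntax error. at token/ {
            if (match($0, /at token .[A-Za-z0-9_]+./)) {
                tok = substr($0, RSTART + 10, RLENGTH - 11)
                if (!seen["compile " tok]++) print "compile", tok
            }
        }
    '
}

# Sample input: lines copied from the output quoted in this thread.
sample_log() {
    cat <<'EOF'
Installing thinlinc policy module...
libsepol.print_missing_requirements: thinlinc's global requirements were not met: type/attribute xauth_home_t
libsemanage.semanage_link_sandbox: Link packages failed
2014-06-03 13:48:22,256: thinlinc.te:55:ERROR 'syntax error' at token 'ubac_constrained' on line 118821:
2014-06-03 13:48:22,256: make: *** [tmp/thinlinc.mod] Error 1
EOF
}

sample_log | classify_selinux_failure
```

A "link" finding points at a type that has to be made optional or dropped for that policy version; a "compile" finding means the module source uses an interface the policy's headers do not have.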
We "solve" this by documenting that older policies are not supported.
http://www.cendio.com/resources/docs/platforms/selinux.xhtml updated in r29275.
Looks ok.