Some organisations want to use SELinux support for levels and categories (MLS and MCS). This apparently requires modifications to ThinLinc to work properly as ThinLinc components might run at levels where the users are prevented access.
Some notes on experiences of enabling MLS on RHEL/CentOS 6:

- Red Hat has this concerning disclaimer in their MLS chapter: "It is not recommended to use the MLS policy on a system that is running the X Window System." [1]
- You can't log in as root over SSH when MLS is active. You have to enable the ssh_sysadm_login boolean and uncomment a line in /etc/selinux/mls/contexts/users/root to get this working.

[1] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/enabling-mls-in-selinux.html
ThinLinc problems:

1. Can't run ./install-server (from root's home directory at least) as it errors out with "permission denied". 'bash install-server' works fine though.

2. tl-setup fails to configure the firewall:

2013-09-30 13:39:21,516: Creating firewall service 'tlwebadm' using ports 1010:TCP
2013-09-30 13:39:21,516: Enable firewall service 'tlwebadm'
2013-09-30 13:39:21,783: Failed to enable firewall service tlwebadm
2013-09-30 13:39:21,784: Failed to stop iptables.
2013-09-30 13:39:21,784: Failed to stop ip6tables.
2013-09-30 13:39:21,784: Failed to start iptables.
2013-09-30 13:39:21,784: Failed to start ip6tables.
2013-09-30 13:39:21,784:
2013-09-30 13:39:21,784: Creating firewall service 'tlmaster' using ports 9000:TCP
2013-09-30 13:39:21,785: Enable firewall service 'tlmaster'
2013-09-30 13:39:22,006: Failed to enable firewall service tlmaster
2013-09-30 13:39:22,006: Failed to stop iptables.
2013-09-30 13:39:22,007: Failed to stop ip6tables.
2013-09-30 13:39:22,007: Failed to start iptables.
2013-09-30 13:39:22,007: Failed to start ip6tables.
2013-09-30 13:39:22,007:
2013-09-30 13:39:22,007: Creating firewall service 'tlagent' using ports 904:TCP
2013-09-30 13:39:22,007: Enable firewall service 'tlagent'
2013-09-30 13:39:22,229: Failed to enable firewall service tlagent
2013-09-30 13:39:22,230: Failed to stop iptables.
2013-09-30 13:39:22,230: Failed to stop ip6tables.
2013-09-30 13:39:22,230: Failed to start iptables.
2013-09-30 13:39:22,230: Failed to start ip6tables.
2013-09-30 13:39:22,230:
2013-09-30 13:39:22,230: Enable system firewall service 'ssh'
2013-09-30 13:39:22,448: Failed to enable system firewall service ssh
2013-09-30 13:39:22,449: Failed to stop iptables.
2013-09-30 13:39:22,449: Failed to stop ip6tables.
2013-09-30 13:39:22,449: Failed to start iptables.
2013-09-30 13:39:22,449: Failed to start ip6tables.
2013-09-30 13:39:22,449:
2013-09-30 13:39:22,449: failed to configure firewall.

3. tl-setup crashes when configuring services:

2013-09-30 13:43:34,732: Installing services...
2013-09-30 13:43:34,732: Installing service 'vsmserver'...
2013-09-30 13:43:35,183: Installing service 'vsmagent'...
2013-09-30 13:43:35,570: Installing service 'tlwebadm'...
2013-09-30 13:43:36,049: Starting services...
2013-09-30 13:43:36,049: Starting service 'vsmagent'...
2013-09-30 13:43:36,112: Traceback (most recent call last):
2013-09-30 13:43:36,113:   File "/opt/thinlinc/modules/thinlinc/tlsetup/services.py", line 185, in Ii11Ii1I
2013-09-30 13:43:36,113:     O00oO = II1i1Ii11Ii11 ( )
2013-09-30 13:43:36,113:   File "/opt/thinlinc/modules/thinlinc/tlsetup/services.py", line 153, in II1i1Ii11Ii11
2013-09-30 13:43:36,113:     if not iiI1IiI ( "vsmagent" ) :
2013-09-30 13:43:36,113:   File "/opt/thinlinc/modules/thinlinc/tlsetup/services.py", line 104, in iiI1IiI
2013-09-30 13:43:36,113:     close_fds = 1 )
2013-09-30 13:43:36,114:   File "/opt/thinlinc/modules/subprocess.py", line 593, in __init__
2013-09-30 13:43:36,114:     errread, errwrite)
2013-09-30 13:43:36,114:   File "/opt/thinlinc/modules/subprocess.py", line 1079, in _execute_child
2013-09-30 13:43:36,114:     raise child_exception
2013-09-30 13:43:36,114: OSError: [Errno 13] Permission denied
1. seems to be Red Hat specific and per design. They lock down root's home directory a lot more than normal users'. Executes just fine in a normal user's home directory. 2. and 3. are apparently somewhat expected. You have to use the helper "run_init" when starting/stopping services. Unfortunately it requires a password by default, so we can't easily call it from tl-setup. We could be more graceful about it though. Added bug 4825 about this.
Next thinlinc problem: thinlinc-login cannot access the socket that vsmserver creates. This is because most stuff created in /tmp is not accessible by users. We should probably start using a more sane directory under /var/run, like most other daemons. Bug 4826 has been added for this.
With bug 4826 and a lot of tweaks to the policy, I can now get functioning communication via thinlinc-login. Next it fails to open a PAM session:

Oct 4 16:34:06 dhcp-254-176 tl-session: pam_selinux(thinlinc:session): conversation failed
Oct 4 16:34:06 dhcp-254-176 tl-session: pam_selinux(thinlinc:session): No response to query: Would you like to enter a security context? [N]
Oct 4 16:34:06 dhcp-254-176 tl-session: pam_selinux(thinlinc:session): Unable to get valid context for tltest

Seems like pam_selinux wants to blab with the user. This does not happen with ssh though, so I need to check what it does.
(In reply to comment #7)
> Seems like pam_selinux wants to blab with the user. This does not happen with
> ssh though, so I need to check what it does.

That was just a fallback path. The real problem was problems with the policy where I needed to specify more access for tl-session.
I can now get a ThinLinc session. It is slightly broken though as some programs aren't allowed to write to xinit.log (e.g. metacity which promptly crashes because of this...). Not sure what the proper way is to fix this...
This project is abandoned. We will commit the general fixes that were done and leave full SELinux support for the future.
All fixes have been committed. Tester should verify that ThinLinc still works in enforcing mode. You should also check that nothing runs under the initrc_t context.
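One way to script the verification asked for above, as an added example that is not part of this bug thread or of ThinLinc itself: it takes `ps -eZ -o label,pid,comm` style output, flags any ThinLinc process whose type is not one of the dedicated thinlinc_*_t domains, and counts processes left in initrc_t. The sample lines are constructed; the thinlinc_*_t type names follow the pattern seen in this thread.

```shell
#!/bin/sh
# Added example (not ThinLinc's own code): check SELinux domains of
# ThinLinc processes after tl-setup, as the tester is asked to do.

# Constructed sample output in the form of `ps -eZ -o label,pid,comm`
# (assumption: one "label pid comm" triple per line).
SAMPLE_PS='unconfined_u:system_r:thinlinc_master_t:s0    1201 python-thinlinc
unconfined_u:system_r:thinlinc_agent_t:s0     1202 python-thinlinc
unconfined_u:system_r:initrc_t:s0             1203 tlstunnel
unconfined_u:system_r:thinlinc_webadm_t:s0    1204 python-thinlinc
system_u:system_r:sshd_t:s0-s15:c0.c1023      1100 sshd'

# Print "pid comm type" for every ThinLinc-related process whose SELinux
# type is not a dedicated thinlinc_*_t domain. Returns 1 if any is found,
# so it can gate a test run; returns 0 when all ThinLinc processes are
# confined as expected.
check_thinlinc_domains() {
    bad=$(printf '%s\n' "$1" | awk '
        $3 ~ /thinlinc|tlstunnel/ {
            split($1, ctx, ":")        # label is user:role:type:level
            type = ctx[3]
            if (type !~ /^thinlinc_[a-z]+_t$/) print $2, $3, type
        }')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Count processes of any name still running in initrc_t, which would mean
# a service was started outside its own policy domain.
count_initrc_t() {
    printf '%s\n' "$1" | awk -F: '$3 == "initrc_t" {n++} END {print n+0}'
}

# Stand-alone usage on the constructed sample (a real check would feed
# "$(ps -eZ -o label,pid,comm)" instead).
if [ "$(count_initrc_t "$SAMPLE_PS")" != "0" ]; then
    echo "processes in initrc_t: $(count_initrc_t "$SAMPLE_PS")"
fi
check_thinlinc_domains "$SAMPLE_PS" || echo "unexpected ThinLinc domains above"
```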
Doesn't work properly on RHEL 6. Need to have another look.
(In reply to comment #14)
> Doesn't work properly on RHEL 6. Need to have another look.

Fixed in r28257. No idea why I wasn't seeing this problem on Fedora 19.
Tested using build 4312, works as expected. ThinLinc processes have the correct context.

$ pstree -Z | grep thinlinc

 |-python-thinlinc(`unconfined_u:system_r:thinlinc_agent_t:s0')
 |-python-thinlinc(`unconfined_u:system_r:thinlinc_webadm_t:s0')
 |   `-tlstunnel(`unconfined_u:system_r:thinlinc_webadm_t:s0')
 |-python-thinlinc(`unconfined_u:system_r:thinlinc_master_t:s0')
 |-python-thinlinc(`unconfined_u:system_r:thinlinc_webaccess_t:s0')
 |   `-tlstunnel(`unconfined_u:system_r:thinlinc_webaccess_t:s0')
(In reply to comment #16)
> Tested using build 4312, works as expected. ThinLinc processes have the correct
> context.
>
> $ pstree -Z | grep thinlinc
>
>  |-python-thinlinc(`unconfined_u:system_r:thinlinc_agent_t:s0')
>  |-python-thinlinc(`unconfined_u:system_r:thinlinc_webadm_t:s0')
>  |   `-tlstunnel(`unconfined_u:system_r:thinlinc_webadm_t:s0')
>  |-python-thinlinc(`unconfined_u:system_r:thinlinc_master_t:s0')
>  |-python-thinlinc(`unconfined_u:system_r:thinlinc_webaccess_t:s0')
>  |   `-tlstunnel(`unconfined_u:system_r:thinlinc_webaccess_t:s0')

Everything works as expected, tested on RHEL6.