On at least RHEL 6 you can break ThinLinc by setting something like this in limits.conf:

> ossman soft nofile 10240
> ossman hard nofile 10240

This results in a SELinux AVC:

> type=AVC msg=audit(1448978618.493:1384265): avc: denied { setrlimit } for pid=7296 comm="tl-session" scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=process

And pam_limits complains in syslog:

> Dec 1 15:03:38 castro tl-session: pam_limits(thinlinc:session): Could not set limit for 'nofile': Permission denied

And finally tl-session fails to open the session:

> 2015-12-01 15:03:38 WARNING tl-session: pam_open_session failed: 6 (Permission denied)
Setting it to permissive also gives this AVC:

> type=AVC msg=audit(1448980249.850:1384880): avc: denied { sys_resource } for pid=19241 comm="tl-session" capability=24 scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:system_r:thinlinc_session_t:s0 tclass=capability
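The two AVC lines above are exactly the input that audit2allow turns into the allow rules in the policy change. The following is an added example (not part of the bug report or of ThinLinc's own tooling) that does the same translation by hand: it parses `avc: denied` lines, groups permissions by (source type, target type, class), and prints the `allow` rules, using the `self` shorthand when source and target types match. The two AVC lines are copied from the report; the third line is constructed to show how permissions for one triple are merged.

```python
"""Minimal audit2allow-style translation of SELinux AVC denials into
allow rules.  Added example for this bug report, not ThinLinc code.
The first two audit lines are the ones from the report; the third is
constructed to show merging of permissions for the same triple."""
import re
from collections import defaultdict

# Constructed sample input (two real lines from the report plus one extra).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1448978618.493:1384265): avc: denied { setrlimit } for pid=7296 comm="tl-session" scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=process
type=AVC msg=audit(1448980249.850:1384880): avc: denied { sys_resource } for pid=19241 comm="tl-session" capability=24 scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:system_r:thinlinc_session_t:s0 tclass=capability
type=AVC msg=audit(1448980250.001:1384881): avc: denied { getcap setrlimit } for pid=19241 comm="tl-session" scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:system_r:thinlinc_session_t:s0 tclass=process
"""

# Permissions appear inside braces; the contexts and class follow later on the line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(m.group('scon')),
        'target': context_type(m.group('tcon')),
        'tclass': m.group('tclass'),
    }


def collect_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        rules[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return rules


def render_rules(rules):
    """Render grouped denials as policy allow rules, one per triple."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if tgt == src else tgt
        out.append('allow %s %s:%s { %s };' % (src, target, cls, ' '.join(sorted(perms))))
    return out


if __name__ == '__main__':
    for rule in render_rules(collect_denials(SAMPLE_AUDIT)):
        print(rule)
```

The output for the report's two lines is `allow thinlinc_session_t self:capability { sys_resource };` and `allow thinlinc_session_t self:process { getcap setrlimit };`, which is what the policy diff adds (minus the extra `getcap` from the constructed line). The real audit2allow also understands `dontaudit`, macros from the reference policy and the `-M` module output; this version only covers the grouping step, which is the part worth checking by eye before merging a denial into a policy.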
This change to our policy gets things working: > Index: thinlinc.te > =================================================================== > --- thinlinc.te (revision 30989) > +++ thinlinc.te (working copy) > @@ -107,8 +107,8 @@ > userdom_spec_domtrans_all_users(thinlinc_session_t) > userdom_signal_all_users(thinlinc_session_t) > > -allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid }; > -allow thinlinc_session_t self:process { getcap setsched setexec }; > +allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid sys_resource }; > +allow thinlinc_session_t self:process { getcap setsched setexec setrlimit }; > allow thinlinc_session_t self:fifo_file rw_fifo_file_perms; > > miscfiles_read_localization(thinlinc_session_t)
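Review bot: the two widened allow lines carry no comment saying what needs them, so a later cleanup could drop `sys_resource` as unrelated to session setup; add a comment above them noting that pam_limits calls setrlimit on the session process and that raising a hard limit (the `nofile` case from the report, `capability=24` is CAP_SYS_RESOURCE) additionally requires `sys_resource`. Since `sys_resource` is the capability the kernel checks for raising any hard rlimit, it cannot be narrowed per resource in policy; the comment should say so, so that nobody tries to replace it with something finer-grained.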
Also happens on Fedora 23.
Checked the reference policy that explicitly adding these permissions is the correct way to go. So everything is done here.
I can't reproduce this error on CentOS 7 with the fix from comment #5 applied. I've verified that the errors happen when the fix is not applied. I've tested the fix without errors using these limits: core, nice, nproc, nofiles, data, fsize, stack, cpu, as, maxlogins, priority, msgqueue.