Bug 5733 - cannot start sessions on SELinux systems when pam_limits is used
Summary: cannot start sessions on SELinux systems when pam_limits is used
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Agent (show other bugs)
Version: pre-1.0
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.6.0
Assignee: Pierre Ossman
Keywords: derfian_tester, relnotes
Depends on:
Reported: 2015-12-01 15:26 CET by Pierre Ossman
Modified: 2016-04-12 12:25 CEST (History)
2 users (show)

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2015-12-01 15:26:00 CET
On at least RHEL 6 you can break ThinLinc by setting something like this in limits.conf:

> ossman	soft	nofile	10240
> ossman	hard	nofile	10240

This results in a SELinux AVC:

> type=AVC msg=audit(1448978618.493:1384265): avc:  denied  { setrlimit } for  pid=7296 comm="tl-session" scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=process

And pam_limits complains in syslog:

> Dec  1 15:03:38 castro tl-session: pam_limits(thinlinc:session): Could not set limit for 'nofile': Permission denied

And finally tl-session fails to open the session:

> 2015-12-01 15:03:38 WARNING tl-session: pam_open_session failed: 6 (Permission denied)
Comment 1 Pierre Ossman cendio 2015-12-01 15:31:15 CET
Setting it to permissive also gives this AVC:

> type=AVC msg=audit(1448980249.850:1384880): avc:  denied  { sys_resource } for  pid=19241 comm="tl-session" capability=24  scontext=unconfined_u:system_r:thinlinc_session_t:s0 tcontext=unconfined_u:system_r:thinlinc_session_t:s0 tclass=capability
Comment 2 Pierre Ossman cendio 2015-12-01 15:40:04 CET
This change to our policy gets things working:

> Index: thinlinc.te
> ===================================================================
> --- thinlinc.te      (revision 30989)
> +++ thinlinc.te      (working copy)
> @@ -107,8 +107,8 @@
>  userdom_spec_domtrans_all_users(thinlinc_session_t)
>  userdom_signal_all_users(thinlinc_session_t)
> -allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid };
> -allow thinlinc_session_t self:process { getcap setsched setexec };
> +allow thinlinc_session_t self:capability { kill chown dac_override fowner setgid setuid sys_resource };
> +allow thinlinc_session_t self:process { getcap setsched setexec setrlimit };
>  allow thinlinc_session_t self:fifo_file rw_fifo_file_perms;
>  miscfiles_read_localization(thinlinc_session_t)
Comment 4 Pierre Ossman cendio 2015-12-02 10:54:14 CET
Also happens on Fedora 23.
Comment 6 Pierre Ossman cendio 2015-12-02 11:08:07 CET
Checked the reference policy that explicitly adding these permissions is the correct way to go. So everything is done here.
Comment 8 Karl Mikaelsson cendio 2015-12-03 12:27:06 CET
I can't reproduce this error on CentOS 7 with the fix from comment #5 applied. I've verified that the errors happen when the fix is not applied. I've tested the fix without errors using these limits: core, nice, nproc, nofiles, data, fsize, stack, cpu, as, maxlogins, priority, msgqueue.

Note You need to log in before you can comment on or make changes to this bug.