Bug 6988 - ThinLinc does not work correctly/have full functionality when installed to a nosuid mount
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Peter Åstrand
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-14 10:28 CEST by Karl Mikaelsson
Modified: 2017-06-20 12:40 CEST

See Also:
Acceptance Criteria:


Description Karl Mikaelsson cendio 2017-06-14 10:28:42 CEST
When /opt is mounted nosuid and SELinux is active, users can't start sessions. The end user gets an error message saying "ThinLinc login failed (No agent server was available)". The following error messages are logged to /var/log/vsmagent.log:

> subprocess: execvp: Permission denied
> tl-session: tl-xinit exited with status=71

We can see that vsmagent is running with a bad SELinux context (we expect system_u:system_r:thinlinc_agent_t:s0):

> # ps -efZ | grep vsmagent
> system_u:system_r:initrc_t:s0   root      16954      1  3 19:18 ?        00:00:00 python-thinlinc /opt/thinlinc/sbin/vsmagent

We can see security_bounded_transition errors in the audit log from when vsmagent wants to transition from initrc_t to thinlinc_agent_t.

> type=SYSCALL msg=audit(2017-06-07 18:01:56.344:41000) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x223e9b0 a1=0x2249ec0 a2=0x2241e80 a3=0x7ffe476377d0 items=0 ppid=40882 pid=40883 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=vsmagent exe=/usr/bin/env subj=system_u:system_r:initrc_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(2017-06-07 18:01:56.344:41000) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:initrc_t:s0 newcontext=system_u:system_r:thinlinc_agent_t:s0

SELinux doesn't seem to allow processes on nosuid mounts to transition to other contexts, so the workaround for this is to remove the nosuid mount flag from /opt.

> # ps -efZ | grep vsmagent
> system_u:system_r:thinlinc_agent_t:s0 root 16800     1  0 19:16 ?        00:00:00 python-thinlinc /opt/thinlinc/sbin/vsmagent
> # mount -o remount,nosuid /opt
> # systemctl restart vsmagent
> # ps -efZ | grep vsmagent
> system_u:system_r:initrc_t:s0   root      16954      1  3 19:18 ?        00:00:00 python-thinlinc /opt/thinlinc/sbin/vsmagent
> # mount -o remount,suid /opt
> # systemctl restart vsmagent
> # ps -efZ | grep vsmagent
> system_u:system_r:thinlinc_agent_t:s0 root 17001     1  3 19:18 ?        00:00:00 python-thinlinc /opt/thinlinc/sbin/vsmagent


======================================================

When /opt is mounted nosuid, users can't use setuid helper programs to mount their local drives into their session. This should happen whether or not you're using SELinux. The same workaround as above should be valid.
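Both failure modes in this report (the denied security_bounded_transition from initrc_t to thinlinc_agent_t, and the setuid local-drive helpers) share one root cause: the install path sits on a mount carrying the nosuid flag. The following pre-flight check is an added example and is not part of ThinLinc or of this bug report. It reads /proc/self/mountinfo (field 5 is the mount point, field 6 the per-mount options where nosuid appears), picks the longest mount point that is a prefix of the path, and reports whether that mount is nosuid and whether SELinux is enforcing. The function names, the sample mountinfo lines and the /opt/thinlinc path in the demo are constructed for the example.

```shell
#!/bin/sh
# Added pre-flight check (hypothetical, not part of ThinLinc): does an install
# path live on a mount carrying the nosuid flag? Such a mount blocks setuid
# helpers and, with SELinux active, the bounded domain transition seen above.

# Constructed /proc/self/mountinfo sample used for the stand-alone demo.
# Field 5 is the mount point, field 6 the per-mount options (where nosuid lives).
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 8:2 / /opt rw,nosuid,relatime shared:20 - ext4 /dev/sda2 rw
50 45 0:40 / /opt/data rw,relatime shared:21 - xfs /dev/sdb1 rw'

# mount_options_for PATH: read mountinfo lines on stdin and print the options of
# the longest mount point that is a prefix of PATH (so /opt wins over / for
# /opt/thinlinc, and /optimus is not matched by /opt).
# Mount points containing spaces are octal-escaped in mountinfo; not handled here.
mount_options_for() {
    awk -v p="$1" '
    {
        mp = $5; opts = $6
        if (mp == "/" || index(p "/", mp "/") == 1) {
            if (length(mp) > length(best)) { best = mp; bestopts = opts }
        }
    }
    END { print bestopts }'
}

# is_nosuid_opts OPTS: succeed when the comma-separated option list contains nosuid.
is_nosuid_opts() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_install_path PATH: report against the live system; return 1 on a nosuid mount.
check_install_path() {
    opts=$(mount_options_for "$1" < /proc/self/mountinfo)
    selinux=disabled
    if [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) selinux=enforcing ;;
            0) selinux=permissive ;;
        esac
    fi
    if is_nosuid_opts "$opts"; then
        echo "WARNING: $1 is on a nosuid mount ($opts); SELinux is $selinux"
        echo "         setuid helpers and SELinux domain transitions from here will fail"
        return 1
    fi
    echo "OK: $1 has mount options '$opts'; SELinux is $selinux"
}

# Demo on the constructed sample, then on the live system when a path is given.
printf '%s\n' "$SAMPLE_MOUNTINFO" | mount_options_for /opt/thinlinc
if [ $# -gt 0 ]; then check_install_path "$1"; fi
```

Run it as `sh nosuid-check.sh /opt/thinlinc` (the script name is assumed) on the target host before starting the services. The check looks at the per-mount options in field 6 rather than the superblock options after the `-` separator, because nosuid is a per-mount flag and can differ between bind mounts of the same filesystem.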
Comment 1 Karl Mikaelsson cendio 2017-06-15 09:55:22 CEST
(In reply to comment #0)
> When /opt is mounted nosuid and SELinux is active, users can't start sessions.

Wrote about this on Platform Specific Notes, in the SELinux section.
