I'm getting this AVC whenever a new session is created on Fedora 27:

> type=AVC msg=audit(1523880447.690:3845): avc: denied { dac_read_search } for pid=12248 comm="tl-session" capability=2 scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0

An strace however shows no EPERM or EACCES, so it isn't entirely clear what is going on. Some googling finds this issue: https://danwalsh.livejournal.com/77140.html

However we don't trigger unix_chkpwd so it's not that specific bug. The symptoms are very similar though, so it's probably something along the same lines.
This line in strace matches the AVC timestamp, and is probably the culprit:

> [pid 12248] 14:07:27.690973 access("/run/user/500/bus", F_OK) = 0

/run/user/500 is only accessible by the user so it would require a DAC override to access that directory by tl-session (which runs as root). I don't know what generates this access(), but I would guess pam_systemd as I think it's the only module that fiddles around with dbus.
I could confirm that the issue is with /run/user/500/bus as doing chmod o+rwx on the directory made the AVC go away.
Reported to Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1567988 Hopefully they can provide some insight.
Should have checked our policy closer. We already have dac_override so I guess we should just add dac_read_search as well. I can see some upstream changes to that effect as well.
Works fine with the change. Tester should check that an AVC is generated with ThinLinc 4.8.0 but not with trunk.
(In reply to comment #6)
> Works fine with the change. Tester should check that an AVC is generated with
> ThinLinc 4.8.0 but not with trunk.

On my Fedora 27 workstation with ThinLinc 4.8.1-5456.x86_64:

> $ sudo ausearch -i -c tl-session | tail -n 1
> type=AVC msg=audit(2018-03-27 09:36:50.829:19081) : avc: denied { dac_read_search }
> for pid=26015 comm=tl-session capability=dac_read_search scontext=system_u:system_r:thinlinc_session_t:s0
> tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0

After upgrading to ThinLinc 4.9.0-5758, I can't produce new AVC messages on login.
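As an added illustration (not code from the ThinLinc project or this bug thread) of the policy change discussed above: the script below parses both the raw and the `ausearch -i` forms of the AVC record quoted in the thread, merges the denied permission into an existing `capability` rule that already grants `dac_override`, and renders the resulting allow statement. The pre-existing rule is assumed; the AVC lines are copied from the report.

```python
import re

# Constructed samples: the raw AVC from the report and the ausearch -i form
# from the follow-up comment, each joined back onto a single line.
RAW_AVC = ('type=AVC msg=audit(1523880447.690:3845): avc: denied { dac_read_search } '
           'for pid=12248 comm="tl-session" capability=2 '
           'scontext=system_u:system_r:thinlinc_session_t:s0 '
           'tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0')
INTERPRETED_AVC = ('type=AVC msg=audit(2018-03-27 09:36:50.829:19081) : avc: denied '
                   '{ dac_read_search } for pid=26015 comm=tl-session capability=dac_read_search '
                   'scontext=system_u:system_r:thinlinc_session_t:s0 '
                   'tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0')

# Matches the denied permission set, source/target contexts and object class
# in either the raw (numeric capability) or interpreted (named capability) record.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
                    r'tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source type, target type, tclass, set of denied permissions)."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    # The third field of a context (user:role:type:level) is the type.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def merge_allow(rules, line):
    """Add the denied permissions to rules, keyed by (stype, ttype, tclass)."""
    stype, ttype, tclass, perms = parse_avc(line)
    rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules

def render_te(rules):
    """Render rules as policy allow statements, using 'self' when source == target."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = 'self' if stype == ttype else ttype
        out.append('allow %s %s:%s { %s };' % (stype, target, tclass, ' '.join(sorted(perms))))
    return out

if __name__ == '__main__':
    # Assumed existing rule: the policy already grants dac_override to itself.
    policy = {('thinlinc_session_t', 'thinlinc_session_t', 'capability'): {'dac_override'}}
    for avc in (RAW_AVC, INTERPRETED_AVC):
        merge_allow(policy, avc)
    print('\n'.join(render_te(policy)))
```

The output is the single statement `allow thinlinc_session_t self:capability { dac_override dac_read_search };`, which is the shape of the change comment #5 describes.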