Bug 7150 - SELinux AVC when creating session on Fedora 27
Summary: SELinux AVC when creating session on Fedora 27
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Agent
Version: 1.3.1
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.9.0
Assignee: Pierre Ossman
URL:
Keywords: derfian_tester, relnotes
Depends on:
Blocks:
Reported: 2018-04-16 15:28 CEST by Pierre Ossman
Modified: 2018-04-20 13:41 CEST (History)
2 users

See Also:
Acceptance Criteria:

Description Pierre Ossman cendio 2018-04-16 15:28:44 CEST
I'm getting this AVC whenever a new session is created on Fedora 27:

> type=AVC msg=audit(1523880447.690:3845): avc:  denied  { dac_read_search } for  pid=12248 comm="tl-session" capability=2  scontext=system_u:system_r:thinlinc_session_t:s0 tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0

An strace however shows no EPERM or EACCES, so it isn't entirely clear what is going on. Some googling finds this issue:

https://danwalsh.livejournal.com/77140.html

However we don't trigger unix_chkpwd so it's not that specific bug. The symptoms are very similar though, so it's probably something along the same lines.
Comment 1 Pierre Ossman cendio 2018-04-16 15:33:58 CEST
This line in strace matches the AVC timestamp, and is probably the culprit:

> [pid 12248] 14:07:27.690973 access("/run/user/500/bus", F_OK) = 0

/run/user/500 is only accessible by the user so it would require a DAC override to access that directory by tl-session (which runs as root).

I don't know what generates this access(), but I would guess pam_systemd as I think it's the only module that fiddles around with dbus.
Comment 2 Pierre Ossman cendio 2018-04-16 15:48:59 CEST
I could confirm that the issue is with /run/user/500/bus as doing chmod o+rwx on the directory made the AVC go away.
Comment 3 Pierre Ossman cendio 2018-04-16 16:13:26 CEST
Reported to Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=1567988

Hopefully they can provide some insight.
Comment 4 Pierre Ossman cendio 2018-04-16 16:23:15 CEST
Should have checked our policy closer. We already have dac_override so I guess we should just add dac_read_search as well. I can see some upstream changes to that effect as well.
Comment 6 Pierre Ossman cendio 2018-04-19 10:34:46 CEST
Works fine with the change. Tester should check that an AVC is generated with ThinLinc 4.8.0 but not with trunk.
Comment 8 Karl Mikaelsson cendio 2018-04-20 13:41:24 CEST
(In reply to comment #6)
> Works fine with the change. Tester should check that an AVC is generated with
> ThinLinc 4.8.0 but not with trunk.

On my Fedora 27 workstation with ThinLinc 4.8.1-5456.x86_64:

> $ sudo ausearch -i -c tl-session | tail -n 1
> type=AVC msg=audit(2018-03-27 09:36:50.829:19081) : avc:  denied  { dac_read_search } 
>   for  pid=26015 comm=tl-session capability=dac_read_search scontext=system_u:system_r:thinlinc_session_t:s0
>   tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0

After upgrading to ThinLinc 4.9.0-5758, I can't produce new AVC messages on login.
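The two AVC records quoted in this thread, worked through as an added example (this is not ThinLinc code): a small Python parser that accepts both the raw audit.log form from the description and the `ausearch -i` form from comment 8, normalises the numeric capability (capability=2 is CAP_DAC_READ_SEARCH in linux/capability.h) to its name, and derives the audit2allow-style rule that the fix in comment 4 amounts to. The sample records are copied from this report; the function names and the output format are assumptions of mine.

```python
"""Parse SELinux AVC denial records and derive the policy rule they imply.

Added example for this bug report; not ThinLinc's own code. Handles the two
record shapes seen in the thread: the raw audit.log line from the description
(capability given as a number) and the `ausearch -i` rendering from comment 8
(capability given by name and wrapped over several lines).
"""
import re
from typing import Dict, List, Optional

# Capability numbers from linux/capability.h. Only the first few are listed;
# they cover the DAC-related denials this bug is about.
CAPABILITY_NAMES = {
    0: "chown",
    1: "dac_override",
    2: "dac_read_search",
    3: "fowner",
    4: "fsetid",
    5: "kill",
    6: "setgid",
    7: "setuid",
}

# Sample records copied from the bug report (description and comment 8).
RAW_RECORD = (
    'type=AVC msg=audit(1523880447.690:3845): avc:  denied  { dac_read_search } '
    'for  pid=12248 comm="tl-session" capability=2  '
    'scontext=system_u:system_r:thinlinc_session_t:s0 '
    'tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0'
)
AUSEARCH_RECORD = """type=AVC msg=audit(2018-03-27 09:36:50.829:19081) : avc:  denied  { dac_read_search }
  for  pid=26015 comm=tl-session capability=dac_read_search scontext=system_u:system_r:thinlinc_session_t:s0
  tcontext=system_u:system_r:thinlinc_session_t:s0 tclass=capability permissive=0"""

_PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context: str) -> str:
    """Return the type field (third component) of an SELinux context."""
    return context.split(":")[2]


def capability_name(value: str) -> str:
    """Normalise capability=2 and capability=dac_read_search to one spelling."""
    if value.isdigit():
        return CAPABILITY_NAMES.get(int(value), "cap_%s" % value)
    return value


def parse_avc(record: str) -> Optional[Dict[str, object]]:
    """Parse one AVC denial record, which may span several lines.

    Returns None for records that are not AVC denials (e.g. SYSCALL records).
    """
    text = " ".join(record.split())  # join wrapped lines, squeeze whitespace
    perms_match = _PERMS_RE.search(text)
    if "avc:" not in text or perms_match is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(text)}
    parsed: Dict[str, object] = {
        "perms": perms_match.group(1).split(),
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }
    if "capability" in fields:
        parsed["capability"] = capability_name(fields["capability"])
    return parsed


def allow_rule(avc: Dict[str, object]) -> str:
    """Derive the allow rule that would cover this denial, audit2allow-style.

    Capability checks are made against the process's own domain, so when the
    source and target types match the rule is written against `self`.
    """
    source = str(avc["source_type"])
    target = "self" if avc["target_type"] == source else str(avc["target_type"])
    perms = " ".join(avc["perms"])  # type: ignore[arg-type]
    return "allow %s %s:%s { %s };" % (source, target, avc["tclass"], perms)


def dac_denials(records: List[str]) -> List[Dict[str, object]]:
    """Return the parsed capability denials for dac_override / dac_read_search."""
    hits = []
    for record in records:
        avc = parse_avc(record)
        if avc and avc["tclass"] == "capability" and str(avc.get("capability", "")).startswith("dac_"):
            hits.append(avc)
    return hits


if __name__ == "__main__":
    for avc in dac_denials([RAW_RECORD, AUSEARCH_RECORD]):
        print("%s (pid %s) in %s: %s" % (avc["comm"], avc["pid"], avc["source_type"], allow_rule(avc)))
```

Both records reduce to the same rule, `allow thinlinc_session_t self:capability { dac_read_search };`, which is the permission added alongside the existing dac_override. The reason strace shows the access() call succeeding while the AVC is still logged is that the kernel's permission check tries CAP_DAC_READ_SEARCH before falling back to CAP_DAC_OVERRIDE for read/search access: the first check is denied and audited, the second is allowed, so the caller never sees an error.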
