Bug 1647920 - ThinLinc unusable on Fedora 29
Summary: ThinLinc unusable on Fedora 29
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 29
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-08 14:39 UTC by Samuel
Modified: 2019-01-08 16:08 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-12 12:25:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Samuel 2018-11-08 14:39:24 UTC
Description of problem:

Since after I upgraded to Fedora 29 on the machine running my ThinLinc server I can no longer use the native client nor the web client. I can't use the web admin interface either. In all of the cases above it takes ~2 minutes to connect.

Seeing as I'm getting an USER_AVC in /var/log/audit/audit.log, I'm thinking its related to the selinux-policy upgrade that came with the Fedora 28->29 upgrade.

Version-Release number of selected component (if applicable): 3.14.2-41.fc29


How reproducible: 100%


Steps to Reproduce:
1. Install Fedora 29
2. Install the ThinLinc server
3. Try to connect


Actual results: Takes ~2 minutes and then eventually you connect


Expected results: Should connect immediately


Additional info:

Using strace to see what the processes are being blocked from doing, it seems like user lookup isn't working at all.

After I do 'setenforce 0' everything works fine.

The audit log says:

type=USER_AVC msg=audit(1541681954.605:398): pid=788 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.730 spid=1 tpid=5844 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:thinlinc_webaccess_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

And the above AVC appears right away as I try to connect.

Bug 1460244 might be related, but I'm not getting denies for msgtype=method_call, I'm only getting msgtype=method_return.

Comment 1 Samuel 2018-11-08 14:40:49 UTC
I have reproduced the problem on two different machines, on which both worked flawlessly on Fedora 28, and both showing the exact same problem after upgrading to Fedora 29.

Comment 2 Pierre Ossman 2018-11-08 16:08:51 UTC
This is also broken on Rawhide, so no recent fix it seems.

Oddly enough sesearch doesn't really list this as permitted on Fedora 28 either:

> $ sesearch -A -s init_t -t thinlinc_webaccess_t -c dbus -p send_msg
> $

Yet it still works.

There is very little difference between the f28 and f29 branches here:

https://github.com/fedora-selinux/selinux-policy

Perhaps it isn't a policy change but rather that systemd has started doing something new in Fedora 29? Or did dbus not properly enforce the rules before?



Still, thinlinc_webaccess_t has this policy:

> unconfined_domain(thinlinc_webaccess_t)

So it shouldn't really be prevented from anything. Explicitly adding:

> auth_use_nsswitch(thinlinc_webaccess_t)

does get things up and rolling. Is there perhaps a missing call to that somewhere? Or should unconfined_domain() have a rule too allow all dbus communication?

Still doesn't explain why Fedora 28 works though, because the rules for this seem to be the same...


Help? :/

Comment 3 Pierre Ossman 2018-12-10 11:12:59 UTC
Ping!

Could someone give us some guidance here? This will cause quite a bit of problems for our users. :/

Should we change the added policy? Or is this indeed a bug that we need to wait for you guys to fix?

Comment 4 Lukas Vrabec 2018-12-12 12:25:07 UTC
Hi, 

We don't ship policy for thinlinc. I don't know which package brings this policy but this SELinux macro will fix it:

init_dbus_chat(thinlinc_webaccess_t)

Could somebody add this macro there? 

THanks,
Lukas.

Comment 5 Pierre Ossman 2018-12-12 12:37:06 UTC
Sure, we can fix that.

However, is it really sane that this is needed when the unconfined_domain() macro is used? It doesn't really match the description given for that macro. Or should we file a bug with the upstream refpolicy?

Comment 6 Pierre Ossman 2019-01-08 13:59:34 UTC
I found some more commits on this theme upstream, and I've also reported the issue there:

https://github.com/SELinuxProject/refpolicy/issues/18

Comment 7 Pierre Ossman 2019-01-08 16:08:14 UTC
For reference, the bug went away as I updated the system and dbus-daemon got replaced by dbus-broker.


If I'm reading the code and traces correctly, dbus-broker does not do a check on replies so this bug is avoided.


Note You need to log in before you can comment on or make changes to this bug.