Bug 1062968
| Summary: | systemd failed to run vncserver due to permission issues | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Yevgeniy <yevgeniy.melnichuk> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | bphinz, cweyl, dominick.grift, dwalsh, erik.lavander, haser.sebastian, iarnell, kasal, lvrabec, mgrepl, perl-devel, ppisar, psabata, rc040203, tcallawa, twaugh, yevgeniy.melnichuk |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-02 12:41:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Yevgeniy
2014-02-09 10:43:58 UTC
> vncserver does not start. systemd prints out error message: Job for
> vncserver@:1.service failed
> Feb 09 11:34:39 beast.localdomain runuser[1361]: -bash: /usr/bin/vncserver:
> /usr/bin/perl: bad interpreter: Permission denied

This seems to be the issue. Permission denied is not really the cause, but just saying you can't run a script without an interpreter. The cause of 'Permission denied' is the 'bad interpreter' part.

Why does /usr/bin/perl seem to be a bad interpreter? Check whether /usr/bin/perl is working correctly, has the right permissions and SELinux file context, etc.

Changing component to perl as this seems to be where the problem lies.

Hi Tim, thanks for the answer. I do not think perl itself is the problem. As I said in my original comment, I can run vncserver from the command line. Running the following command as root works fine:

runuser -l user -c "/usr/bin/vncserver :1"

The following command works as well:

perl -e 'printf "perl is working"'

I assume PAM somehow prevents systemd from running /usr/bin/perl.

I don't think pam is involved, as it's already got as far as executing 'bash -c "/usr/bin/vncserver :1"' as we can see from the error message. The runuser session was started, so the auth phase was successful. It could potentially be something about the environment runuser is run from, so systemd may be causing this, either itself or as a result of SELinux context changes in rawhide.

So you have SELinux in enforcing mode? Can you start the vncserver service after 'setenforce 0'?

(In reply to Tim Waugh from comment #3)
> So you have SELinux in enforcing mode?

Yes.

> Can you start the vncserver service after 'setenforce 0'?

You are right! After "setenforce 0" I can start the systemd service. How should I approach a SELinux related issue?

Changing component to selinux-policy for further analysis.

Hi Yevgeniy,
Could you attach AVC logs from /var/log/audit.log?
Thank you.

Hi Lukas, I ran "tail -f /var/log/audit/audit.log" and on a different terminal I ran "systemctl start vncserver@:1.service". Here is the output from tail:

type=SELINUX_ERR msg=audit(1392234160.211:2339): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1392234160.211:2339): arch=c000003e syscall=59 success=no exit=-13 a0=2506b90 a1=2506cf0 a2=25059d0 a3=7fff5303e9b0 items=0 ppid=1490 pid=1491 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CRED_ACQ msg=audit(1392234160.222:2340): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1392234160.239:2341): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SELINUX_ERR msg=audit(1392234160.281:2342): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1392234160.281:2342): arch=c000003e syscall=59 success=no exit=-13 a0=23f7e80 a1=23f7890 a2=23fcac0 a3=7fff343d4020 items=0 ppid=1493 pid=1499 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
type=USER_END msg=audit(1392234160.284:2343): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_close acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1392234160.284:2344): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1392234160.287:2345): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="vncserver@:1" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Here is a pastebin, if you prefer it over plain text: http://pastebin.com/FZn8eN6u

Strange that this ends up with an unconfined_r?

system_u:unconfined_r:initrc_t:s0

It almost seems like there is a runcon somewhere.

type=SELINUX_ERR msg=audit(1392234160.211:2339): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process

Perhaps one of the binaries involved is labelled unconfined_exec_t? What does 'ls -Z /bin/bash /usr/bin/perl /usr/bin/vncserver' say?

This is a really weird issue. Basically it is caused by

ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

which means we have

init_t @bin_t -> initrc_t

But we don't want to see it in initrc_t but in unconfined_t.

(In reply to Miroslav Grepl from comment #10)
> This is a really weird issue. Basically it is caused by
>
> ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
>
> which means we have
>
> init_t @bin_t -> initrc_t

I meant

init_t @shell_exec_t -> initrc_t

> But we don't want to see it in initrc_t but in unconfined_t.

This works on F20 because of initrc_t -> unconfined_t transition which has been removed in F20. Well I guess we need to add it back in...
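The SELINUX_ERR record is the one to look for whenever a unit fails with a bare "Permission denied" and no AVC denial appears. The script below is an added example for readers of this report, not code from the bug, from tigervnc or from selinux-policy: it parses audit records, joins each SELINUX_ERR "invalid context" record to the SYSCALL record that shares its audit serial, and reports which process, executing which file, was refused because the context the kernel computed for the new process failed validation. The sample records are copied from the log posted in this report; the syscall-number table (only execve for the x86_64 ABI) and the role-changed/type-changed comparison are this example's own assumptions.

```python
"""Triage SELinux 'invalid context' audit events by correlating records that share an audit serial."""
import errno
import re
from collections import defaultdict

# Sample input: records copied from the log posted in this bug report (events 2339, 2342, 2345).
SAMPLE_AUDIT_LOG = """\
type=SELINUX_ERR msg=audit(1392234160.211:2339): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1392234160.211:2339): arch=c000003e syscall=59 success=no exit=-13 a0=2506b90 a1=2506cf0 a2=25059d0 a3=7fff5303e9b0 items=0 ppid=1490 pid=1491 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1392234160.281:2342): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1392234160.281:2342): arch=c000003e syscall=59 success=no exit=-13 a0=23f7e80 a1=23f7890 a2=23fcac0 a3=7fff343d4020 items=0 ppid=1493 pid=1499 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
type=SERVICE_START msg=audit(1392234160.287:2345): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="vncserver@:1" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INVALID_CTX_RE = re.compile(
    r"security_compute_sid: invalid context (?P<computed>\S+) for "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
# Assumption of this example: only the syscall that matters here, for the x86_64 ABI (arch=c000003e).
X86_64_SYSCALLS = {59: "execve"}


def parse_audit(text):
    """Return {serial: [record, ...]}; a record is a dict of key=value fields plus _type and _body."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (or a truncated one): skip rather than guess
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
        rec["_type"] = m["type"]
        rec["_body"] = m["body"]
        events[int(m["serial"])].append(rec)
    return events


def split_context(ctx):
    """Split user:role:type[:range]; the MLS/MCS range may itself contain ':'."""
    user, role, type_, *range_ = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "range": ":".join(range_)}


def syscall_name(rec):
    """Map the syscall number to a name only for the x86_64 ABI; other ABIs keep the raw number."""
    nr = rec.get("syscall")
    if nr is None:
        return None
    if rec.get("arch") == "c000003e":
        return X86_64_SYSCALLS.get(int(nr), nr)
    return nr


def find_invalid_contexts(text):
    """One finding per SELINUX_ERR 'invalid context' record, joined to the SYSCALL record of the same event."""
    findings = []
    for serial, recs in sorted(parse_audit(text).items()):
        for rec in recs:
            if rec["_type"] != "SELINUX_ERR":
                continue
            m = INVALID_CTX_RE.search(rec["_body"])
            if not m:
                continue
            src, computed = split_context(m["scontext"]), split_context(m["computed"])
            syscall = next((r for r in recs if r["_type"] == "SYSCALL"), {})
            exit_code = int(syscall.get("exit", "0"))
            findings.append({
                "serial": serial,
                "exe": syscall.get("exe"),
                "comm": syscall.get("comm"),
                "pid": syscall.get("pid"),
                "uid": syscall.get("uid"),
                "syscall": syscall_name(syscall),
                # A negative exit is -errno; -13 is EACCES, which bash reports as "Permission denied".
                "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
                "scontext": m["scontext"],
                "tcontext": m["tcontext"],
                "computed": m["computed"],
                # The signature in this bug: the role changed (system_r -> unconfined_r) while the
                # type stayed initrc_t, and that role/type pair is not a valid context under the policy.
                "role_changed": src["role"] != computed["role"],
                "type_changed": src["type"] != computed["type"],
            })
    return findings


def describe(finding):
    return (f"event {finding['serial']}: {finding['exe']} (pid {finding['pid']}, uid {finding['uid']}) "
            f"{finding['syscall']} failed with {finding['errno']}: {finding['scontext']} executing "
            f"{finding['tcontext']} computed invalid context {finding['computed']}")


if __name__ == "__main__":
    for f in find_invalid_contexts(SAMPLE_AUDIT_LOG):
        print(describe(f))
```

Both findings from the sample show the same shape: execve refused with EACCES because the computed context system_u:unconfined_r:initrc_t:s0 changes the role without changing the type. That is why there is no AVC record to chase; the exec was not denied by an allow rule but by context validation, and a missing or wrong type transition (rather than a missing permission) is the thing to fix.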
What about this line?

type=SELINUX_ERR msg=audit(1409737379.032:620): security_compute_sid: invalid context system_u:unconfined_r:unconfined_service_t:s0 for scontext=system_u:system_r:unconfined_service_t:s0 context=system_u:object_r:unconfined_exec_t:s0 tclass=process

Is this a policy bug?

Yes, this one is a bug in the policy.

commit 32b0a182f80b0a9d1f9fa42117c51ddf189ff852
Author: Miroslav Grepl <mgrepl>
Date: Wed Sep 3 13:02:33 2014 +0200

    Allow unconfined_r to access unconfined_service_t.

Hello all,
I'm stuck at the same issue after an f20 to f21 upgrade. Is there anything I can do to get the vncserver service working properly? Seems this issue isn't fixed yet.
Many thanks in advance.

Could you attach version of your selinux-policy package?

(In reply to Lukas Vrabec from comment #18)
> Could you attach version of your selinux-policy package?

I've the following version installed:

selinux-policy.noarch 3.13.1-99.fc21 installed

Since the last selinux-policy update it's working properly again. Thanks a lot for the fix and merry christmas.