Bug 1418463
| Field | Value |
|---|---|
| Summary | selinux policy will not allow tigervnc-server to start |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 28 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Joe Wright <jwright> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | crash70, dominick.grift, dwalsh, hobbyos, jgrulich, lutingrong, lvrabec, markus.hillig, mgrepl, nicholas, pedrogfrancisco, plautrba, pmoore, rdieter, ssekidde |
| Keywords | Desktop, Reopened, SELinux |
| Fixed In Version | selinux-policy-3.14.1-36.fc28 |
| Last Closed | 2018-07-29 03:23:48 UTC |
| Type | Bug |

Description
Joe Wright
2017-02-01 21:53:21 UTC
The out-of-the-box setup did not work for me on a brand new installation.

VM ESXi guest 2X4 cores 8GB memory x86_64 cpu

`sudo setenforce 0` allowed vncserver to start, confirming an selinux labeling problem.

Also, the following fix from `journalctl -xe` permanently fixed the problem which survives reboot:

```
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
```

This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release.

If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Re-opening, seems to be still valid.

*** Bug 1401458 has been marked as a duplicate of this bug. ***

selinux-policy-3.14.1-36.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1050fb248b

selinux-policy-3.14.1-36.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

In fact selinux is still blocking tigervnc-server start in fedora 28.

```
[l@HP14 ~]$ uname -a
Linux HP14 4.19.10-200.fc28.x86_64 #1 SMP Mon Dec 17 15:46:19 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[l@HP14 ~]$ rpm -q tigervnc-server
tigervnc-server-1.9.0-3.fc28.x86_64
[l@HP14 ~]$ rpm -q selinux-policy
selinux-policy-3.14.1-50.fc28.noarch
[l@HP14 ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
[l@HP14 ~]$ sudo systemctl restart vncserver@:1.service
Job for vncserver@:1.service failed because a timeout was exceeded.
See "systemctl status vncserver@:1.service" and "journalctl -xe" for details.
[l@HP14 ~]$ sudo systemctl status vncserver@\:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Tue 2018-12-25 23:42:29 CST; 40s ago
  Process: 7487 ExecStop=/usr/bin/vncserver -kill :1 (code=exited, status=0/SUCCESS)
  Process: 9188 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
  Process: 9183 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
 Main PID: 6553 (code=exited, status=0/SUCCESS)
      CPU: 6.794s

Dec 25 23:42:24 HP14 systemd[1]: vncserver@:1.service: Start operation timed out. Terminating.
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: Exiting...
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451080]: GLib-GIO[9305]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451379]: GLib-GIO[9305]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451716]: IMSettings-Daemon[9305]: INFO: Unloading imesttings module: gsettings
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.452020]: IMSettings-Daemon[9305]: INFO: imsettings-daemon is shut down.
Dec 25 23:42:24 HP14 pulseaudio[9430]: PulseAudio information vanished from X11!
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Dec 25 23:42:29 HP14 systemd[1]: Failed to start Remote desktop service (VNC).
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Consumed 6.794s CPU time
[l@HP14 ~]$ journalctl -xe
...
Dec 25 23:42:25 HP14 kernel: [drm] ib test on ring 3 succeeded in 0 usecs
Dec 25 23:42:25 HP14 kernel: [drm] ib test on ring 4 succeeded in 0 usecs
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Dec 25 23:42:29 HP14 systemd[1]: Failed to start Remote desktop service (VNC).
-- Subject: Unit vncserver@:1.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit vncserver@:1.service has failed.
--
-- The result is failed.
Dec 25 23:42:29 HP14 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=vncserver@:1 comm="systemd" exe="/usr/lib/systemd/systemd">
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Consumed 6.794s CPU time
-- Subject: Resources consumed by unit runtime
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The unit vncserver@:1.service completed and consumed the indicated resources.
Dec 25 23:42:29 HP14 sudo[9175]: pam_unix(sudo:session): session closed for user root
Dec 25 23:42:29 HP14 audit[9175]: USER_END pid=9175 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limit>
Dec 25 23:42:29 HP14 audit[9175]: CRED_DISP pid=9175 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acc>
Dec 25 23:43:10 HP14 sudo[9822]: l : problem with defaults entries ; TTY=pts/0 ; PWD=/home/l ; USER=root ;
Dec 25 23:43:10 HP14 audit[9822]: USER_ACCT pid=9822 uid=1000 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localus>
Dec 25 23:43:10 HP14 audit[9822]: USER_CMD pid=9822 uid=1000 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/l" cmd=73797374656D63746C207374617475>
Dec 25 23:43:10 HP14 sudo[9822]: l : TTY=pts/0 ; PWD=/home/l ; USER=root ; COMMAND=/usr/bin/systemctl status vncserver@:1.service
Dec 25 23:43:10 HP14 audit[9822]: CRED_REFR pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct=">
Dec 25 23:43:10 HP14 sudo[9822]: pam_systemd(sudo:session): Cannot create session: Already running in a session
Dec 25 23:43:10 HP14 sudo[9822]: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 25 23:43:10 HP14 audit[9822]: USER_START pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limi>
Dec 25 23:43:10 HP14 sudo[9822]: pam_unix(sudo:session): session closed for user root
Dec 25 23:43:10 HP14 audit[9822]: USER_END pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limit>
Dec 25 23:43:10 HP14 audit[9822]: CRED_DISP pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct=">
lines 1291-1342/1342 (END)
[l@HP14 ~]$ sudo setenforce 0
[l@HP14 ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
[l@HP14 ~]$ sudo systemctl restart vncserver@:1.service
[l@HP14 ~]$ sudo systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-12-25 23:50:49 CST; 1min 13s ago
  Process: 7487 ExecStop=/usr/bin/vncserver -kill :1 (code=exited, status=0/SUCCESS)
  Process: 9912 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
  Process: 9907 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
 Main PID: 9919 (Xvnc)
    Tasks: 180 (limit: 4915)
   Memory: 250.5M
      CPU: 6.182s
   CGroup: /system.slice/system-vncserver.slice/vncserver@:1.service
           ├─ 9919 /usr/bin/Xvnc :1 -auth /home/l/.Xauthority -desktop HP14:1 (l) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/l/.vnc/passwd -rfbport 5901 -rfbwai>
           ├─ 9932 sh -c (/home/l/.vnc/xstartup; /usr/bin/vncserver -kill :1) >> '/home/l/.vnc/HP14:1.log' 2>&1 &
           ├─ 9933 /bin/sh /etc/xdg/xfce4/xinitrc -- vt
           ├─ 9946 dbus-launch --sh-syntax --exit-with-session
           ├─ 9947 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session
           ├─10034 /usr/libexec/imsettings-daemon
           ├─10038 /usr/libexec/gvfsd
           ├─10085 /usr/bin/ssh-agent /etc/X11/xinit/Xclients
           ├─10099 xfce4-session
           ├─10103 /usr/lib64/xfce4/xfconf/xfconfd
           ├─10106 gnome-keyring-daemon --start
           ├─10111 xfwm4
           ├─10115 xfce4-panel
           ├─10117 Thunar --daemon
           ├─10119 xfdesktop
           ├─10120 /usr/bin/python3 /usr/bin/redshift-gtk
           ├─10121 xscreensaver -nosplash
           ├─10122 /usr/bin/ibus-daemon
           ├─10124 xfsettingsd
           ├─10127 /usr/bin/python3 /usr/bin/dnfdragora-updater
           ├─10128 /usr/libexec/geoclue-2.0/demos/agent
           ├─10142 /usr/libexec/ibus-dconf
           ├─10143 /usr/libexec/ibus-ui-gtk3
           ├─10146 xfce4-power-manager
           ├─10147 /usr/libexec/ibus-extension-gtk3
           ├─10152 /usr/bin/python2 /usr/bin/blueberry-tray
           ├─10156 /usr/libexec/ibus-portal
           ├─10158 /usr/bin/python2 /usr/lib/blueberry/blueberry-tray.py
           ├─10163 /usr/bin/pulseaudio --start
           ├─10167 nm-applet
           ├─10172 abrt-applet
           ├─10181 /usr/bin/python3 /usr/bin/seapplet
           ├─10196 /usr/libexec/at-spi-bus-launcher
           ├─10198 /usr/libexec/xfce-polkit
           ├─10208 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
           ├─10238 /usr/libexec/at-spi2-registryd --use-gnome-session
           ├─10245 /usr/lib64/tumbler-1/tumblerd
           ├─10269 /usr/lib64/xfce4/notifyd/xfce4-notifyd
           ├─10288 /usr/libexec/gvfs-udisks2-volume-monitor
           ├─10318 /usr/bin/redshift -v
           ├─10332 /usr/lib64/xfce4/panel/wrapper-2.0 /usr/lib64/xfce4/panel/plugins/libpulseaudio-plugin.so 16 10485793 pulseaudio PulseAudio Plugin Adjust the audio volume of the PulseAud>
lines 1-52
```

Issue still found in F31
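
The workaround in the description builds a policy module from every denial logged for the command name `systemd`. As an added example (not part of the report, its comments, or the selinux-policy project), the sketch below parses AVC records and lists the allow rules such a module would contain, with how often each was enforced versus only logged under `setenforce 0`, so the module can be reviewed before `semodule -i`. The audit records are constructed samples; the paths, inode numbers and the `var_run_t` denial are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit records, not taken from the bug report: an enforced and a
# permissive denial on a PID file under ~/.vnc, plus an unrelated denial that
# the broad `-c 'systemd'` filter would also sweep into the module.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1545752544.451:312): avc:  denied  { open } for  pid=1 comm="systemd" path="/home/user/.vnc/host:1.pid" dev="dm-0" ino=2233 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545753049.120:340): avc:  denied  { read } for  pid=1 comm="systemd" path="/home/user/.vnc/host:1.pid" dev="dm-0" ino=2233 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545753050.002:341): avc:  denied  { write } for  pid=1 comm="systemd" name="example.sock" dev="tmpfs" ino=91 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=SERVICE_START msg=audit(1545753051.000:342): pid=1 uid=0 msg='unit=vncserver@:1 comm="systemd" res=failed'
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(audit_text, comm="systemd"):
    """Group AVC denials for `comm` by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "enforced": 0, "permissive": 0})
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm:
            continue  # not an AVC denial, or a different command name
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        # permissive=1 means the access was logged but not actually blocked
        mode = "permissive" if m["permissive"] == "1" else "enforced"
        rules[key][mode] += 1
    return dict(rules)

def as_allow_rules(rules):
    """Render the summary as .te allow rules for review before loading."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(r['perms']))} }};"
        for (s, t, c), r in rules.items()
    )

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_AUDIT)):
        print(rule)
```

On a real system the input would be the output of `ausearch -c 'systemd' --raw`, and the rendered rules can be compared with the `my-systemd.te` file that `audit2allow -M` writes next to the `.pp` module.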