Bug 1662053

Summary: selinux is still blocking tigervnc-server start in fedora 28
Product: [Fedora] Fedora
Reporter: lutingrong
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 28
CC: dwalsh, lutingrong, lvrabec, mnabil.net, plautrba, zpytela
Hardware: x86_64   
OS: Linux   
Last Closed: 2019-05-29 00:09:32 UTC
Type: Bug

Description lutingrong 2018-12-25 16:08:16 UTC
Description of problem:
selinux is still blocking tigervnc-server start in fedora 28

Version-Release number of selected component (if applicable):
[l@HP14 ~]$ uname -a
Linux HP14 4.19.10-200.fc28.x86_64 #1 SMP Mon Dec 17 15:46:19 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

[l@HP14 ~]$ rpm -q tigervnc-server
tigervnc-server-1.9.0-3.fc28.x86_64

[l@HP14 ~]$ rpm -qa |grep selinux-policy
selinux-policy-3.14.1-50.fc28.noarch
selinux-policy-targeted-3.14.1-50.fc28.noarch

How reproducible:


Steps to Reproduce:
[l@HP14 ~]$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

[l@HP14 ~]$ sudo systemctl restart vncserver@:1.service 
Job for vncserver@:1.service failed because a timeout was exceeded.
See "systemctl status vncserver@:1.service" and "journalctl -xe" for details.

[l@HP14 ~]$ sudo systemctl status vncserver@\:1.service 
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Tue 2018-12-25 23:42:29 CST; 40s ago
  Process: 7487 ExecStop=/usr/bin/vncserver -kill :1 (code=exited, status=0/SUCCESS)
  Process: 9188 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
  Process: 9183 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
 Main PID: 6553 (code=exited, status=0/SUCCESS)
      CPU: 6.794s

Dec 25 23:42:24 HP14 systemd[1]: vncserver@:1.service: Start operation timed out. Terminating.
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: Exiting...
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451080]: GLib-GIO[9305]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451379]: GLib-GIO[9305]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451716]: IMSettings-Daemon[9305]: INFO: Unloading imesttings module: gsettings
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.452020]: IMSettings-Daemon[9305]: INFO: imsettings-daemon is shut down.
Dec 25 23:42:24 HP14 pulseaudio[9430]: PulseAudio information vanished from X11!
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Dec 25 23:42:29 HP14 systemd[1]: Failed to start Remote desktop service (VNC).
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Consumed 6.794s CPU time

[l@HP14 ~]$ journalctl -xe
...
Dec 25 23:42:25 HP14 kernel: [drm] ib test on ring 3 succeeded in 0 usecs
Dec 25 23:42:25 HP14 kernel: [drm] ib test on ring 4 succeeded in 0 usecs
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Dec 25 23:42:29 HP14 systemd[1]: Failed to start Remote desktop service (VNC).
-- Subject: Unit vncserver@:1.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit vncserver@:1.service has failed.
-- 
-- The result is failed.
Dec 25 23:42:29 HP14 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=vncserver@:1 comm="systemd" exe="/usr/lib/systemd/systemd">
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Consumed 6.794s CPU time
-- Subject: Resources consumed by unit runtime
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- The unit vncserver@:1.service completed and consumed the indicated resources.
Dec 25 23:42:29 HP14 sudo[9175]: pam_unix(sudo:session): session closed for user root
Dec 25 23:42:29 HP14 audit[9175]: USER_END pid=9175 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limit>
Dec 25 23:42:29 HP14 audit[9175]: CRED_DISP pid=9175 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acc>
Dec 25 23:43:10 HP14 sudo[9822]:        l : problem with defaults entries ; TTY=pts/0 ; PWD=/home/l ; USER=root ;
Dec 25 23:43:10 HP14 audit[9822]: USER_ACCT pid=9822 uid=1000 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localus>
Dec 25 23:43:10 HP14 audit[9822]: USER_CMD pid=9822 uid=1000 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/l" cmd=73797374656D63746C207374617475>
Dec 25 23:43:10 HP14 sudo[9822]:        l : TTY=pts/0 ; PWD=/home/l ; USER=root ; COMMAND=/usr/bin/systemctl status vncserver@:1.service
Dec 25 23:43:10 HP14 audit[9822]: CRED_REFR pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct=">
Dec 25 23:43:10 HP14 sudo[9822]: pam_systemd(sudo:session): Cannot create session: Already running in a session
Dec 25 23:43:10 HP14 sudo[9822]: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 25 23:43:10 HP14 audit[9822]: USER_START pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limi>
Dec 25 23:43:10 HP14 sudo[9822]: pam_unix(sudo:session): session closed for user root
Dec 25 23:43:10 HP14 audit[9822]: USER_END pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limit>
Dec 25 23:43:10 HP14 audit[9822]: CRED_DISP pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct=">
lines 1291-1342/1342 (END)

[l@HP14 ~]$ sudo setenforce 0

[l@HP14 ~]$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

[l@HP14 ~]$ sudo systemctl restart vncserver@:1.service 

[l@HP14 ~]$ sudo systemctl status vncserver@:1.service 
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-12-25 23:50:49 CST; 1min 13s ago
  Process: 7487 ExecStop=/usr/bin/vncserver -kill :1 (code=exited, status=0/SUCCESS)
  Process: 9912 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
  Process: 9907 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
 Main PID: 9919 (Xvnc)
    Tasks: 180 (limit: 4915)
   Memory: 250.5M
      CPU: 6.182s
   CGroup: /system.slice/system-vncserver.slice/vncserver@:1.service
           ├─ 9919 /usr/bin/Xvnc :1 -auth /home/l/.Xauthority -desktop HP14:1 (l) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/l/.vnc/passwd -rfbport 5901 -rfbwai>
           ├─ 9932 sh -c (/home/l/.vnc/xstartup; /usr/bin/vncserver -kill :1) >> '/home/l/.vnc/HP14:1.log' 2>&1 &
           ├─ 9933 /bin/sh /etc/xdg/xfce4/xinitrc -- vt
           ├─ 9946 dbus-launch --sh-syntax --exit-with-session
           ├─ 9947 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session
           ├─10034 /usr/libexec/imsettings-daemon
           ├─10038 /usr/libexec/gvfsd
           ├─10085 /usr/bin/ssh-agent /etc/X11/xinit/Xclients
           ├─10099 xfce4-session
           ├─10103 /usr/lib64/xfce4/xfconf/xfconfd
           ├─10106 gnome-keyring-daemon --start
           ├─10111 xfwm4
           ├─10115 xfce4-panel
           ├─10117 Thunar --daemon
           ├─10119 xfdesktop
           ├─10120 /usr/bin/python3 /usr/bin/redshift-gtk
           ├─10121 xscreensaver -nosplash
           ├─10122 /usr/bin/ibus-daemon
           ├─10124 xfsettingsd
           ├─10127 /usr/bin/python3 /usr/bin/dnfdragora-updater
           ├─10128 /usr/libexec/geoclue-2.0/demos/agent
           ├─10142 /usr/libexec/ibus-dconf
           ├─10143 /usr/libexec/ibus-ui-gtk3
           ├─10146 xfce4-power-manager
           ├─10147 /usr/libexec/ibus-extension-gtk3
           ├─10152 /usr/bin/python2 /usr/bin/blueberry-tray
           ├─10156 /usr/libexec/ibus-portal
           ├─10158 /usr/bin/python2 /usr/lib/blueberry/blueberry-tray.py
           ├─10163 /usr/bin/pulseaudio --start
           ├─10167 nm-applet
           ├─10172 abrt-applet
           ├─10181 /usr/bin/python3 /usr/bin/seapplet
           ├─10196 /usr/libexec/at-spi-bus-launcher
           ├─10198 /usr/libexec/xfce-polkit
           ├─10208 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
           ├─10238 /usr/libexec/at-spi2-registryd --use-gnome-session
           ├─10245 /usr/lib64/tumbler-1/tumblerd
           ├─10269 /usr/lib64/xfce4/notifyd/xfce4-notifyd
           ├─10288 /usr/libexec/gvfs-udisks2-volume-monitor
           ├─10318 /usr/bin/redshift -v
           ├─10332 /usr/lib64/xfce4/panel/wrapper-2.0 /usr/lib64/xfce4/panel/plugins/libpulseaudio-plugin.so 16 10485793 pulseaudio PulseAudio Plugin Adjust the audio volume of the PulseAud>
lines 1-52


Actual results:
selinux is still blocking tigervnc-server start in fedora 28

Expected results:
tigervnc-server can start with selinux either enforced or permissive in fedora 28

Additional info:

Comment 1 Miroslav Grepl 2019-02-19 15:24:23 UTC
Hello lutingrong.

Did you try to execute it either as a permissive domain or in permissive mode?

So we know whether SELinux is a culprit or not.

Note: You mentioned "tigervnc-server can start with selinux either enforced or permissive in fedora 28" but not sure whether you tested it in permissive mode or not.
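
Added example, not part of the original report or of any comment: the journal excerpt in the description shows no AVC records, so answering the permissive-domain question above starts with pulling the denials from the audit log and seeing which source domain they belong to. The script runs over constructed audit lines; `example_vnc_t` is a placeholder type, and the `ausearch` and `semanage` invocations in the comments assume root on the affected host.

```shell
#!/bin/sh
# Added example: group SELinux denials by source domain so that one domain
# can be made permissive instead of switching the whole system with setenforce 0.

# Constructed audit records. example_vnc_t is a placeholder type, not the
# real domain of the vncserver unit.
sample_audit() {
cat <<'EOF'
type=SERVICE_START msg=audit(1545752549.000:900): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=vncserver@:1 res=failed'
type=AVC msg=audit(1545752544.100:901): avc:  denied  { read } for  pid=9188 comm="vncserver" name="passwd" scontext=system_u:system_r:example_vnc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545752544.200:902): avc:  denied  { read } for  pid=9188 comm="vncserver" name="config" scontext=system_u:system_r:example_vnc_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1545752544.300:903): avc:  denied  { write } for  pid=9190 comm="Xvnc" name="X1" scontext=system_u:system_r:example_vnc_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
EOF
}

# stdin:  raw audit records (audit.log or `ausearch --raw` output)
# stdout: "<count> <source type> <target type> <class> <permissions>"
summarise_avc() {
    grep -E 'type=(USER_)?AVC .*denied' |
    sed -nE 's/.*denied +\{ ([^}]*) \}.*scontext=[^:]+:[^:]+:([^: ]+).*tcontext=[^:]+:[^:]+:([^: ]+).*tclass=([a-z_0-9]+).*/\2 \3 \4 \1/p' |
    LC_ALL=C sort | uniq -c | sed -E 's/^ +//'
}

# Distinct source domains that were denied something.
denied_domains() {
    summarise_avc | awk '{ print $2 }' | LC_ALL=C sort -u
}

# On a live system, feed it the denials logged around the failed start:
#   ausearch -m AVC,USER_AVC -ts recent --raw | summarise_avc
# then, for each domain printed by denied_domains:
#   semanage permissive -a <domain>        # only this domain stops being enforced
#   systemctl restart vncserver@:1.service
#   semanage permissive -d <domain>        # restore enforcement afterwards
sample_audit | summarise_avc
```

If the service fails while enforcing but no denial is logged, dontaudit rules may be hiding it; `semodule -DB` rebuilds the policy with them disabled and `semodule -B` restores them.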

Comment 2 Ben Cotton 2019-05-02 19:23:34 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 28 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Ben Cotton 2019-05-29 00:09:32 UTC
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 4 Mohammad 2019-11-06 15:00:29 UTC
The bug is still present in Fedora 30: when SELinux is enabled, systemctl status vncserver@:1 times out;
when SELinux is disabled, the VNC server works fine.

$uname -a
Linux fedora 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
#sestatus
SELinux status:                 disabled