Bug 447631
Summary: | F9 cannot launch VNCServer with ENFORCING SELinux and error is not logged
---|---
Product: | [Fedora] Fedora
Component: | vnc
Version: | 9
Hardware: | All
OS: | Linux
Status: | CLOSED CURRENTRELEASE
Severity: | high
Priority: | low
Reporter: | Brian Topping <topping>
Assignee: | Adam Tkac <atkac>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | dwalsh, jeff, mats.ljunggren, ovasik, thoger, twaugh
Keywords: | Reopened
URL: | http://forums.fedoraforum.org/showthread.php?p=1015374
Fixed In Version: | selinux-policy-3.3.1-72.fc9
Doc Type: | Bug Fix
Last Closed: | 2008-06-30 10:59:01 UTC

Description
Brian Topping
2008-05-20 21:33:55 UTC
Adding Dan to the CC list, as report suggests issue with SELinux policy.

Fixed in selinux-policy-3.3.1-55.fc9.noarch

Downloaded and installed. Package list:

```
[root@blackrock .vnc]# yum list selinux-policy*
Loaded plugins: refresh-packagekit
Installed Packages
selinux-policy.noarch            3.3.1-55.fc9   installed
selinux-policy-devel.noarch      3.3.1-55.fc9   installed
selinux-policy-targeted.noarch   3.3.1-51.fc9   installed
Available Packages
selinux-policy-mls.noarch        3.3.1-51.fc9   updates
```

Then, configured for autorelabel and rebooted. Confirmed /.autorelabel was removed after reboot, connected to VNC. Still same behavior. VNC logs show:

```
[root@blackrock /]# more ~topping/.vnc/blackrock.orb.org:1.log
Xvnc Free Edition 4.1.2
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.
Underlying X server release 10499901,

Wed May 21 11:51:12 2008
 vncext: VNC extension running!
 vncext: Listening for VNC connections on port 5901
 vncext: created VNC server for screen 0
Failed to execute message bus daemon /bin/dbus-daemon: Permission denied. Will try again without full path.
Failed to execute message bus daemon: Permission denied
EOF in dbus-launch reading address from bus daemon
SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/5603,unix/unix:/tmp/.ICE-unix/5603
** Message: another SSH agent is running at: /tmp/ssh-gUYRUn5603/agent.5603
Could not launch dbus-daemon
dbus-daemon exited unexpectedly
**
** ERROR:(gsm-dbus.c:118):gsm_dbus_daemon_start: assertion failed: (dbus_daemon_pid != 0)

Wed May 21 11:51:38 2008
 Connections: accepted: 204.152.96.245::49213
 SConnection: Client needs protocol version 3.889
 SConnection: Client uses unofficial protocol version 3.889
 SConnection: Assuming compatibility with version 3.8
 SConnection: Client requests security type VncAuth(2)
 VNCSConnST: Server default pixel format depth 16 (16bpp) little-endian rgb565
 VNCSConnST: Client pixel format depth 32 (32bpp) little-endian rgb max 255,255,255 shift 16,8,0
```

I'm going to look on this one tomorrow. Could you please attach your .vnc/xstartup file, please? Thanks

Brian, try

```
chcon -t unconfined_notrans_exec_t /usr/bin/vncserver
```

Then restart the service, does that fix the problem?

Created attachment 306284 [details]
Audit log tail while restarting VNCServer service

Hi Daniel, thanks for taking the time on this. That chcon did allow the desktop to launch, but it is extremely slow now.

xstartup:

```
#!/bin/sh
# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
startx &
```

I'm wondering if this is related to a recent 'yum update' that pulled down about 80 packages IIRC. As of the writing of this entry, it is the latest from the yum repo (no new updates).

Regarding SELinux, I am finally getting entries in the audit.log. This is with a 'tail -f /var/log/audit/audit.log' running in the background so you can see the timing. Attached as "Terminal Saved Output".

I have no idea why it is slow. Probably unrelated to selinux. The other avc you can ignore.

Fixed in /selinux-policy-3.3.1-56

Could you please explain what you mean with "slow"? It consumes much CPU time? Did you compare F8/F9 Xvnc?

I believe the reason the session is slow to launch is explained in bug #446176. When nautilus (or any application that creates a file chooser dialog) starts up the file chooser dialog tries to obtain a list of HAL devices, but SELinux prevents that information from getting to the security context that the VNC session runs in and so it times out after 50 seconds.

```
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
```

Fixed in selinux-policy-3.3.1-72.fc9.noarch

I believe #10 is correct. I have not seen the problem since Daniel sent me the patches, but am not entirely sure that SELinux is enabled now. I didn't realize Xen was a problem with F9 until after I installed over F8 and in the fallout, haven't had much time to use that machine. Sorry I can't be of more assistance.

With selinux-policy-3.3.1-72.fc9 it works fine.

(In reply to comment #13)
> With selinux-policy-3.3.1-72.fc9 it works fine.

Thanks for your feedback.

*** Bug 450031 has been marked as a duplicate of this bug. ***
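The `audit2allow -M mypol -l -i /var/log/audit/audit.log` and `semodule -i mypol.pp` commands suggested in this thread turn every logged denial since the last policy load into an allow rule, so it is worth listing those denials before loading the module. The following is an added example, not code from the bug report or from the SELinux tools: it approximates the `-l` selection by keeping only AVC denials after the last `MAC_POLICY_LOAD` record and groups them for review. The log lines and the SELinux type names in them are constructed placeholders, not taken from the bug's attachment.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the bug's attachment);
# the SELinux type names are placeholders chosen for illustration.
SAMPLE_LOG = """\
type=AVC msg=audit(1211367000.100:40): avc:  denied  { read } for  pid=5500 comm="old" name="x" dev=dm-0 ino=11 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1211367050.000:41): policy loaded auid=0 ses=1
type=AVC msg=audit(1211367072.200:42): avc:  denied  { execute } for  pid=5603 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=22 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:example_dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(1211367072.300:43): avc:  denied  { execute_no_trans } for  pid=5603 comm="dbus-launch" path="/bin/dbus-daemon" dev=dm-0 ino=22 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:example_dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(1211367080.000:44): avc:  granted  { setenforce } for  pid=1 comm="x" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_since_reload(log_text):
    """Group AVC denials logged after the last policy load record."""
    lines = log_text.splitlines()
    last_load = max((i for i, l in enumerate(lines)
                     if l.startswith("type=MAC_POLICY_LOAD")), default=-1)
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in lines[last_load + 1:]:
        m = AVC_RE.search(line)
        if not m or not line.startswith("type=AVC"):
            continue  # skip non-AVC records and "granted" messages
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["comms"].add(m["comm"])
    return dict(rules)

def as_allow_rules(rules):
    """Render grouped denials as allow rules, one per (source, target, class)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
            for (s, t, c), v in sorted(rules.items())]

if __name__ == "__main__":
    for rule in as_allow_rules(denials_since_reload(SAMPLE_LOG)):
        print(rule)
```

Any rule in the output that is unrelated to the failing service is a reason to trim the module source before loading it.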