Bug 447631

Summary: F9 cannot launch VNCServer with ENFORCING SELinux and error is not logged
Product: [Fedora] Fedora
Reporter: Brian Topping <topping>
Component: vnc
Assignee: Adam Tkac <atkac>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 9
CC: dwalsh, jeff, mats.ljunggren, ovasik, thoger, twaugh
Keywords: Reopened
Hardware: All
OS: Linux
URL: http://forums.fedoraforum.org/showthread.php?p=1015374
Fixed In Version: selinux-policy-3.3.1-72.fc9
Doc Type: Bug Fix
Last Closed: 2008-06-30 10:59:01 UTC
Attachments: Audit log tail while restarting VNCServer service (flags: none)

Description Brian Topping 2008-05-20 21:33:55 UTC
Description of problem:

After upgrade from f8 to f9, preconfigured server launched by
/etc/init.d/vncserver stopped working.  Debugging has led to finding that a
process cannot launch /bin/dbus-daemon, apparently because of SELinux
('setenforce 0' causes server to run normally).  

Interestingly/scarily, the issues reported by the VNC process are not logged by
auditd.  

Version-Release number of selected component (if applicable):
  dbus-1.2.1-1.fc9.x86_64
  vnc-server-4.1.2-30.fc9.x86_64
  audit-1.7.3-1.fc9.x86_64
  kernel-2.6.25.3-18.fc9.x86_64

How reproducible:
Configure and launch VNCServer for a user.

See http://forums.fedoraforum.org/showthread.php?p=1015374 for more information.

Comment 1 Tomas Hoger 2008-05-21 13:42:08 UTC
Adding Dan to the CC list, as report suggests issue with SELinux policy.

Comment 2 Daniel Walsh 2008-05-21 14:27:49 UTC
Fixed in selinux-policy-3.3.1-55.fc9.noarch

Comment 3 Brian Topping 2008-05-21 15:55:05 UTC
Downloaded and installed.  Package list:

[root@blackrock .vnc]# yum list selinux-policy*
Loaded plugins: refresh-packagekit
Installed Packages
selinux-policy.noarch                    3.3.1-55.fc9           installed       
selinux-policy-devel.noarch              3.3.1-55.fc9           installed       
selinux-policy-targeted.noarch           3.3.1-51.fc9           installed       
Available Packages
selinux-policy-mls.noarch                3.3.1-51.fc9           updates         

Then, configured for autorelabel and rebooted.  Confirmed /.autorelabel was
removed after reboot, connected to VNC.  Still same behavior.  

VNC logs show:

[root@blackrock /]# more ~topping/.vnc/blackrock.orb.org:1.log 

Xvnc Free Edition 4.1.2
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.
Underlying X server release 10499901, 


Wed May 21 11:51:12 2008
 vncext:      VNC extension running!
 vncext:      Listening for VNC connections on port 5901
 vncext:      created VNC server for screen 0
Failed to execute message bus daemon /bin/dbus-daemon: Permission denied.  Will try again without full path.
Failed to execute message bus daemon: Permission denied
EOF in dbus-launch reading address from bus daemon
SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/5603,unix/unix:/tmp/.ICE-unix/5603
** Message: another SSH agent is running at: /tmp/ssh-gUYRUn5603/agent.5603
Could not launch dbus-daemon
dbus-daemon exited unexpectedly
**
** ERROR:(gsm-dbus.c:118):gsm_dbus_daemon_start: assertion failed: (dbus_daemon_pid != 0)

Wed May 21 11:51:38 2008
 Connections: accepted: 204.152.96.245::49213
 SConnection: Client needs protocol version 3.889
 SConnection: Client uses unofficial protocol version 3.889
 SConnection: Assuming compatibility with version 3.8
 SConnection: Client requests security type VncAuth(2)
 VNCSConnST:  Server default pixel format depth 16 (16bpp) little-endian rgb565
 VNCSConnST:  Client pixel format depth 32 (32bpp) little-endian rgb max 255,255,255 shift 16,8,0


Comment 4 Adam Tkac 2008-05-21 16:09:50 UTC
I'm going to look at this one tomorrow. Could you please attach your
.vnc/xstartup file, please? Thanks

Comment 5 Daniel Walsh 2008-05-21 16:50:30 UTC
Brian 

try chcon -t unconfined_notrans_exec_t /usr/bin/vncserver

Then restart the service, does that fix the problem?

Comment 6 Brian Topping 2008-05-21 17:21:32 UTC
Created attachment 306284
Audit log tail while restarting VNCServer service

Comment 7 Brian Topping 2008-05-21 17:22:32 UTC
Hi Daniel, thanks for taking the time on this.  That chcon did allow the desktop
to launch, but it is extremely slow now.  

xstartup:

#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
startx &


I'm wondering if this is related to a recent 'yum update' that pulled down about
80 packages IIRC.  As of the writing of this entry, it is the latest from the
yum repo (no new updates).

Regarding SELinux, I am finally getting entries in the audit.log.  This is with
a 'tail -f /var/log/audit/audit.log' running in the background so you can see
the timing.  Attached as "Terminal Saved Output".

Comment 8 Daniel Walsh 2008-05-21 17:55:22 UTC
I have no idea why it is slow.  Probably unrelated to selinux.

The other avc you can ignore.

Fixed in /selinux-policy-3.3.1-56

Comment 9 Adam Tkac 2008-05-22 09:12:15 UTC
Could you please explain what you mean by "slow"? Does it consume much CPU time?
Did you compare F8/F9 Xvnc?

Comment 10 Tim Waugh 2008-06-26 10:44:08 UTC
I believe the reason the session is slow to launch is explained in bug #446176.
 When nautilus (or any application that creates a file chooser dialog) starts up
the file chooser dialog tries to obtain a list of HAL devices, but SELinux
prevents that information from getting to the security context that the VNC
session runs in and so it times out after 50 seconds.

Comment 11 Daniel Walsh 2008-06-26 11:26:18 UTC
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-72.fc9.noarch
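
Before loading a module generated as in comment 11, it helps to see which denials it would turn into allow rules. The following is an added example, not part of the bug report or of the Fedora policy: a shell function that tallies AVC denials per source type, target type, class and permission, optionally for a single command name. The function names `sample_audit_log` and `summarize_avc` are hypothetical, and the sample records (types, pids, timestamps) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): tally AVC denials as the allow
# rules a generated module would contain, so they can be reviewed first.

# Constructed sample records; types, pids and timestamps are illustrative.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1211390001.101:51): avc:  denied  { execute } for  pid=5610 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=1201 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_dbusd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1211390001.101:51): arch=c000003e syscall=59 success=no exit=-13 comm="dbus-launch"
type=AVC msg=audit(1211390001.204:52): avc:  denied  { execute execute_no_trans } for  pid=5611 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=1201 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:system_dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(1211390030.007:60): avc:  denied  { send_msg } for  pid=5702 comm="nautilus" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=dbus
EOF
}

# summarize_avc [COMM]: read audit records on stdin and print
# "<count> allow <source_type> <target_type>:<class> <perm>;" per denial kind.
summarize_avc() {
    awk -v want="${1:-}" '
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    $1 == "type=AVC" && /avc: +denied/ {
        np = 0; inperm = 0; comm = src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perm[++np] = $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "comm")          { gsub(/"/, "", val); comm = val }
            else if (key == "scontext") src = setype(val)
            else if (key == "tcontext") tgt = setype(val)
            else if (key == "tclass")   cls = val
        }
        if (want != "" && comm != want) next
        for (j = 1; j <= np; j++) seen[src " " tgt ":" cls " " perm[j]]++
    }
    END { for (k in seen) printf "%d allow %s;\n", seen[k], k }
    ' | sort
}

# Denials caused by dbus-launch only, then everything in the log.
sample_audit_log | summarize_avc dbus-launch
sample_audit_log | summarize_avc
```

On a live system the input would be `/var/log/audit/audit.log` piped into `summarize_avc`; a rule in the summary that cannot be explained is a reason to investigate before running `semodule -i`.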


Comment 12 Brian Topping 2008-06-27 03:43:56 UTC
I believe #10 is correct.  I have not seen the problem since Daniel sent me the
patches, but am not entirely sure that SELinux is enabled now.  I didn't realize
Xen was a problem with F9 until after I installed over F8 and in the fallout,
haven't had much time to use that machine.  Sorry I can't be of more assistance.

Comment 13 Tim Waugh 2008-06-30 08:55:02 UTC
With selinux-policy-3.3.1-72.fc9 it works fine.

Comment 14 Adam Tkac 2008-06-30 10:58:14 UTC
(In reply to comment #13)
> With selinux-policy-3.3.1-72.fc9 it works fine.

Thanks for your feedback.

Comment 15 Adam Tkac 2008-07-03 16:01:11 UTC
*** Bug 450031 has been marked as a duplicate of this bug. ***