Description of problem:
Starting vncserver with systemd fails, while running vncserver from the command line works fine.

Version-Release number of selected component (if applicable):
kernel-3.14.0-0.rc1.git2.1.fc21.x86_64
tigervnc-server-1.3.0-12.fc21.x86_64
systemd-208-12.fc21.x86_64

How reproducible:
every time

Steps to Reproduce:
1. install tigervnc-server
2. enable vncserver@:1.service in systemd
3. replace <USER> with your username in /etc/systemd/system/multi-user.target.wants/vncserver@:1.service
4. run vncpasswd to create the ~/.vnc/passwd file
5. try to start the vncserver service by running "systemctl start vncserver@:1.service" as root.

Actual results:
vncserver does not start. systemd prints out the error message: Job for vncserver@:1.service failed

Expected results:
vncserver starts. I normally verify it by running netstat and looking for the Xvnc process listening on a TCP port.

Additional info:

content from journalctl:
Feb 09 11:32:48 beast.localdomain sudo[1322]: user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
Feb 09 11:34:39 beast.localdomain sudo[1355]: user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/systemctl start vncserver@:1.service
Feb 09 11:34:39 beast.localdomain systemd[1]: Starting Remote desktop service (VNC)...
Feb 09 11:34:39 beast.localdomain systemd[1]: Starting Session c4 of user user.
Feb 09 11:34:39 beast.localdomain systemd[1]: Started Session c4 of user user.
Feb 09 11:34:39 beast.localdomain runuser[1361]: pam_unix(runuser-l:session): session opened for user user by (uid=0)
Feb 09 11:34:39 beast.localdomain runuser[1361]: -bash: /usr/bin/vncserver: /usr/bin/perl: bad interpreter: Permission denied
Feb 09 11:34:39 beast.localdomain runuser[1361]: pam_unix(runuser-l:session): session closed for user user
Feb 09 11:34:39 beast.localdomain systemd[1]: vncserver@:1.service: control process exited, code=exited status=126
Feb 09 11:34:39 beast.localdomain systemd[1]: Failed to start Remote desktop service (VNC).
Feb 09 11:34:39 beast.localdomain systemd[1]: Unit vncserver@:1.service entered failed state.

content from audit.log:
type=SERVICE_START msg=audit(1391945679.894:140): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="vncserver@:1" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

content from /etc/pam.d/runuser-l:
#%PAM-1.0
auth include runuser
session optional pam_keyinit.so force revoke
-session optional pam_systemd.so
session include runuser

content from /etc/systemd/system/multi-user.target.wants/vncserver@\:1.service:
[Unit]
Description=Remote desktop service (VNC)
After=syslog.target network.target

[Service]
Type=forking
# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
ExecStart=/sbin/runuser -l user -c "/usr/bin/vncserver %i"
PIDFile=/home/user/.vnc/%H%i.pid
ExecStop=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

[Install]
WantedBy=multi-user.target
> vncserver does not start. systemd prints out error message: Job for
> vncserver@:1.service failed

> Feb 09 11:34:39 beast.localdomain runuser[1361]: -bash: /usr/bin/vncserver:
> /usr/bin/perl: bad interpreter: Permission denied

This seems to be the issue. Permission denied is not really the cause, but just saying you can't run a script without an interpreter. The cause of 'Permission denied' is the 'bad interpreter' part.

Why does /usr/bin/perl seem to be a bad interpreter? Check whether /usr/bin/perl is working correctly, has the right permissions and SELinux file context, etc.

Changing component to perl as this seems to be where the problem lies.
Hi Tim, thanks for the answer. I do not think perl itself is the problem. As I said in my original comment, I can run vncserver from the command line. Running the following command as root works fine:

runuser -l user -c "/usr/bin/vncserver :1"

The following command works as well:

perl -e 'printf "perl is working"'

I assume PAM somehow prevents systemd from running /usr/bin/perl.
I don't think PAM is involved, as it's already got as far as executing 'bash -c "/usr/bin/vncserver :1"', as we can see from the error message. The runuser session was started, so the auth phase was successful.

It could potentially be something about the environment runuser is run from, so systemd may be causing this, either itself or as a result of SELinux context changes in rawhide.

So you have SELinux in enforcing mode? Can you start the vncserver service after 'setenforce 0'?
(In reply to Tim Waugh from comment #3)
> So you have SELinux in enforcing mode?

Yes.

> Can you start the vncserver service after 'setenforce 0'?

You are right! After "setenforce 0" I can start the systemd service. How should I approach a SELinux related issue?
Changing component to selinux-policy for further analysis.
Hi Yevgeniy, Could you attach AVC logs from /var/log/audit.log? Thank you.
Hi Lukas,

I ran "tail -f /var/log/audit/audit.log" and on a different terminal I ran "systemctl start vncserver@:1.service". Here is the output from tail:

type=SELINUX_ERR msg=audit(1392234160.211:2339): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1392234160.211:2339): arch=c000003e syscall=59 success=no exit=-13 a0=2506b90 a1=2506cf0 a2=25059d0 a3=7fff5303e9b0 items=0 ppid=1490 pid=1491 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CRED_ACQ msg=audit(1392234160.222:2340): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1392234160.239:2341): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SELINUX_ERR msg=audit(1392234160.281:2342): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1392234160.281:2342): arch=c000003e syscall=59 success=no exit=-13 a0=23f7e80 a1=23f7890 a2=23fcac0 a3=7fff343d4020 items=0 ppid=1493 pid=1499 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
type=USER_END msg=audit(1392234160.284:2343): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_close acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1392234160.284:2344): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1392234160.287:2345): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="vncserver@:1" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed

Here is a pastebin, if you prefer it over plain text: http://pastebin.com/FZn8eN6u
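The audit records in the comment above can be correlated mechanically: every record of one event shares the serial inside msg=audit(...:SERIAL), so a SELINUX_ERR record can be joined to the SYSCALL record that tells you which process, running as which uid, tried to exec what. The script below is an added example written for this page, not code from the report or from the selinux-policy or tigervnc projects; its input is a constructed sample made of the two SELINUX_ERR events and their SYSCALL records copied from the thread (plus one unrelated CRED_ACQ record), and it decodes the SYSCALL exit value (exit=-13 is -EACCES, which is the "Permission denied" the shell printed in the journal) so the journal error and the audit denial can be tied together.

```python
"""Correlate SELinux security_compute_sid errors with their SYSCALL records.

Added example for this bug thread (not the report's own code). It groups raw
audit records by event serial and reports each failed domain transition: the
source domain, the file type that was exec'd, the computed context the policy
rejected, and the process that hit the error.
"""
import errno
import re
from collections import defaultdict

# Constructed sample input: the two SELINUX_ERR events and their SYSCALL records
# copied from the audit output in this thread, plus one unrelated CRED_ACQ record.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(1392234160.211:2339): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1392234160.211:2339): arch=c000003e syscall=59 success=no exit=-13 a0=2506b90 a1=2506cf0 a2=25059d0 a3=7fff5303e9b0 items=0 ppid=1490 pid=1491 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CRED_ACQ msg=audit(1392234160.222:2340): pid=1493 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred acct="user" exe="/usr/sbin/runuser" hostname=? addr=? terminal=? res=success'
type=SELINUX_ERR msg=audit(1392234160.281:2342): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1392234160.281:2342): arch=c000003e syscall=59 success=no exit=-13 a0=23f7e80 a1=23f7890 a2=23fcac0 a3=7fff343d4020 items=0 ppid=1493 pid=1499 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="bash" exe="/usr/bin/bash" subj=system_u:system_r:initrc_t:s0 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
COMPUTE_SID_RE = re.compile(
    r"security_compute_sid: invalid context (\S+) for "
    r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)"
)


def parse_context(ctx):
    """Split user:role:type:range; the MLS range may itself contain ':' so split at most 3 times."""
    user, role, type_, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": mls}


def group_by_event(text):
    """Index audit records by event serial and record type; records of one event share a serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        timestamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        fields["_timestamp"] = timestamp
        fields["_raw"] = line
        events[serial][fields["type"]] = fields
    return events


def failed_transitions(text):
    """One finding per SELINUX_ERR event whose computed context was rejected, in serial order."""
    findings = []
    for serial, records in sorted(group_by_event(text).items(), key=lambda kv: int(kv[0])):
        err = records.get("SELINUX_ERR")
        if not err:
            continue
        m = COMPUTE_SID_RE.search(err["_raw"])
        if not m:
            continue
        computed, scontext, tcontext, tclass = m.groups()
        computed_ctx = parse_context(computed)
        syscall = records.get("SYSCALL", {})  # may be absent if audit rules drop SYSCALL records
        findings.append({
            "serial": serial,
            "timestamp": err["_timestamp"],
            "source_domain": parse_context(scontext)["type"],
            "target_type": parse_context(tcontext)["type"],
            "tclass": tclass,
            "computed_role": computed_ctx["role"],
            "computed_type": computed_ctx["type"],
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "uid": int(syscall["uid"]) if "uid" in syscall else None,
            "exit": int(syscall["exit"]) if "exit" in syscall else None,
            "syscall": syscall.get("syscall"),  # 59 is execve on x86_64 (arch=c000003e)
        })
    return findings


def summarize(text):
    """Human-readable one-liners; the negative exit value is the errno the kernel returned."""
    lines = []
    for f in failed_transitions(text):
        err_name = errno.errorcode.get(-f["exit"], "?") if f["exit"] is not None else "?"
        lines.append(
            f"event {f['serial']}: {f['comm']} ({f['exe']}, uid {f['uid']}) in domain "
            f"{f['source_domain']} exec'd a {f['target_type']} file; the policy computed "
            f"{f['computed_role']}:{f['computed_type']} and rejected it as an invalid context "
            f"(exit {f['exit']} = {err_name})"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_AUDIT):
        print(line)
```

An "invalid context" from security_compute_sid is not an ordinary AVC denial: the transition rule fired, but the resulting user/role/type combination is not authorised by the policy (here the role unconfined_r is paired with the type initrc_t). That is why audit2allow has nothing to offer for these records, and why the thread ends in a policy change rather than a local module; the script only pinpoints which exec produced the rejected context.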
Strange that this ends up with an unconfined_r?

system_u:unconfined_r:initrc_t:s0

It almost seems like there is a runcon somewhere.
type=SELINUX_ERR msg=audit(1392234160.211:2339): security_compute_sid: invalid context system_u:unconfined_r:initrc_t:s0 for scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unconfined_exec_t:s0 tclass=process

Perhaps one of the binaries involved is labelled unconfined_exec_t? What does 'ls -Z /bin/bash /usr/bin/perl /usr/bin/vncserver' say?
This is a really weird issue. Basically it is caused by

ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'

which means we have

init_t @bin_t -> initrc_t

But we don't want to see it in initrc_t but in unconfined_t.
(In reply to Miroslav Grepl from comment #10)
> This is really weird issue. Basically it is caused by
>
> ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
>
> which means we have
>
> init_t @bin_t -> initrc_t

I meant init_t @shell_exec_t -> initrc_t

>
> But we don't want to see it in initrc_t but in unconfined_t.
This works on F20 because of the initrc_t -> unconfined_t transition, which has been removed in F20.
Well I guess we need to add it back in...
What about this line?:

type=SELINUX_ERR msg=audit(1409737379.032:620): security_compute_sid: invalid context system_u:unconfined_r:unconfined_service_t:s0 for scontext=system_u:system_r:unconfined_service_t:s0 context=system_u:object_r:unconfined_exec_t:s0 tclass=process

Is this a policy bug?
Yes this one is a bug in the policy.
commit 32b0a182f80b0a9d1f9fa42117c51ddf189ff852
Author: Miroslav Grepl <mgrepl>
Date:   Wed Sep 3 13:02:33 2014 +0200

    Allow unconfined_r to access unconfined_service_t.
Hello all, I'm stuck at the same issue after a f20 to f21 upgrade. Is there anything I can do to get the vncserver service working properly? Seems this issue isn't fixed yet. Many thanks in advance.
Could you attach version of your selinux-policy package?
(In reply to Lukas Vrabec from comment #18)
> Could you attach version of your selinux-policy package?

I've the following version installed:

selinux-policy.noarch 3.13.1-99.fc21 installed
Since the last selinux-policy update it's working properly again. Thanks a lot for the fix and Merry Christmas.