Description of problem:
selinux is still blocking tigervnc-server start in fedora 28

Version-Release number of selected component (if applicable):
[l@HP14 ~]$ uname -a
Linux HP14 4.19.10-200.fc28.x86_64 #1 SMP Mon Dec 17 15:46:19 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[l@HP14 ~]$ rpm -q tigervnc-server
tigervnc-server-1.9.0-3.fc28.x86_64
[l@HP14 ~]$ rpm -qa |grep selinux-policy
selinux-policy-3.14.1-50.fc28.noarch
selinux-policy-targeted-3.14.1-50.fc28.noarch

How reproducible:

Steps to Reproduce:
[l@HP14 ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

[l@HP14 ~]$ sudo systemctl restart vncserver@:1.service
Job for vncserver@:1.service failed because a timeout was exceeded.
See "systemctl status vncserver@:1.service" and "journalctl -xe" for details.

[l@HP14 ~]$ sudo systemctl status vncserver@\:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Tue 2018-12-25 23:42:29 CST; 40s ago
  Process: 7487 ExecStop=/usr/bin/vncserver -kill :1 (code=exited, status=0/SUCCESS)
  Process: 9188 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
  Process: 9183 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
 Main PID: 6553 (code=exited, status=0/SUCCESS)
      CPU: 6.794s

Dec 25 23:42:24 HP14 systemd[1]: vncserver@:1.service: Start operation timed out. Terminating.
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: Exiting...
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451080]: GLib-GIO[9305]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451379]: GLib-GIO[9305]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.451716]: IMSettings-Daemon[9305]: INFO: Unloading imesttings module: gsettings
Dec 25 23:42:24 HP14 com.redhat.imsettings[9218]: [ 1545752544.452020]: IMSettings-Daemon[9305]: INFO: imsettings-daemon is shut down.
Dec 25 23:42:24 HP14 pulseaudio[9430]: PulseAudio information vanished from X11!
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Dec 25 23:42:29 HP14 systemd[1]: Failed to start Remote desktop service (VNC).
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Consumed 6.794s CPU time

[l@HP14 ~]$ journalctl -xe
...
Dec 25 23:42:25 HP14 kernel: [drm] ib test on ring 3 succeeded in 0 usecs
Dec 25 23:42:25 HP14 kernel: [drm] ib test on ring 4 succeeded in 0 usecs
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Failed with result 'timeout'.
Dec 25 23:42:29 HP14 systemd[1]: Failed to start Remote desktop service (VNC).
-- Subject: Unit vncserver@:1.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit vncserver@:1.service has failed.
--
-- The result is failed.
Dec 25 23:42:29 HP14 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=vncserver@:1 comm="systemd" exe="/usr/lib/systemd/systemd">
Dec 25 23:42:29 HP14 systemd[1]: vncserver@:1.service: Consumed 6.794s CPU time
-- Subject: Resources consumed by unit runtime
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The unit vncserver@:1.service completed and consumed the indicated resources.
Dec 25 23:42:29 HP14 sudo[9175]: pam_unix(sudo:session): session closed for user root
Dec 25 23:42:29 HP14 audit[9175]: USER_END pid=9175 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limit>
Dec 25 23:42:29 HP14 audit[9175]: CRED_DISP pid=9175 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_localuser,pam_unix acc>
Dec 25 23:43:10 HP14 sudo[9822]: l : problem with defaults entries ; TTY=pts/0 ; PWD=/home/l ; USER=root ;
Dec 25 23:43:10 HP14 audit[9822]: USER_ACCT pid=9822 uid=1000 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localus>
Dec 25 23:43:10 HP14 audit[9822]: USER_CMD pid=9822 uid=1000 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/l" cmd=73797374656D63746C207374617475>
Dec 25 23:43:10 HP14 sudo[9822]: l : TTY=pts/0 ; PWD=/home/l ; USER=root ; COMMAND=/usr/bin/systemctl status vncserver@:1.service
Dec 25 23:43:10 HP14 audit[9822]: CRED_REFR pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct=">
Dec 25 23:43:10 HP14 sudo[9822]: pam_systemd(sudo:session): Cannot create session: Already running in a session
Dec 25 23:43:10 HP14 sudo[9822]: pam_unix(sudo:session): session opened for user root by (uid=0)
Dec 25 23:43:10 HP14 audit[9822]: USER_START pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limi>
Dec 25 23:43:10 HP14 sudo[9822]: pam_unix(sudo:session): session closed for user root
Dec 25 23:43:10 HP14 audit[9822]: USER_END pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limit>
Dec 25 23:43:10 HP14 audit[9822]: CRED_DISP pid=9822 uid=0 auid=1000 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct=">
lines 1291-1342/1342 (END)

[l@HP14 ~]$ sudo setenforce 0
[l@HP14 ~]$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

[l@HP14 ~]$ sudo systemctl restart vncserver@:1.service
[l@HP14 ~]$ sudo systemctl status vncserver@:1.service
● vncserver@:1.service - Remote desktop service (VNC)
   Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-12-25 23:50:49 CST; 1min 13s ago
  Process: 7487 ExecStop=/usr/bin/vncserver -kill :1 (code=exited, status=0/SUCCESS)
  Process: 9912 ExecStart=/usr/bin/vncserver -autokill :1 (code=exited, status=0/SUCCESS)
  Process: 9907 ExecStartPre=/bin/sh -c /usr/bin/vncserver -kill :1 > /dev/null 2>&1 || : (code=exited, status=0/SUCCESS)
 Main PID: 9919 (Xvnc)
    Tasks: 180 (limit: 4915)
   Memory: 250.5M
      CPU: 6.182s
   CGroup: /system.slice/system-vncserver.slice/vncserver@:1.service
           ├─ 9919 /usr/bin/Xvnc :1 -auth /home/l/.Xauthority -desktop HP14:1 (l) -fp catalogue:/etc/X11/fontpath.d -geometry 1024x768 -pn -rfbauth /home/l/.vnc/passwd -rfbport 5901 -rfbwai>
           ├─ 9932 sh -c (/home/l/.vnc/xstartup; /usr/bin/vncserver -kill :1) >> '/home/l/.vnc/HP14:1.log' 2>&1 &
           ├─ 9933 /bin/sh /etc/xdg/xfce4/xinitrc -- vt
           ├─ 9946 dbus-launch --sh-syntax --exit-with-session
           ├─ 9947 /usr/bin/dbus-daemon --syslog --fork --print-pid 5 --print-address 7 --session
           ├─10034 /usr/libexec/imsettings-daemon
           ├─10038 /usr/libexec/gvfsd
           ├─10085 /usr/bin/ssh-agent /etc/X11/xinit/Xclients
           ├─10099 xfce4-session
           ├─10103 /usr/lib64/xfce4/xfconf/xfconfd
           ├─10106 gnome-keyring-daemon --start
           ├─10111 xfwm4
           ├─10115 xfce4-panel
           ├─10117 Thunar --daemon
           ├─10119 xfdesktop
           ├─10120 /usr/bin/python3 /usr/bin/redshift-gtk
           ├─10121 xscreensaver -nosplash
           ├─10122 /usr/bin/ibus-daemon
           ├─10124 xfsettingsd
           ├─10127 /usr/bin/python3 /usr/bin/dnfdragora-updater
           ├─10128 /usr/libexec/geoclue-2.0/demos/agent
           ├─10142 /usr/libexec/ibus-dconf
           ├─10143 /usr/libexec/ibus-ui-gtk3
           ├─10146 xfce4-power-manager
           ├─10147 /usr/libexec/ibus-extension-gtk3
           ├─10152 /usr/bin/python2 /usr/bin/blueberry-tray
           ├─10156 /usr/libexec/ibus-portal
           ├─10158 /usr/bin/python2 /usr/lib/blueberry/blueberry-tray.py
           ├─10163 /usr/bin/pulseaudio --start
           ├─10167 nm-applet
           ├─10172 abrt-applet
           ├─10181 /usr/bin/python3 /usr/bin/seapplet
           ├─10196 /usr/libexec/at-spi-bus-launcher
           ├─10198 /usr/libexec/xfce-polkit
           ├─10208 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
           ├─10238 /usr/libexec/at-spi2-registryd --use-gnome-session
           ├─10245 /usr/lib64/tumbler-1/tumblerd
           ├─10269 /usr/lib64/xfce4/notifyd/xfce4-notifyd
           ├─10288 /usr/libexec/gvfs-udisks2-volume-monitor
           ├─10318 /usr/bin/redshift -v
           ├─10332 /usr/lib64/xfce4/panel/wrapper-2.0 /usr/lib64/xfce4/panel/plugins/libpulseaudio-plugin.so 16 10485793 pulseaudio PulseAudio Plugin Adjust the audio volume of the PulseAud>
lines 1-52

Actual results:
selinux is still blocking tigervnc-server start in fedora 28

Expected results:
tigervnc-server can start with selinux either enforced or permissive in fedora 28

Additional info:

Hello lutingrong. Did you try to execute it either as a permissive domain or in permissive mode? So we know whether SELinux is a culprit or not.

Note: You mentioned "tigervnc-server can start with selinux either enforced or permissive in fedora 28" but I am not sure whether you tested it in permissive mode or not.

This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
The bug is still present with Fedora 30: when SELinux is enabled, systemctl status vncserver@:1 times out; when SELinux is disabled, VNC-server works fine.

$uname -a
Linux fedora 5.3.8-200.fc30.x86_64 #1 SMP Tue Oct 29 14:46:22 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
#sestatus
SELinux status: disabled