Red Hat Bugzilla – Bug 447631
F9 cannot launch VNCServer with ENFORCING SELinux and error is not logged
Last modified: 2013-04-30 19:39:38 EDT
Description of problem:
After upgrade from f8 to f9, preconfigured server launched by
/etc/init.d/vncserver stopped working. Debugging has led to finding that a
process cannot launch /bin/dbus-daemon, apparently because of SELinux
('setenforce 0' causes server to run normally).
Interesting/scarily the issues reported by the VNC process are not logged by
Version-Release number of selected component (if applicable):
Configure and launch VNCServer for a user.
See http://forums.fedoraforum.org/showthread.php?p=1015374 for more information.
Adding Dan to the CC list, as report suggests issue with SELinux policy.
Fixed in selinux-policy-3.3.1-55.fc9.noarch
Downloaded and installed. Package list:
[root@blackrock .vnc]# yum list selinux-policy*
Loaded plugins: refresh-packagekit
selinux-policy.noarch 3.3.1-55.fc9 installed
selinux-policy-devel.noarch 3.3.1-55.fc9 installed
selinux-policy-targeted.noarch 3.3.1-51.fc9 installed
selinux-policy-mls.noarch 3.3.1-51.fc9 updates
Then, configured for autorelabel and rebooted. Confirmed /.autorelabel was
removed after reboot, connected to VNC. Still same behavior.
VNC logs show:
[root@blackrock /]# more ~topping/.vnc/blackrock.orb.org:1.log
Xvnc Free Edition 4.1.2
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.
Underlying X server release 10499901,
Wed May 21 11:51:12 2008
vncext: VNC extension running!
vncext: Listening for VNC connections on port 5901
vncext: created VNC server for screen 0
Failed to execute message bus daemon /bin/dbus-daemon: Permission denied. Will
without full path.
Failed to execute message bus daemon: Permission denied
EOF in dbus-launch reading address from bus daemon
** Message: another SSH agent is running at: /tmp/ssh-gUYRUn5603/agent.5603
Could not launch dbus-daemon
dbus-daemon exited unexpectedly
** ERROR:(gsm-dbus.c:118):gsm_dbus_daemon_start: assertion failed:
(dbus_daemon_pid != 0)
Wed May 21 11:51:38 2008
Connections: accepted: 22.214.171.124::49213
SConnection: Client needs protocol version 3.889
SConnection: Client uses unofficial protocol version 3.889
SConnection: Assuming compatibility with version 3.8
SConnection: Client requests security type VncAuth(2)
VNCSConnST: Server default pixel format depth 16 (16bpp) little-endian rgb565
VNCSConnST: Client pixel format depth 32 (32bpp) little-endian rgb max
255,255,255 shift 16,8,0
I'm going to look at this one tomorrow. Could you please attach your
.vnc/xstartup file? Thanks
Try chcon -t unconfined_notrans_exec_t /usr/bin/vncserver
Then restart the service. Does that fix the problem?
Created attachment 306284
Audit log tail while restarting VNCServer service
Hi Daniel, thanks for taking the time on this. That chcon did allow the desktop
to launch, but it is extremely slow now.
# Uncomment the following two lines for normal desktop:
[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
I'm wondering if this is related to a recent 'yum update' that pulled down about
80 packages IIRC. As of the writing of this entry, it is the latest from the
yum repo (no new updates).
Regarding SELinux, I am finally getting entries in the audit.log. This is with
a 'tail -f /var/log/audit/audit.log' running in the background so you can see
the timing. Attached as "Terminal Saved Output".
I have no idea why it is slow. Probably unrelated to selinux.
The other avc you can ignore.
Fixed in /selinux-policy-3.3.1-56
Could you please explain what you mean by "slow"? Does it consume much CPU time?
Did you compare F8/F9 Xvnc?
I believe the reason the session is slow to launch is explained in bug #446176.
When nautilus (or any application that creates a file chooser dialog) starts up
the file chooser dialog tries to obtain a list of HAL devices, but SELinux
prevents that information from getting to the security context that the VNC
session runs in and so it times out after 50 seconds.
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
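The audit2allow step above turns every denial in the log into an allow rule, so it is worth seeing those denials grouped by source type, target type and class before loading the module. The Python below is an added example, not part of the bug report or of any commenter's reply; the AVC records and the type names in them are constructed placeholders, not the denials from this bug's attachment.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format. The type names are
# placeholders, not the denials recorded in this bug's attachment.
SAMPLE_LOG = '''\
type=AVC msg=audit(1211385072.101:41): avc:  denied  { execute } for  pid=5603 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=1234 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1211385072.101:41): arch=40000003 syscall=11 success=no exit=-13 comm="dbus-launch"
type=AVC msg=audit(1211385072.140:42): avc:  denied  { execute_no_trans } for  pid=5603 comm="dbus-launch" path="/bin/dbus-daemon" dev=dm-0 ino=1234 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_exec_t:s0 tclass=file
type=AVC msg=audit(1211385098.007:57): avc:  denied  { read write } for  pid=5710 comm="nautilus" scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:system_r:example_daemon_t:s0 tclass=unix_stream_socket
'''

# Matches a denied AVC and captures permissions, both contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, granted AVCs, unrelated lines
        # The type is the third field of user:role:type[:level].
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
        entry = groups[key]
        entry["perms"].update(m["perms"].split())
        comm = COMM_RE.search(line)
        if comm:
            entry["comms"].add(comm.group(1))
        entry["count"] += 1
    return dict(groups)


def as_allow_rules(groups):
    """Render each group as the allow rule a generated module would carry."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }};"
        for (src, tgt, cls), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

Pointing `summarize_denials` at the text of /var/log/audit/audit.log shows which processes triggered each rule, so a rule that grants more than the failing service needs can be dropped before the module is installed.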
Fixed in selinux-policy-3.3.1-72.fc9.noarch
I believe #10 is correct. I have not seen the problem since Daniel sent me the
patches, but am not entirely sure that SELinux is enabled now. I didn't realize
Xen was a problem with F9 until after I installed over F8 and in the fallout,
haven't had much time to use that machine. Sorry I can't be of more assistance.
With selinux-policy-3.3.1-72.fc9 it works fine.
(In reply to comment #13)
> With selinux-policy-3.3.1-72.fc9 it works fine.
Thanks for your feedback.
*** Bug 450031 has been marked as a duplicate of this bug. ***