Description of problem:
After upgrade from f8 to f9, preconfigured server launched by /etc/init.d/vncserver stopped working. Debugging has led to finding that a process cannot launch /bin/dbus-daemon, apparently because of SELinux ('setenforce 0' causes server to run normally). Interestingly/scarily, the issues reported by the VNC process are not logged by auditd.

Version-Release number of selected component (if applicable):
dbus-1.2.1-1.fc9.x86_64
vnc-server-4.1.2-30.fc9.x86_64
audit-1.7.3-1.fc9.x86_64
kernel-2.6.25.3-18.fc9.x86_64

How reproducible:
Configure and launch VNCServer for a user. See http://forums.fedoraforum.org/showthread.php?p=1015374 for more information.
Adding Dan to the CC list, as report suggests issue with SELinux policy.
Fixed in selinux-policy-3.3.1-55.fc9.noarch
Downloaded and installed. Package list:

    [root@blackrock .vnc]# yum list selinux-policy*
    Loaded plugins: refresh-packagekit
    Installed Packages
    selinux-policy.noarch            3.3.1-55.fc9    installed
    selinux-policy-devel.noarch      3.3.1-55.fc9    installed
    selinux-policy-targeted.noarch   3.3.1-51.fc9    installed
    Available Packages
    selinux-policy-mls.noarch        3.3.1-51.fc9    updates

Then, configured for autorelabel and rebooted. Confirmed /.autorelabel was removed after reboot, connected to VNC. Still same behavior. VNC logs show:

    [root@blackrock /]# more ~topping/.vnc/blackrock.orb.org:1.log

    Xvnc Free Edition 4.1.2
    Copyright (C) 2002-2005 RealVNC Ltd.
    See http://www.realvnc.com for information on VNC.
    Underlying X server release 10499901,

    Wed May 21 11:51:12 2008
     vncext: VNC extension running!
     vncext: Listening for VNC connections on port 5901
     vncext: created VNC server for screen 0
    Failed to execute message bus daemon /bin/dbus-daemon: Permission denied. Will try again without full path.
    Failed to execute message bus daemon: Permission denied
    EOF in dbus-launch reading address from bus daemon
    SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/5603,unix/unix:/tmp/.ICE-unix/5603
    ** Message: another SSH agent is running at: /tmp/ssh-gUYRUn5603/agent.5603
    Could not launch dbus-daemon
    dbus-daemon exited unexpectedly
    **
    ** ERROR:(gsm-dbus.c:118):gsm_dbus_daemon_start: assertion failed: (dbus_daemon_pid != 0)

    Wed May 21 11:51:38 2008
     Connections: accepted: 204.152.96.245::49213
     SConnection: Client needs protocol version 3.889
     SConnection: Client uses unofficial protocol version 3.889
     SConnection: Assuming compatibility with version 3.8
     SConnection: Client requests security type VncAuth(2)
     VNCSConnST: Server default pixel format depth 16 (16bpp) little-endian rgb565
     VNCSConnST: Client pixel format depth 32 (32bpp) little-endian rgb max 255,255,255 shift 16,8,0
I'm going to look at this one tomorrow. Could you please attach your .vnc/xstartup file, please? Thanks
Brian, try

    chcon -t unconfined_notrans_exec_t /usr/bin/vncserver

Then restart the service. Does that fix the problem?
Created attachment 306284: Audit log tail while restarting VNCServer service
Hi Daniel, thanks for taking the time on this. That chcon did allow the desktop to launch, but it is extremely slow now.

xstartup:

    #!/bin/sh

    # Uncomment the following two lines for normal desktop:
    unset SESSION_MANAGER
    exec /etc/X11/xinit/xinitrc

    [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
    [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
    xsetroot -solid grey
    vncconfig -iconic &
    xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
    startx &

I'm wondering if this is related to a recent 'yum update' that pulled down about 80 packages IIRC. As of the writing of this entry, it is the latest from the yum repo (no new updates).

Regarding SELinux, I am finally getting entries in the audit.log. This is with a 'tail -f /var/log/audit/audit.log' running in the background so you can see the timing. Attached as "Terminal Saved Output".
I have no idea why it is slow. Probably unrelated to selinux. The other avc you can ignore. Fixed in /selinux-policy-3.3.1-56
Could you please explain what you mean by "slow"? Does it consume much CPU time? Did you compare F8/F9 Xvnc?
I believe the reason the session is slow to launch is explained in bug #446176. When nautilus (or any application that creates a file chooser dialog) starts up the file chooser dialog tries to obtain a list of HAL devices, but SELinux prevents that information from getting to the security context that the VNC session runs in and so it times out after 50 seconds.
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-72.fc9.noarch
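Before loading a module built by the audit2allow command above, it helps to see which allow rules the logged denials turn into and which commands triggered them. The following Python sketch is an added example, not part of the original comment and not audit2allow's own code; the audit records and the example_* type names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit records for illustration; the example_* type names are
# hypothetical and do not come from the bug's attachment.
SAMPLE_LOG = """\
type=AVC msg=audit(1211395872.101:41): avc:  denied  { execute } for  pid=5610 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=98310 scontext=system_u:system_r:example_vnc_t:s0 tcontext=system_u:object_r:example_dbusd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1211395872.101:41): arch=c000003e syscall=59 success=no exit=-13 comm="dbus-launch"
type=AVC msg=audit(1211395872.104:42): avc:  denied  { read } for  pid=5610 comm="dbus-launch" name="dbus-daemon" dev=dm-0 ino=98310 scontext=system_u:system_r:example_vnc_t:s0 tcontext=system_u:object_r:example_dbusd_exec_t:s0 tclass=file
type=USER_AVC msg=audit(1211395899.400:57): user pid=1801 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call dest=org.freedesktop.Hal scontext=system_u:system_r:example_vnc_t:s0 tcontext=system_u:system_r:example_hald_t:s0 tclass=dbus'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]+)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")
COMM_RE = re.compile(r'comm="([^"]+)"')

def review_rules(log_text):
    """Return [(allow_rule, [commands that hit it])] for every AVC denial."""
    perms_by_key = defaultdict(set)
    comms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        perms, scontext, tcontext, tclass = m.groups()
        # A context is user:role:type[:level]; rules are written on the type.
        key = (scontext.split(":")[2], tcontext.split(":")[2], tclass)
        perms_by_key[key].update(perms.split())
        comm = COMM_RE.search(line)
        if comm:
            comms_by_key[key].add(comm.group(1))
    result = []
    for key in sorted(perms_by_key):
        src, tgt, cls = key
        perms = sorted(perms_by_key[key])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        result.append((f"allow {src} {tgt}:{cls} {text};",
                       sorted(comms_by_key[key])))
    return result

if __name__ == "__main__":
    for rule, comms in review_rules(SAMPLE_LOG):
        print(f"{rule}    # triggered by: {', '.join(comms) or 'n/a'}")
```

Each returned rule corresponds to a line that would appear in the generated mypol.te, so an unexpectedly broad rule can be spotted before semodule -i installs it.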
I believe #10 is correct. I have not seen the problem since Daniel sent me the patches, but am not entirely sure that SELinux is enabled now. I didn't realize Xen was a problem with F9 until after I installed over F8 and in the fallout, haven't had much time to use that machine. Sorry I can't be of more assistance.
With selinux-policy-3.3.1-72.fc9 it works fine.
(In reply to comment #13)
> With selinux-policy-3.3.1-72.fc9 it works fine.

Thanks for your feedback.
*** Bug 450031 has been marked as a duplicate of this bug. ***