Bug 903371 - Selinux blocks gdm/Xorg from starting x11vnc
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2013-01-23 20:20 UTC by Stuart Newman
Modified: 2014-09-30 23:34 UTC (History)

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 10:15:07 UTC
Links
System: Red Hat Product Errata
ID: RHBA-2013:1598
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-11-20 21:39:24 UTC

Description Stuart Newman 2013-01-23 20:20:07 UTC
Description of problem: Selinux blocks gdm/Xorg from starting x11vnc


Version-Release number of selected component (if applicable): 3.7.19-155.el6_3.14


How reproducible: always


Steps to Reproduce:
1. Add the line
    /usr/local/bin/x11vnc -rfbauth /path/to/the/vnc/passwd -o /var/log/x11vnc.log -forever -bg
before the "exit 0" in /etc/gdm/Init/Default
2. Reboot the system
3. cat /var/log/x11vnc.log to see the error
  
Actual results:
23/01/2013 17:17:56 passing arg to libvncserver: -rfbauth
23/01/2013 17:17:56 passing arg to libvncserver: /etc/x11vnc.passwd
23/01/2013 17:17:56 x11vnc version: 0.9.13 lastmod: 2011-08-10  pid: 1823
23/01/2013 17:17:56 Using X display :0
23/01/2013 17:17:56 rootwin: 0x102 reswin: 0x400001 dpy: 0x2147240
23/01/2013 17:17:56
23/01/2013 17:17:56 ------------------ USEFUL INFORMATION ------------------
23/01/2013 17:17:56
23/01/2013 17:17:56 Wireframing: -wireframe mode is in effect for window moves.
23/01/2013 17:17:56   If this yields undesired behavior (poor response, painting
23/01/2013 17:17:56   errors, etc) it may be disabled:
23/01/2013 17:17:56    - use '-nowf' to disable wireframing completely.
23/01/2013 17:17:56    - use '-nowcr' to disable the Copy Rectangle after the
23/01/2013 17:17:56      moved window is released in the new position.
23/01/2013 17:17:56   Also see the -help entry for tuning parameters.
23/01/2013 17:17:56   You can press 3 Alt_L's (Left "Alt" key) in a row to
23/01/2013 17:17:56   repaint the screen, also see the -fixscreen option for
23/01/2013 17:17:56   periodic repaints.
23/01/2013 17:17:56
23/01/2013 17:17:56 XFIXES available on display, resetting cursor mode
23/01/2013 17:17:56   to: '-cursor most'.
23/01/2013 17:17:56   to disable this behavior use: '-cursor arrow'
23/01/2013 17:17:56   or '-noxfixes'.
23/01/2013 17:17:56 using XFIXES for cursor drawing.
23/01/2013 17:17:56 GrabServer control via XTEST.
23/01/2013 17:17:56
23/01/2013 17:17:56 Scroll Detection: -scrollcopyrect mode is in effect to
23/01/2013 17:17:56   use RECORD extension to try to detect scrolling windows
23/01/2013 17:17:56   (induced by either user keystroke or mouse input).
23/01/2013 17:17:56   If this yields undesired behavior (poor response, painting
23/01/2013 17:17:56   errors, etc) it may be disabled via: '-noscr'
23/01/2013 17:17:56   Also see the -help entry for tuning parameters.
23/01/2013 17:17:56   You can press 3 Alt_L's (Left "Alt" key) in a row to
23/01/2013 17:17:56   repaint the screen, also see the -fixscreen option for
23/01/2013 17:17:56   periodic repaints.
23/01/2013 17:17:56
23/01/2013 17:17:56 XKEYBOARD: number of keysyms per keycode 6 is greater
23/01/2013 17:17:56   than 4 and 2 keysyms are mapped above 4.
23/01/2013 17:17:56   Automatically switching to -xkb mode.
23/01/2013 17:17:56   If this makes the key mapping worse you can
23/01/2013 17:17:56   disable it with the "-noxkb" option.
23/01/2013 17:17:56   Also, remember "-remap DEAD" for accenting characters.
23/01/2013 17:17:56
23/01/2013 17:17:56 X FBPM extension not supported.
23/01/2013 17:17:56 X display is not capable of DPMS.
23/01/2013 17:17:56 --------------------------------------------------------
23/01/2013 17:17:56
23/01/2013 17:17:56 Default visual ID: 0x21
23/01/2013 17:17:56 Read initial data from X display into framebuffer.
23/01/2013 17:17:56 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/4096
23/01/2013 17:17:56
23/01/2013 17:17:56 X display :0.0 is 32bpp depth=24 true color
23/01/2013 17:17:56
23/01/2013 17:17:56 Autoprobing TCP port
23/01/2013 17:17:56 Failure autoprobing: Permission denied
23/01/2013 17:17:56 listen6: bind: Permission denied
23/01/2013 17:17:56 Not listening on IPv6 interface.
23/01/2013 17:17:56 Xinerama: Library libXinerama is not available to determine
23/01/2013 17:17:56 Xinerama: the head geometries, consider using -blackout
23/01/2013 17:17:56 Xinerama: if the screen is non-rectangular.
23/01/2013 17:17:56 fb read rate: 464 MB/sec
23/01/2013 17:17:56 fast read: reset -wait  ms to: 10
23/01/2013 17:17:56 fast read: reset -defer ms to: 10
23/01/2013 17:17:56 The X server says there are 24 mouse buttons.
23/01/2013 17:17:56 Error: could not obtain listening port.
23/01/2013 17:17:56 deleted 32 tile_row polling images.ca


Expected results:
23/01/2013 16:02:40 passing arg to libvncserver: -rfbauth
23/01/2013 16:02:40 passing arg to libvncserver: /etc/x11vnc.passwd
23/01/2013 16:02:40 x11vnc version: 0.9.13 lastmod: 2011-08-10  pid: 1859
23/01/2013 16:02:40 Using X display :0
23/01/2013 16:02:40 rootwin: 0x102 reswin: 0x400001 dpy: 0x1ae6240
23/01/2013 16:02:40
23/01/2013 16:02:40 ------------------ USEFUL INFORMATION ------------------
23/01/2013 16:02:40
23/01/2013 16:02:40 Wireframing: -wireframe mode is in effect for window moves.
23/01/2013 16:02:40   If this yields undesired behavior (poor response, painting
23/01/2013 16:02:40   errors, etc) it may be disabled:
23/01/2013 16:02:40    - use '-nowf' to disable wireframing completely.
23/01/2013 16:02:40    - use '-nowcr' to disable the Copy Rectangle after the
23/01/2013 16:02:40      moved window is released in the new position.
23/01/2013 16:02:40   Also see the -help entry for tuning parameters.
23/01/2013 16:02:40   You can press 3 Alt_L's (Left "Alt" key) in a row to
23/01/2013 16:02:40   repaint the screen, also see the -fixscreen option for
23/01/2013 16:02:40   periodic repaints.
23/01/2013 16:02:40
23/01/2013 16:02:40 XFIXES available on display, resetting cursor mode
23/01/2013 16:02:40   to: '-cursor most'.
23/01/2013 16:02:40   to disable this behavior use: '-cursor arrow'
23/01/2013 16:02:40   or '-noxfixes'.
23/01/2013 16:02:40 using XFIXES for cursor drawing.
23/01/2013 16:02:40 GrabServer control via XTEST.
23/01/2013 16:02:40
23/01/2013 16:02:40 Scroll Detection: -scrollcopyrect mode is in effect to
23/01/2013 16:02:40   use RECORD extension to try to detect scrolling windows
23/01/2013 16:02:40   (induced by either user keystroke or mouse input).
23/01/2013 16:02:40   If this yields undesired behavior (poor response, painting
23/01/2013 16:02:40   errors, etc) it may be disabled via: '-noscr'
23/01/2013 16:02:40   Also see the -help entry for tuning parameters.
23/01/2013 16:02:40   You can press 3 Alt_L's (Left "Alt" key) in a row to
23/01/2013 16:02:40   repaint the screen, also see the -fixscreen option for
23/01/2013 16:02:40   periodic repaints.
23/01/2013 16:02:40
23/01/2013 16:02:40 XKEYBOARD: number of keysyms per keycode 6 is greater
23/01/2013 16:02:40   than 4 and 2 keysyms are mapped above 4.
23/01/2013 16:02:40   Automatically switching to -xkb mode.
23/01/2013 16:02:40   If this makes the key mapping worse you can
23/01/2013 16:02:40   disable it with the "-noxkb" option.
23/01/2013 16:02:40   Also, remember "-remap DEAD" for accenting characters.
23/01/2013 16:02:40
23/01/2013 16:02:40 X FBPM extension not supported.
23/01/2013 16:02:40 X display is not capable of DPMS.
23/01/2013 16:02:40 --------------------------------------------------------
23/01/2013 16:02:40
23/01/2013 16:02:40 Default visual ID: 0x21
23/01/2013 16:02:40 Read initial data from X display into framebuffer.
23/01/2013 16:02:40 initialize_screen: fb_depth/fb_bpp/fb_Bpl 24/32/4096
23/01/2013 16:02:40
23/01/2013 16:02:40 X display :0.0 is 32bpp depth=24 true color
23/01/2013 16:02:40
23/01/2013 16:02:40 Autoprobing TCP port
23/01/2013 16:02:40 Autoprobing selected port 5900
23/01/2013 16:02:40 Listening also on IPv6 port 5900 (socket 10)
23/01/2013 16:02:40 Xinerama: Library libXinerama is not available to determine
23/01/2013 16:02:40 Xinerama: the head geometries, consider using -blackout
23/01/2013 16:02:40 Xinerama: if the screen is non-rectangular.
23/01/2013 16:02:40 fb read rate: 472 MB/sec
23/01/2013 16:02:40 fast read: reset -wait  ms to: 10
23/01/2013 16:02:40 fast read: reset -defer ms to: 10
23/01/2013 16:02:40 The X server says there are 24 mouse buttons.
23/01/2013 16:02:40 screen setup finished.
23/01/2013 16:02:40

The VNC desktop is:      volvo:0

******************************************************************************
Have you tried the x11vnc '-ncache' VNC client-side pixel caching feature yet?

The scheme stores pixel data offscreen on the VNC viewer side for faster
retrieval.  It should work with any VNC viewer.  Try it by running:

    x11vnc -ncache 10 ...

One can also add -ncache_cr for smooth 'copyrect' window motion.
More info: http://www.karlrunge.com/x11vnc/faq.html#faq-client-caching



Additional info:
The problem seems to be that SELinux is blocking the connection from the xdm_t type process to the vnc_port_t port.  The local policy below fixes the problem.

module locx11vnc 1.1;

require {
	type admin_home_t;
	type vnc_port_t;
	type xdm_t;
	class file { rename write setattr read create open };
	class tcp_socket { name_connect name_bind};
}

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'file' of the following types:
# faillog_t, xdm_tmp_t, xdm_log_t, gnome_home_type, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t, etc_runtime_t, pcscd_var_run_t, gconf_home_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, xdm_lock_t, pam_var_console_t, cgroup_t, locale_t, var_auth_t, user_fonts_t, user_tmpfs_t, xdm_spool_t, fonts_cache_t, user_tmp_t, xauth_home_t, auth_cache_t, xdm_tmpfs_t, xserver_log_t, krb5_host_rcache_t, nfs_t, user_home_t


allow xdm_t admin_home_t:file { rename write setattr read create open };
allow xdm_t vnc_port_t:tcp_socket { name_connect name_bind };
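
Before loading a local module like the one posted above, it helps to list exactly what it grants. The following is an added example, not part of the original report or of selinux-policy: a small Python review of the module text, where the REVIEW_PERMS table is an assumption of this example about which permissions deserve a second look.

```python
import re

# The local module from the report, with its comment lines omitted.
MODULE = """\
module locx11vnc 1.1;
require {
    type admin_home_t;
    type vnc_port_t;
    type xdm_t;
    class file { rename write setattr read create open };
    class tcp_socket { name_connect name_bind};
}
allow xdm_t admin_home_t:file { rename write setattr read create open };
allow xdm_t vnc_port_t:tcp_socket { name_connect name_bind };
"""

# Assumption of this example: permissions that modify an object or open a
# network endpoint are the ones to review before the module is loaded.
REVIEW_PERMS = {
    "file": {"write", "create", "rename", "setattr", "append", "unlink"},
    "tcp_socket": {"name_bind", "name_connect"},
}
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)
REQ_TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)


def parse_allows(text):
    """Return (source, target, class, set_of_perms) for every allow rule."""
    return [(s, t, c, set((braced or single).split()))
            for s, t, c, braced, single in ALLOW_RE.findall(text)]


def review(text):
    """Return findings: types missing from require, and grants to review."""
    declared = set(REQ_TYPE_RE.findall(text))
    findings = []
    for src, tgt, cls, perms in parse_allows(text):
        for name in (src, tgt):
            if name not in declared:
                findings.append(f"{name}: used but not in require block")
        risky = sorted(perms & REVIEW_PERMS.get(cls, set()))
        if risky:
            findings.append(f"{src} -> {tgt}:{cls} grants {' '.join(risky)}")
    return findings


if __name__ == "__main__":
    print("\n".join(review(MODULE)))
```

On the posted module this reports that xdm_t would gain create, rename, setattr and write on admin_home_t files in addition to name_bind and name_connect on vnc_port_t.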

Comment 2 Miroslav Grepl 2013-01-24 07:29:42 UTC
Could you try to execute

# chcon -t xserver_exec_t /usr/local/bin/x11vnc

and re-test it? Thank you.

Comment 3 Stuart Newman 2013-01-24 13:18:52 UTC
That worked.

Comment 4 Miroslav Grepl 2013-01-30 08:48:11 UTC
Thank you for testing.

Comment 12 errata-xmlrpc 2013-11-21 10:15:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

