No vnc desktop with selinux enabled

redhatdude at bellsouth.net redhatdude at bellsouth.net
Sat Jul 5 17:24:56 UTC 2008


> 2008/7/5 <redhatdude at bellsouth.net>:
> 
> > Hello,
> > I'm having an issue with selinux. Whenever I enable selinux, vnc doesn't
> > start my gnome desktop. I only get a grey screen. Once I set selinux to
> > permissive, I connect to the vncserver and can see and use my desktop.
> > How can I use my desktop with selinux enabled?
> > Thanks,
> > EJ

-------------- Original message ----------------------
From: "Olivier Robert" <robby57 at gmail.com>
> You can connect to the box via ssh and forward your vnc port.
> ex:
> ssh -L 5900:localhost:5900 you at your_box
> Then connect your vnc client to localhost on the forwarded port.
> vncviewer 127.0.0.1:5900
> selinux can run normally on your box and the vnc traffic is secured as well.

That's what I do and selinux may run normally but it won't let me start my Desktop.

Below is the output of audit.log when I start the vncserver.
Thanks for your help.

channel 4: open failed: connect failed: Connection refused
type=USER_START msg=audit(1215278387.539:6023): user pid=27840 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1215278387.539:6024): user pid=27840 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_DISP msg=audit(1215278387.594:6025): user pid=27840 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_END msg=audit(1215278387.595:6026): user pid=27840 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=ANOM_ABEND msg=audit(1215278387.704:6027): auid=4294967295 uid=500 gid=500 ses=4294967295 subj=system_u:system_r:unconfined_notrans_t:s0 pid=3027 comm="tomboy" sig=11
type=USER_START msg=audit(1215278390.622:6028): user pid=27859 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_ACQ msg=audit(1215278390.622:6029): user pid=27859 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=CRED_DISP msg=audit(1215278393.696:6030): user pid=27859 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=USER_END msg=audit(1215278393.696:6031): user pid=27859 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)'
type=AVC msg=audit(1215278393.750:6032): avc:  denied  { connectto } for  pid=27907 comm="ck-get-x11-serv" path=002F746D702F2E5831312D756E69782F5831000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1215278393.750:6032): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff1a692120 a2=6e a3=7fff1a692123 items=0 ppid=27906 pid=27907 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1215278393.751:6033): avc:  denied  { read } for  pid=27907 comm="ck-get-x11-serv" name=".Xauthority" dev=md3 ino=32941 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1215278393.751:6033): arch=c000003e syscall=21 success=yes exit=0 a0=9e83b0 a1=4 a2=9e83c8 a3=3d0d567a70 items=0 ppid=27906 pid=27907 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1215278393.751:6034): avc:  denied  { getattr } for  pid=27907 comm="ck-get-x11-serv" path="/home/MyUserName/.Xauthority" dev=md3 ino=32941 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1215278393.751:6034): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff1a690e30 a2=7fff1a690e30 a3=9e9180 items=0 ppid=27906 pid=27907 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="ck-get-x11-serv" exe="/usr/libexec/ck-get-x11-server-pid" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1215278395.523:6035): avc:  denied  { execheap } for  pid=28030 comm="mono" scontext=unconfined_u:system_r:unconfined_notrans_t:s0 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=process
type=SYSCALL msg=audit(1215278395.523:6035): arch=c000003e syscall=10 success=yes exit=0 a0=15a9000 a1=1000 a2=7 a3=3d0d567a70 items=0 ppid=1 pid=28030 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=43 comm="mono" exe="/usr/bin/mono" subj=unconfined_u:system_r:unconfined_notrans_t:s0 key=(null)
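As an added example (not part of the original thread), a small Python triage script that parses the AVC records above, decodes the hex-encoded socket path in the connectto denial (auditd hex-encodes a field that holds unprintable bytes; the leading NUL marks an abstract-namespace Unix socket, i.e. the X display :1 socket), and reduces each denial to source type, target type, permission, class and object. The sample lines are copied from the log above, with the path's trailing NUL padding shortened.

```python
import re

# Constructed sample: records from the audit.log above, hex path padding shortened
# (the kernel logs the full 108-byte sun_path, which is why the real line is so long).
AUDIT_LINES = [
    'type=USER_START msg=audit(1215278387.539:6023): user pid=27840 uid=0 auid=500 subj=unconfined_u:system_r:initrc_t:s0 msg=\'op=PAM:session_open acct="MyUserName" exe="/sbin/runuser" (hostname=?, addr=?, terminal=pts/2 res=success)\'',
    'type=AVC msg=audit(1215278393.750:6032): avc:  denied  { connectto } for  pid=27907 comm="ck-get-x11-serv" path=002F746D702F2E5831312D756E69782F58310000 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1215278393.751:6033): avc:  denied  { read } for  pid=27907 comm="ck-get-x11-serv" name=".Xauthority" dev=md3 ino=32941 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file',
    'type=AVC msg=audit(1215278395.523:6035): avc:  denied  { execheap } for  pid=28030 comm="mono" scontext=unconfined_u:system_r:unconfined_notrans_t:s0 tcontext=unconfined_u:system_r:unconfined_notrans_t:s0 tclass=process',
]

AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

def decode_audit_hex(value):
    """auditd quotes printable values and hex-encodes the rest, so a bare path/name
    is hex. A leading NUL means an abstract-namespace socket, shown with '@'."""
    if len(value) % 2 or not re.fullmatch(r'[0-9A-Fa-f]+', value):
        return value
    raw = bytes.fromhex(value).rstrip(b'\x00')
    if raw.startswith(b'\x00'):
        return '@' + raw[1:].decode('latin-1')
    return raw.decode('latin-1')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    rec = {'timestamp': float(m['ts']), 'serial': int(m['serial']),
           'result': m['result'], 'perms': m['perms'].split()}
    for key, quoted, bare in FIELD_RE.findall(m['fields']):
        value = bare if bare else quoted
        if bare and key in ('path', 'name'):
            value = decode_audit_hex(value)
        rec[key] = value
    return rec

def triage(rec):
    """One-line summary: source type -> target type, permission, class, object."""
    src, tgt = rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2]
    obj = rec.get('path') or rec.get('name') or '-'
    return (f"{src} -> {tgt}: {rec['result']} {{{' '.join(rec['perms'])}}} "
            f"on {rec['tclass']} {obj} (comm={rec['comm']})")

def denials(lines):
    """Summaries of the denied AVC records only, in log order."""
    return [triage(r) for r in map(parse_avc, lines) if r and r['result'] == 'denied']

if __name__ == '__main__':
    for summary in denials(AUDIT_LINES):
        print(summary)
```

The first summary shows that ConsoleKit's helper (consolekit_t) was refused a connection to the display :1 socket owned by a process running as unconfined_notrans_t, which is the denial to start from when deciding whether the X server should have been launched in a different domain.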