Tigervnc server not starting up in centos 8 #1189
Comments
Please provide full log of: sudo systemctl status vncserver@:1 |
Status of vncserver@:1
Jan 20 13:17:34 vlsi183 systemd[1]: vncserver@:1.service: Succeeded.
The following are the entries in the file /etc/tigervnc/vncserver-config-defaults
session=gnome
The following is the result of netstat -tpln
Active Internet connections (only servers) |
We see the same problem here, but only in case selinux is enforced. When we disable selinux, vnc works correctly. Based on the selinux alerts we tried to create a custom policy and apply it:
require {
#============= vnc_session_t ============== |
That installation process works well for me.
Update repository
Install desktop environment
Set default desktop environment for graphical target
Install selinux module vncsession.pp
Reset the security context
Add some user
Use gnome session
Open 5900 TCP port (if you want to access from the internet)
Start the vncserver
Enable vncserver for persistence after reboot
|
@MihaiSandor |
Do you get any extra details if you run And is there any log file in |
Finally I found a solution which works for me.
Installation of tigervnc server on CentOS 8
Attached you find the selinux rules
ausearch -c 'vncsession' --raw | audit2allow -M my-vncsession
created |
@CendioOssman. Thanks for your response. Appreciate the help.
The following is the output of journalctl:
Jan 20 13:20:19 vlsi183 systemd[1]: Starting Remote desktop service (VNC)...
The following is the log in .vnc.
Using desktop session gnome
New 'vlsi183:1 (harshml)' desktop is vlsi183:1
Starting desktop session gnome
Xvnc TigerVNC 1.10.0 - built Jan 4 2021 16:27:28
Sat Jan 23 01:53:31 2021 |
Have you checked the entire journal? GNOME commonly logs there, so any warnings or errors should be there somewhere. The session looks like it starts properly, but then dies again. A common cause is that you are also logged in locally with this user. Could that be it? |
The log that I posted is the full journal.
> A common cause is that you are also logged in locally with this user. Could that be it?
To double check, I created a new user and tried to create a vncsession. The user was logged off the machine during this process. The result was the same. The following are the journal entries for the new session.
-- Logs begin at Tue 2021-01-19 14:44:23 IST, end at Wed 2021-01-27 22:02:27 IST. -- |
That's just the journal for this service. Please check everything in the journal (i.e. just run |
I have uploaded the journal log for the last few attempts. Thanks again. |
I guess this is a problem caused by having the user dir on NFS. We have a slightly different SELinux policy in RHEL 8.3, because I backported the systemd/selinux support to Tigervnc 1.10.0 with first version of @wrabcak patch, but I guess the current one in Tigervnc 1.11.0 won't make a difference. @wrabcak can you tell if the following policy is needed and correct?
|
PTAL @zpytela |
@CendioOssman I am sorry for the delay, I will update you later today. |
I have 3 comments:
Please let me know if the answer is clean or more clarification is needed. I also haven't noticed if just the local policy module is required (like the one suggested by audit2allow), or you want to update the vncsession.pp custom module. |
@zpytela |
@imonmondal ok, so let's clarify first: do you want to update the tigervnc selinux policy, or create a custom policy to make it work for you? In the former case it is good enough as long as it works. In the latter one you should use an interface, please take a look at this example: Calling the interface for vnc_session_t expands to:
This may be too much for your use case, so additional interfaces as suggested in my previous comment can be added to selinux-policy to be called from the tigervnc selinux module if the permissions list in the first comment is complete. I've just noticed you need to have it resolved for centos 8. In that case, creating a local policy is a valid solution until this is added in Centos. I would just use these permission sets to match the common ones in https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/support/obj_perm_sets.spt#L139:
It would be good, though, to do it the other way in parallel to resolve this issue in current Fedora and later RHEL/Centos releases. Surely I can help with this. |
I have found a solution in the Fedora bug tracker. This issue is relevant for all Fedora distros as well. The VNC session cannot start because SELinux does not allow creating the log file or pid file. Some new rules for SELinux:

# Write the type-enforcement source for a local module
cat > "/tmp/systemd-tigervnc.te" <<END
module systemd-tigervnc 1.0;
require {
type init_t;
type user_home_t;
class file { open read unlink };
}
#============= init_t ==============
allow init_t user_home_t:file { open read unlink };
END
# Compile, package and install the module at priority 300
checkmodule -M -m -o /tmp/systemd-tigervnc.mod /tmp/systemd-tigervnc.te
semodule_package -o /tmp/systemd-tigervnc.pp -m /tmp/systemd-tigervnc.mod
semodule -X 300 -i /tmp/systemd-tigervnc.pp

Most likely it is not a good solution. But it did the trick, so it probably should be here as well. |
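An added example, not part of the thread or of the TigerVNC project's code: a small Python reviewer that parses the allow rules of a local module such as the one above and lists what each rule grants, so its scope is clear before `semodule -i` is run. The sets of broad source domains and destructive permissions are assumptions made for this example, not an official list.

```python
import re

# Constructed sample: the local module text posted in the comment above.
SAMPLE_TE = """\
module systemd-tigervnc 1.0;
require {
    type init_t;
    type user_home_t;
    class file { open read unlink };
}
#============= init_t ==============
allow init_t user_home_t:file { open read unlink };
"""

# Assumptions for this example: source domains shared by far more than the
# VNC startup path, and permissions that modify or remove objects.
BROAD_SOURCES = {"init_t", "kernel_t"}
DESTRUCTIVE = {"write", "append", "create", "unlink", "rename", "setattr"}

# Matches "allow src tgt:class { perms };" and the single-permission form.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)


def parse_allow_rules(te_text):
    """Return (source, target, class, perms) for each plain allow rule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        perm_set = frozenset(perms.strip("{} ").split())
        rules.append((src, tgt, cls, perm_set))
    return rules


def review(te_text):
    """List findings a reviewer should resolve before installing the module."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        if src in BROAD_SOURCES:
            findings.append(f"{src}: rule covers every process running as "
                            f"{src}, not just VNC startup")
        risky = sorted(perms & DESTRUCTIVE)
        if risky:
            findings.append(f"{src} -> {tgt}:{cls} grants {', '.join(risky)}")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_TE):
        print("REVIEW:", line)
```

For the sample it reports two findings: the rule is attached to `init_t` as a whole, and it grants `unlink` on every `user_home_t` file.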
This worked for me!! sudo nano /etc/gdm/custom.conf |
This is fixed in TigerVNC 1.12 beta, but since that's not released yet (and certainly not part of RHEL/CentOS/Rocky), here's a fix. The strategy is to grab the updated SELinux policy from the TigerVNC repository, build it, and install it.
You should now be able to start your vncserver without issues. This fix will no longer be needed once TigerVNC 1.12 drops. The fix is the one @CendioOssman references above: 3c86226 |
Sometimes it can be solved like it is described here: #1325 Depends on your configuration and version of TigerVNC. So maybe helpful for somebody. |
Describe the bug
I am unable to start vncserver in centos 8:
Procedure
Started vncserver using the following procedure
Added user in /etc/tigervnc/vncserver.users as
1:user1
Modified /etc/tigervnc/vncserver-config-defaults as
session=gnome
securitytypes=vncauth,tlsvnc
desktop=sandbox
#geometry=2000x1200
localhost
alwaysshared
Started vncserver using the following command
sudo systemctl start vncserver@:1
vncviewer :1 yields the following error
unable connect to socket : Connection refused (111).
Note: netstat -tpln confirms that vncserver is not listening to port 5901.
Have opened ports 590*