Tigervnc server not starting up in centos 8

[imonmondal]

Describe the bug
I am unable to start vncserver in centos 8:

Procedure
Started vncserver using the following procedure

Added user in
/etc/tigervnc/vncserver.users
as
1:user1
modified
/etc/tigervnc/vncserver-config-defaults
as

session=gnome
securitytypes=vncauth,tlsvnc
desktop=sandbox
#geometry=2000x1200
localhost
alwaysshared

Started vncserver using the following command
sudo systemctl start vncserver@:1

vncviewer :1
yields the following error
unable connect to socket : Connection refused (111).

Note: netstat -tpln confirm that vncserver is not listening to port 5901.
Have opened ports 590*

[MihaiSandor]

Please provide full log of:

sudo systemctl status vncserver@:1

[imonmondal]

Status of vncserver@:1

Jan 20 13:17:34 vlsi183 systemd[1]: vncserver@:1.service: Succeeded.
Jan 20 13:20:19 vlsi183 systemd[1]: Starting Remote desktop service (VNC)...
Jan 20 13:20:19 vlsi183 systemd[1]: Started Remote desktop service (VNC).
Jan 20 13:20:19 vlsi183 systemd[1]: vncserver@:1.service: Succeeded.
Jan 21 16:36:20 vlsi183 systemd[1]: Starting Remote desktop service (VNC)...
Jan 21 16:36:20 vlsi183 systemd[1]: Started Remote desktop service (VNC).
Jan 21 16:36:20 vlsi183 systemd[1]: vncserver@:1.service: Succeeded.
Jan 21 16:36:28 vlsi183 systemd[1]: Starting Remote desktop service (VNC)...
Jan 21 16:36:28 vlsi183 systemd[1]: Started Remote desktop service (VNC).
Jan 21 16:36:28 vlsi183 systemd[1]: vncserver@:1.service: Succeeded.

The following are the entries in the file /etc/tigervnc/vncserver-config-defaults

session=gnome
securitytypes=vncauth,tlsvnc
desktop=sandbox
#geometry=2000x1200
vlsi183
alwaysshared

The following is the result of netstat -tpln

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:16723 0.0.0.0:* LISTEN 12970/clsbd
tcp 0 0 0.0.0.0:16725 0.0.0.0:* LISTEN 13133/oaFSLockD
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN -
tcp6 0 0 :::53225 :::* LISTEN -
tcp6 0 0 :::49995 :::* LISTEN -
tcp6 0 0 :::42125 :::* LISTEN -
tcp6 0 0 :::34831 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::58673 :::* LISTEN -
tcp6 0 0 :::49555 :::* LISTEN -
tcp6 0 0 :::40629 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::35415 :::* LISTEN -
tcp6 0 0 :::50423 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 :::38937 :::* LISTEN -
tcp6 0 0 :::36249 :::* LISTEN -
tcp6 0 0 ::1:6010 :::* LISTEN -
tcp6 0 0 :::7325 :::* LISTEN 12990/cdsNameServer
tcp6 0 0 :::56223 :::* LISTEN -
tcp6 0 0 :::33857 :::* LISTEN -
tcp6 0 0 :::52993 :::* LISTEN -
tcp6 0 0 :::9090 :::* LISTEN -

[mcsSteam]

We see the same problem issue here but only in case selinux is enforced.
Please be aware that we have mounted home directories (nfs version 3) and because of this the selinux context nfs_t for the ~/.vnc dir and all it's files (including the passwd file)

When we disable selinux vnc works correct.

Based on the selinux alerts we tried to create a custom policy and apply it :
my-vncsession.te:
`module my-vncsession 1.0;

require {
type nfs_t;
type vnc_session_t;
class dir { add_name create search write };
class file { create open };
}

#============= vnc_session_t ==============
allow vnc_session_t nfs_t:dir { add_name create search write };
allow vnc_session_t nfs_t:file { create open };
`
after this no selinux alerts are shown and also the the log file can be created but no content is written there (this is different when selinux is in permissive mode for vnc_session_t)

[MihaiSandor]

That installation process works well for me.

Update repository

dnf update -y

Install desktop environment

dnf groupinstall workstation -y

Set default desktop environment for graphical target

systemctl set-default graphical.target

Install selinux module vncsession.pp

sudo semodule -i /usr/share/selinux/packages/vncsession.pp

Reset the security context

sudo restorecon /usr/sbin/vncsession /usr/libexec/vncsession-start

Add some user

echo ":1=root" >> /etc/tigervnc/vncserver.users

Use gnome session

echo "session=gnome" >> /etc/tigervnc/vncserver-config-defaults

Open 5900 TCP port (if you want to access from the internet)

firewall-cmd --zone=public --permanent --add-port=5900/tcp

Start the vncserver

systemctl start vncserver@:1

Enable vncserver for persistence after reboot

systemctl enable vncserver@:1

[mcsSteam]

@MihaiSandor
The difference to my setup is that the home dir of root is not a nfs mounted directory with se context nfs_t

[CendioOssman]

Do you get any extra details if you run sudo journalctl -u vncserver@:1.service?

And is there any log file in ~/.vnc for the user?

[mcsSteam]

Finally I found a solution which works for me

Installation on tigervnc server on Cetnos8

1. Install tigervnc-server 1.10.1-9.el8_3 with dnf from CentOS8_AppStream

   dnf install tigervnc-server

2. configure vncserver users

   echo ":3=<user>" >> /etc/tigervnc/vncserver.users

3. set selinux in permissive mode

   setenforce 0
   

4. start vnc server for user

   systemctl start vncserver@:3
   

5. Vncserver starts correctly but we have several selinux alerts

   Jan 22 19:05:00 chbrn-v-00001 setroubleshoot[7508]: SELinux is preventing /usr/sbin/vncsession from search access on the directory /home/chportc1/. For complete SELinux messages run: sealert -l 60079cad-d512-4d60-adad-da1f4aaaf631
   Jan 22 19:05:00 chbrn-v-00001 setroubleshoot[7508]: SELinux is preventing /usr/sbin/vncsession from search access on the directory /home/chportc1/.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vncsession should be allowed search access on the  directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vncsession' --raw | audit2allow -M my-vncsession#012# semodule -X 300 -i my-vncsession.pp#012
   Jan 22 19:05:00 chbrn-v-00001 cupsd[1268]: REQUEST localhost - - "POST / HTTP/1.1" 200 364 Create-Printer-Subscriptions successful-ok
   Jan 22 19:05:01 chbrn-v-00001 libcanberra-login-sound.desktop[8022]: Failed to play sound: File or data not found
   Jan 22 19:05:01 chbrn-v-00001 journal[7836]: Error looking up permission: GDBus.Error:org.freedesktop.portal.Error.NotFound: No entry for geolocation
   Jan 22 19:05:01 chbrn-v-00001 dbus-daemon[1033]: [system] Successfully activated service 'org.freedesktop.hostname1'
   Jan 22 19:05:01 chbrn-v-00001 systemd[1]: Started Hostname Service.
   Jan 22 19:05:01 chbrn-v-00001 dbus-daemon[1033]: [system] Successfully activated service 'org.freedesktop.locale1'
   Jan 22 19:05:01 chbrn-v-00001 systemd[1]: Started Locale Service.
   Jan 22 19:05:01 chbrn-v-00001 journal[7836]: STACK_OP_ADD: window 0x2200001 already in stack
   Jan 22 19:05:01 chbrn-v-00001 journal[7836]: STACK_OP_ADD: window 0x2200001 already in stack
   Jan 22 19:05:01 chbrn-v-00001 journal[7951]: Failed to get password expiration policy for user: GDBus.Error:org.freedesktop.Accounts.Error.NotSupported: account expiration policy unknown to accounts service
   Jan 22 19:05:01 chbrn-v-00001 journal[7975]: Unable to inhibit keypresses: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Permission denied
   Jan 22 19:05:02 chbrn-v-00001 /SetroubleshootPrivileged.py[7822]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/200/vncsession
   Jan 22 19:05:02 chbrn-v-00001 setroubleshoot[7508]: SELinux is preventing /usr/sbin/vncsession from write access on the file chbrn-v-00001.keymile.net:5.log. For complete SELinux messages run: sealert -l b8111dee-598f-4b0d-92d9-5c26e709debd
   Jan 22 19:05:02 chbrn-v-00001 setroubleshoot[7508]: SELinux is preventing /usr/sbin/vncsession from write access on the file chbrn-v-00001.keymile.net:5.log.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that vncsession should be allowed write access on the chbrn-v-00001.keymile.net:5.log file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'vncsession' --raw | audit2allow -M my-vncsession#012# semodule -X 300 -i my-vncsession.pp#012
   

6. Create custom selinux policy which allows accessing ~/.vnc directory and load it afterards

   ausearch -c 'vncsession' --raw | audit2allow -M my-vncsession
   semodule -X 300 -i my-vncsession.pp
   

7. enforce selinux

   setenforce 1
   

8. enable Security Enhanced Linux Policy for NFS

   setsebool use_nfs_home_dirs on
   

9. Restart VNC server for user

   systemctl start vncserver@:3
   

10. Check vncserver status

    systemctl status vncserver@:3
    

Attached you find the selinux rules ausearch -c 'vncsession' --raw | audit2allow -M my-vncsession created
my-vncsession.zip

[imonmondal]

@CendioOssman . Thanks for your response. Appreciate the help.

The following is the output of journalctl:

Jan 20 13:20:19 vlsi183 systemd[1]: Starting Remote desktop service (VNC)...
Jan 20 13:20:19 vlsi183 systemd[1]: Started Remote desktop service (VNC).
Jan 20 13:20:19 vlsi183 systemd[1]: vncserver@:1.service: Succeeded.
Jan 21 17:58:52 vlsi183 systemd[1]: Starting Remote desktop service (VNC)...
Jan 21 17:58:52 vlsi183 systemd[1]: Started Remote desktop service (VNC).
Jan 21 17:58:52 vlsi183 systemd[1]: vncserver@:1.service: Succeeded.

The following is the log in .vnc.

_Using desktop session gnome

New 'vlsi183:1 (harshml)' desktop is vlsi183:1

Starting desktop session gnome

Xvnc TigerVNC 1.10.0 - built Jan 4 2021 16:27:28
Copyright (C) 1999-2019 TigerVNC Team and many others (see README.rst)
See https://www.tigervnc.org for information on TigerVNC.
Underlying X server release 12008000, The X.Org Foundation_

Sat Jan 23 01:53:31 2021
vncext: VNC extension running!
vncext: Listening for VNC connections on local interface(s), port 5901
vncext: created VNC server for screen 0
The XKEYBOARD keymap compiler (xkbcomp) reports:
Warning: Could not resolve keysym XF86MonBrightnessCycle
Warning: Could not resolve keysym XF86RotationLockToggle
Errors from xkbcomp are not fatal to the X server
xinit: XFree86_VT property unexpectedly has 0 items instead of 1
xinit: connection to X server lost
^M
waiting for X server to shut down
Sat Jan 23 01:53:32 2021
ComparingUpdateTracker: 0 pixels in / 0 pixels out
ComparingUpdateTracker: (1:-nan ratio)

[CendioOssman]

Have you checked the entire journal? GNOME commonly logs there, so any warnings or errors should be there somewhere.

The session looks like it starts properly, but then dies again. A common cause is that you are also logged in locally with this user. Could that be it?

[imonmondal]

@CendioOssman

The log that I posted is the full journal.

A common cause is that you are also logged in locally with this user. Could that be it?

To double check, I created a new user and tried to create a vncsession. The user was logged off the machine during this process.

The result was the same.

The following are the journal entries for the new session.

-- Logs begin at Tue 2021-01-19 14:44:23 IST, end at Wed 2021-01-27 22:02:27 IST. --
Jan 27 22:02:25 vlsi183 systemd[1]: Starting Remote desktop service (VNC)...
Jan 27 22:02:25 vlsi183 systemd[1]: Started Remote desktop service (VNC).

[CendioOssman]

That's just the journal for this service. Please check everything in the journal (i.e. just run sudo journalctl without any arguments) as I'm unsure exactly where the logging from GNOME might end up.

[imonmondal]

@CendioOssman

I have uploaded the journal log for the last few attempts.

Thanks again.

journalLog.pdf

[CendioOssman]

You seem to have the same SELinux issue as @mcsSteam.

@wrabcak, @grulja, what's going on here? Are these problems from #1034?

[grulja]

I guess this is a problem caused by having the user dir on NFS. We have a slightly different SELinux policy in RHEL 8.3, because I backported the systemd/selinux support to Tigervnc 1.10.0 with first version of @wrabcak patch, but I guess the current one in Tigervnc 1.11.0 won't make a difference.

@wrabcak can you tell if the following policy is needed and correct?

require {
type nfs_t;
type vnc_session_t;
class dir { add_name create search write };
class file { create open };
}

#============= vnc_session_t ==============
allow vnc_session_t nfs_t:dir { add_name create search write };
allow vnc_session_t nfs_t:file { create open };

[wrabcak]

PTAL @zpytela

[CendioOssman]

@grulja , @wrabcak , any update here?

[zpytela]

@CendioOssman I am sorry for the delay, I will update you later today.

[zpytela]

I have 3 comments:

• I'd rather use permissions sets like add_entry_dir_perms, or even better file patterns create_dirs_pattern and create_files_pattern, not to omit any possible permission required later.
• If you want to have these permissions in the vncsession custom module, interfaces should be called instead. Currently we don't have such interfaces in selinux-policy to allow just creating files and dirs, but we have these, allowing more permissions: fs_manage_nfs_dirs, fs_manage_nfs_files, I would also consider fs_manage_nfs_symlinks.
• The permissions should be allowed only when use_nfs_home_dirs boolean is turned on.

Please let me know if the answer is clean or more clarification is needed. I also haven't noticed if just the local policy module is required (like the one suggested by audit2allow), or you want to update the vncsession.pp custom module.

[imonmondal]

@zpytela
I am not sure if I understood the comments. Where should I set the permissions?

[zpytela]

@imonmondal ok, so let's clarify first: do you want to update the tigervnc selinux policy, or create a custom policy to make it working for you?

In the former case it is good enough as long as it works. In the latter one you should use interface, please take a look at this example:

https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/pulseaudio.te#L109-L117

Calling the interface for vnc_session_t expands to:

$ macro-expander 'fs_manage_nfs_dirs(vnc_session_t)'
allow vnc_session_t autofs_t:dir { getattr search open };
allow vnc_session_t nfs_t:dir { create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl };

This may be too much for your use case, so additional interfaces as suggested in my previous comment can be added to selinux-policy to be called from the tigervnc selinux module if the permissions list in the first comment is complete.

I've just noticed you need to have it resolved for centos 8. In that case, creating a local policy is a valid solution until this is added in Centos. I would just use this permissions sets to match the common ones in https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/support/obj_perm_sets.spt#L139:

allow vnc_session_t nfs_t:dir {  getattr search open lock ioctl write add_name };
allow vnc_session_t nfs_t:file { getattr create open };

It would be good though do the other way in parallel to resolve this issue in current Fedora and later RHEL/Centos releases. Surely I can help with this.

[ghost]

I have found solution at Fedora bug-tracking. This issue is actual for all Fedora distros as well.

VNC session cannot start because SELinux does not allow to create log file or pid file.

Some new rules for SELinux:

cat > "/tmp/systemd-tigervnc.te" <<END
module systemd-tigervnc 1.0;

require {
    type init_t;
    type user_home_t;
    class file { open read unlink };
}

#============= init_t ==============
allow init_t user_home_t:file { open read unlink };
END

checkmodule -M -m -o /tmp/systemd-tigervnc.mod /tmp/systemd-tigervnc.te
semodule_package -o /tmp/systemd-tigervnc.pp -m /tmp/systemd-tigervnc.mod
semodule -X 300 -i /tmp/systemd-tigervnc.pp

Most likely it is not good solution. But it did the trick, so probably should be here as well.

[txdgidraph]

This worked for me!!

sudo nano /etc/gdm/custom.conf
uncomment WaylandEnable=false
save the file
systemctl restart gdm.service

[bo-qeye]

This is fixed in TigerVNC 1.12 beta, but since that's not released yet (and certainly not part of RHEL/CentOS/Rocky), here's a fix.

The strategy is to grab the updated SELinux policy from the TigerVNC repository, build it, and install it.

1. Make sure that the package selinux-policy-devel is installed. (Or whatever provides /usr/share/selinux/devel/Makefile) as well as make.
2. Clone the TigerVNC github repo.
3. Go to tigervnc/unix/vncserver/selinux.
4. Type make vncsession.pp. This should yield a file called vncsession.pp. Copy this to /tmp/.
5. Make sure setsebool use_nfs_home_dirs on has been run.
6. Type semodule -X 300 -i /tmp/vncsession.pp.

You should now be able to start you vncserver without issues.

This fix will no longer be needed once TigerVNC 1.12 drops.

The fix is the one @CendioOssman references above: 3c86226

[ghost]

Sometimes it can be solved like it is described here: #1325

Depends on your configuration and version of TigerVNC.

So maybe helpful for somebody.