Bug 27747 - tigervnc-server will not launch due pam.d unknown module.
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Assignee: Mageia Bug Squad
Reported: 2020-12-05 05:48 CET by Alan Richter
Modified: 2020-12-06 20:23 CET
Source RPM: tigervnc-server-1.11.0-3.mga8

Description Alan Richter 2020-12-05 05:48:24 CET
Description of problem:
vncserver will not launch due to pam_selinux.so in /etc/pam.d/tigervnc

Version-Release number of selected component (if applicable):
Cauldron/MGA8

How reproducible:
Always.

Steps to Reproduce:
1. Add user to /etc/tigervnc/vncservers.users such as :7=stimpy
2. Copy /etc/tigervnc/vncserver-config-defaults ~/.vnc/config
3. Create a vncpassword with vncpassword
4. sudo systemctl start vncserver@:7

The result is "Job for vncserver@:7.service failed because the control process exited with error code.".  journalctl -xe has this:

vncsession[37526]: pam_open_session failed: 28 (Module is unknown)

However, removing the "se_linux.so" entries from /etc/pam.d/tigervnc allows tigervnc to start up and work.  Thus perhaps removing the se_linux.so entries from tigervnc-1.11.0/unix/vncserver/tigervnc.pam might be a workaround for this issue.
Comment 1 David Walser 2020-12-05 15:00:27 CET
Thanks for the report.  It doesn't quite make sense though, as the pam file is:
#%PAM-1.0
# pam_selinux.so close should be the first session rule
-session   required     pam_selinux.so close
session    required     pam_loginuid.so
-session   required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
-session   optional     pam_systemd.so
session    required     pam_unix.so
-session   optional     pam_reauthorize.so prepare

and man pam.conf says:
       If the type value from the list above is prepended with a - character
       the PAM library will not log to the system log if it is not possible to
       load the module because it is missing in the system. This can be useful
       especially for modules which are not always installed on the system and
       are not required for correct authentication and authorization of the
       login session.

So the pam_selinux.so lines have a - at the beginning, and thus their lack of existence shouldn't break anything.
Comment 2 Alan Richter 2020-12-05 17:45:33 CET
Well it does:

sudo systemctl start vncserver@:7
Job for vncserver@:7.service failed because the control process exited with error code.
See "systemctl status vncserver@:7.service" and "journalctl -xe" for details.


Dec 05 09:37:13 duck sudo[15210]: arichter : HOST=duck ; TTY=pts/0 ; PWD=/home/arichter ; USER=root ; COMMAND=/bin/systemctl start vncserver@:7
Dec 05 09:37:13 duck systemd[1]: Starting Remote desktop service (VNC)...
░░ Subject: A start job for unit vncserver@:7.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit vncserver@:7.service has begun execution.
░░ 
░░ The job identifier is 4863.
Dec 05 09:37:13 duck systemd-logind[889]: New session 5 of user arichter.
░░ Subject: A new session 5 has been created for user arichter
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ Documentation: https://www.freedesktop.org/wiki/Software/systemd/multiseat
░░ 
░░ A new session with the ID 5 has been created for the user arichter.
░░ 
░░ The leading process of the session is 15223.
Dec 05 09:37:13 duck systemd[1]: Started Session 5 of user arichter.
░░ Subject: A start job for unit session-5.scope has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit session-5.scope has finished successfully.
░░ 
░░ The job identifier is 5027.
Dec 05 09:37:13 duck vncsession[15223]: pam_unix(tigervnc:session): session opened for user arichter by (uid=0)
Dec 05 09:37:13 duck vncsession[15223]: pam_open_session failed: 28 (Module is unknown)
Dec 05 09:37:13 duck vncsession-start[15217]: Failure daemonizing
Dec 05 09:37:13 duck systemd[1]: vncserver@:7.service: Control process exited, code=exited, status=71/OSERR
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStart= process belonging to unit vncserver@:7.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 71.
Dec 05 09:37:13 duck systemd[1]: vncserver@:7.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit vncserver@:7.service has entered the 'failed' state with result 'exit-code'.
Dec 05 09:37:13 duck systemd[1]: Failed to start Remote desktop service (VNC).
░░ Subject: A start job for unit vncserver@:7.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit vncserver@:7.service has finished with a failure.
░░ 
░░ The job identifier is 4863 and the job result is failed.
Dec 05 09:37:13 duck systemd[1]: session-5.scope: Succeeded.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit session-5.scope has successfully entered the 'dead' state.
Dec 05 09:37:13 duck systemd-logind[889]: Session 5 logged out. Waiting for processes to exit.
Dec 05 09:37:13 duck systemd-logind[889]: Removed session 5.
░░ Subject: Session 5 has been terminated
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ Documentation: https://www.freedesktop.org/wiki/Software/systemd/multiseat
░░ 
░░ A session with the ID 5 has been terminated.

However with pam_selinux.so removed it does work:
[arichter@duck ~]$ cat /etc/pam.d/tigervnc
#%PAM-1.0
# pam_selinux.so close should be the first session rule
session    required     pam_loginuid.so
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
-session   optional     pam_systemd.so
session    required     pam_unix.so
-session   optional     pam_reauthorize.so prepare

Excerpt from "sudo journalctl -xe":

Dec 05 09:40:19 duck systemd[1]: Starting Remote desktop service (VNC)...
░░ Subject: A start job for unit vncserver@:7.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit vncserver@:7.service has begun execution.
░░ 
░░ The job identifier is 5194.
Dec 05 09:40:19 duck systemd-logind[889]: New session 6 of user arichter.
░░ Subject: A new session 6 has been created for user arichter
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ Documentation: https://www.freedesktop.org/wiki/Software/systemd/multiseat
░░ 
░░ A new session with the ID 6 has been created for the user arichter.
░░ 
░░ The leading process of the session is 15620.
Dec 05 09:40:19 duck systemd[1]: Started Session 6 of user arichter.
░░ Subject: A start job for unit session-6.scope has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit session-6.scope has finished successfully.
░░ 
░░ The job identifier is 5358.
Dec 05 09:40:19 duck vncsession[15620]: pam_unix(tigervnc:session): session opened for user arichter by (uid=0)
Dec 05 09:40:19 duck systemd[1]: Started Remote desktop service (VNC).
░░ Subject: A start job for unit vncserver@:7.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit vncserver@:7.service has finished successfully.
░░ 
░░ The job identifier is 5194.
Comment 3 Jani Välimaa 2020-12-06 14:32:52 CET
I guess pam_selinux.so can't be 'required' even if the line is prepended with a - character. It can only be 'optional'.

CC: (none) => jani.valimaa

Comment 4 Alan Richter 2020-12-06 17:28:44 CET
That's confirmed; this:

#%PAM-1.0
# pam_selinux.so close should be the first session rule
-session   optional     pam_selinux.so close
session    required     pam_loginuid.so
-session   optional     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
-session   optional     pam_systemd.so
session    required     pam_unix.so
-session   optional     pam_reauthorize.so prepare

works just fine.
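
Added example, not part of the original thread or of the tigervnc or Mageia sources: a small linter for a PAM service file that reports every rule whose module is absent and whether its control field lets the stack survive, which is the distinction comments 1 to 4 arrive at (the - prefix only suppresses logging; the control field decides the outcome). The function names and the INSTALLED inventory are assumptions made for the example; on a real host the inventory would come from a listing of the PAM module directory.

```python
import re

# Bracket-form "default" action of each keyword control, per pam.conf(5).
KEYWORD_DEFAULT = {"required": "bad", "requisite": "die",
                   "sufficient": "ignore", "optional": "ignore"}
VERDICT = {"ignore": "tolerated", "bad": "breaks-stack", "die": "breaks-stack"}
LINE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def missing_module_action(control):
    # Action applied when the module cannot be loaded (module_unknown).
    if control.startswith("["):
        pairs = dict(p.split("=", 1) for p in control.strip("[]").split() if "=" in p)
        return pairs.get("module_unknown", pairs.get("default", "unspecified"))
    return KEYWORD_DEFAULT.get(control)  # None for include/substack lines

def lint_pam_service(text, installed):
    """Return (line, module, control, dash_prefix, verdict) per absent module."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.strip())
        action = missing_module_action(m.group(3)) if m else None
        if action is None:
            continue  # comment, blank line, include/substack or unparsed syntax
        name = m.group(4).rsplit("/", 1)[-1]
        if name not in installed:
            findings.append((n, name, m.group(3), bool(m.group(1)), VERDICT.get(action, "review")))
    return findings

# /etc/pam.d/tigervnc as quoted in comment 1 of this report.
ORIGINAL = """\
#%PAM-1.0
# pam_selinux.so close should be the first session rule
-session   required     pam_selinux.so close
session    required     pam_loginuid.so
-session   required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
-session   optional     pam_systemd.so
session    required     pam_unix.so
-session   optional     pam_reauthorize.so prepare
"""
# The change confirmed in comment 4: pam_selinux.so lines become optional.
FIXED = ORIGINAL.replace("required     pam_selinux.so", "optional     pam_selinux.so")
# Constructed inventory (assumption): every module present except pam_selinux.so.
INSTALLED = {"pam_loginuid.so", "pam_namespace.so", "pam_keyinit.so", "pam_limits.so",
             "pam_systemd.so", "pam_unix.so", "pam_reauthorize.so"}

if __name__ == "__main__":
    print(lint_pam_service(ORIGINAL, INSTALLED), lint_pam_service(FIXED, INSTALLED))
```

A "review" verdict means a bracketed control maps the missing-module case to an action other than ignore, bad or die, or leaves it unspecified, so the rule needs a manual look.
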
Comment 5 Jani Välimaa 2020-12-06 17:48:36 CET
Should be fixed in tigervnc-1.11.0-4.mga8. Please test.
Comment 6 Alan Richter 2020-12-06 17:56:49 CET
Will do, unfortunately tigervnc won't build, it's getting hung up in the java section:

[100%] Generating VncViewer.jar
/usr/bin/jar cfm VncViewer.jar /home/arichter/rpmbuild/BUILD/tigervnc-1.11.0/java/com/tigervnc/vncviewer/MANIFEST.MF com/tigervnc/vncviewer/timestamp com/tigervnc/vncviewer/*.class com/tigervnc/rfb/*.class com/tigervnc/rdr/*.class com/tigervnc/network/*.class com/jcraft/jzlib/*.class com/jcraft/jsch/jcraft/*.class com/jcraft/jsch/jce/*.class com/jcraft/jsch/*.class com/tigervnc/vncviewer/*.png com/tigervnc/vncviewer/tigervnc.ico
/usr/bin/cmake -DJava_PATH=/usr/bin/ -DJAR_FILE=/home/arichter/rpmbuild/BUILD/tigervnc-1.11.0/java/build/VncViewer.jar -DJAVA_KEYSTORE=NOTFOUND -DJAVA_KEYSTORE_TYPE=jks -DJAVA_STOREPASS=NOTFOUND -DJAVA_KEYPASS=NOTFOUND -DJAVA_KEY_ALIAS=NOTFOUND -DJAVA_TSA_URL=NOTFOUND -P /home/arichter/rpmbuild/BUILD/tigervnc-1.11.0/java/cmake/SignJar.cmake
-- Generating self-signed certificate
-- Signing /home/arichter/rpmbuild/BUILD/tigervnc-1.11.0/java/build/VncViewer.jar
CMake Error at /home/arichter/rpmbuild/BUILD/tigervnc-1.11.0/java/cmake/SignJar.cmake:66 (message):
  /usr/bin//jarsigner failed:

  Exception in thread "main" java.lang.ExceptionInInitializerError

  Caused by: java.lang.IllegalArgumentException: Error in security property.
  Constraint unknown: c2tnb191v1

        at
  java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.<init>(DisabledAlgorithmConstraints.java:376)


        at
  java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:125)


        at
  java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:92)


        at jdk.jartool/sun.security.tools.jarsigner.Main.<clinit>(Main.java:98)
Comment 7 David Walser 2020-12-06 18:06:24 CET
Looks like it built on the build system.  Should show up on the mirrors in a few hours.
Comment 8 Alan Richter 2020-12-06 20:23:26 CET
Fixed, thank you.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

