-
Notifications
You must be signed in to change notification settings - Fork 953
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add vncsession-restore script to restore SELinux context #1425
base: master
Are you sure you want to change the base?
Conversation
4f9f072
to
36f0e77
Compare
Testing workflow (with SELinux set to Enforcing):
|
Are you saying that #1372 did not fix the issue fully? |
Unfortunately it did not. This seems to fix it and I asked here: https://bugzilla.redhat.com/show_bug.cgi?id=2042535 if someone else can confirm it fixes the issue for him as well. |
I'm still confused. The linked bugzilla thread suggests that #1372 was a sufficient fix. What exactly is still breaking? |
E.g. this comment https://bugzilla.redhat.com/show_bug.cgi?id=2042535#c9 suggest it's still not working and I can reproduce that. When I downgrade to Tigervnc 1.11.0 and setup a user, then upgrading to Tigervnc 1.12.0 (having SELinux in Enforcing mode) and starting the vncserver service, it fails to start. When SELinux is in Permissive mode, it will work and you will see the SELinux context has changed. |
All right. I'd like to see a more exact analysis of why the existing method is failing though. Perhaps it can be fixed? |
I can see following AVC:
|
There are three calls on the |
The vncsession-restore script is used in the ExecStartPre option for systemd service file in order to properly start the session in case the policy is updated (e.g. after Tigervnc update).
36f0e77
to
9754d4e
Compare
Is it the check itself that might cause the issue? Should we perhaps do the relabeling unconditionally? |
Doesn't seem so. When I do that I still get:
And I see: In the journal log. |
It works when I just run Removing the |
Further investigating this, when I add following line into vncsession.fc, then even this solution doesn't work:
that makes it run with given context and fails afterwards? Even though when I disable it and also when I remove the
This change as it is works for me just fine. |
I'm afraid I don't have time to dig in to this right now. Perhaps one of the SELinux experts could have a look? |
The vncsession-restore script is used in the ExecStartPre option for systemd service file in order to properly start the session in case the policy is updated (e.g. after Tigervnc update).
Note: the original solution where we call restorecon in vncsession might be either removed or can be kept in case someone runs this outside systemd, but it doesn't seem to be enough when Tigervnc is started as systemd service.
Keeping this as WIP for now as I'm trying to test it properly, but any feedback is welcomed.
cc: @zpytela @vmojzis