I was able to solve the problem. I will post the solution here, because I believe this SELinux issue is a bug in CentOS 7/RHEL 7 running vncserver as a service and will affect other people as well.
The root cause of the geoclue_t AVCs is that the Gnome session started from vncserver runs in the wrong security context. The vncserver is started by systemd and runs in unconfined_service_t, whereas Gnome is intended to be started by a regular user and run in the unconfined_t context.
The first step to fix the issue is to add the following line to the [Service] section of /etc/systemd/system/vncserver@:1.service. This is intended to transition the vncserver process to the unconfined_t domain.
[Service]
SELinuxContext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
To allow the transition to take place, the following custom module needs to be added to the SELinux policy:
module my-vncserver 1.0;

require {
        type unconfined_t;
        type init_t;
        class process transition;
}

#============= init_t ==============
# Let systemd (init_t) switch the service it spawns into unconfined_t,
# which is what the SELinuxContext= line in the unit file asks for.
allow init_t unconfined_t:process transition;
Save it in a working directory, for example as my-vncserver.te.
Compile and install with:
checkmodule -M -m -o my-vncserver.mod my-vncserver.te
semodule_package -o my-vncserver.pp -m my-vncserver.mod
semodule -i my-vncserver.pp
Make sure to do this for all users (vncserver@:2, vncserver@:3, etc.), otherwise the AVCs will continue.
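The following bash script is an added example, not code from the post above or from the CentOS/RHEL packages. It carries out the whole procedure in one go: it inserts the SELinuxContext= line below [Service] in every per-display unit (idempotently, so re-running it does not duplicate the line), writes and installs the policy module, restarts the units, and then checks `ps -eZ` to confirm that Xvnc really ends up in unconfined_t rather than unconfined_service_t. Assumptions: the per-display units live in /etc/systemd/system as vncserver@:N.service (the CentOS 7 layout), the checkmodule/semodule_package/semodule tools are installed, and the WORK_DIR path, the script name and its --apply flag are my own choices.

```bash
#!/bin/bash
# Added example, not from the original post: apply the SELinuxContext= fix to
# every per-display vncserver unit, build/install the policy module and check
# the resulting process context. Assumed layout: per-display units are
# /etc/systemd/system/vncserver@:N.service (CentOS 7 style), WORK_DIR is a
# scratch directory of our choosing, and checkmodule/semodule_package/semodule
# are installed (checkpolicy and policycoreutils packages).

UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"
WORK_DIR="${WORK_DIR:-/root/my-vncserver}"   # assumed scratch location
CONTEXT_LINE='SELinuxContext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# Print the path of every per-display unit (vncserver@:1.service, @:2, ...).
vnc_units() {
    ls "$1"/vncserver@:*.service 2>/dev/null
}

# Insert CONTEXT_LINE directly below [Service], exactly once. Re-running on an
# already patched unit is a no-op; a unit without a [Service] section fails.
add_selinux_context() {
    local unit="$1" tmp
    grep -qxF "$CONTEXT_LINE" "$unit" && return 0
    tmp=$(mktemp) || return 1
    # Overwrite with cat rather than mv so the unit keeps its owner and label.
    awk -v line="$CONTEXT_LINE" '
        { print }
        /^\[Service\]$/ && !done { print line; done = 1 }
    ' "$unit" > "$tmp" && cat "$tmp" > "$unit"
    rm -f "$tmp"
    grep -qxF "$CONTEXT_LINE" "$unit"
}

# Write the policy module source from the post to $1/my-vncserver.te.
write_te_module() {
    mkdir -p "$1" || return 1
    cat > "$1/my-vncserver.te" <<'EOF'
module my-vncserver 1.0;

require {
    type unconfined_t;
    type init_t;
    class process transition;
}

# systemd (init_t) must be allowed to switch the child into unconfined_t.
allow init_t unconfined_t:process transition;
EOF
}

# Compile and load the module. Refuses to run without the SELinux toolchain.
build_and_install_module() {
    local tool
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
    done
    ( cd "$1" &&
      checkmodule -M -m -o my-vncserver.mod my-vncserver.te &&
      semodule_package -o my-vncserver.pp -m my-vncserver.mod &&
      semodule -i my-vncserver.pp )
}

# Take one line of `ps -eZ` output and succeed if the process runs in the
# given SELinux domain (third colon-separated field of the context).
runs_in_domain() {
    local ctx dom
    ctx=$(printf '%s\n' "$1" | awk '{ print $1 }')
    dom=$(printf '%s\n' "$ctx" | cut -d: -f3)
    [ "$dom" = "$2" ]
}

main() {
    local unit count=0
    for unit in $(vnc_units "$UNIT_DIR"); do
        add_selinux_context "$unit" || { echo "could not patch $unit" >&2; return 1; }
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no vncserver@:N.service units in $UNIT_DIR" >&2; return 1; }
    write_te_module "$WORK_DIR" && build_and_install_module "$WORK_DIR" || return 1
    systemctl daemon-reload
    for unit in $(vnc_units "$UNIT_DIR"); do
        systemctl restart "$(basename "$unit")"
    done
    # Any Xvnc still reported as unconfined_service_t means the transition failed.
    ps -eZ | grep '[X]vnc' | while read -r line; do
        runs_in_domain "$line" unconfined_t || echo "wrong context: $line" >&2
    done
}

# Only touch the system when explicitly asked (--apply is this script's own flag).
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as root, for example `./fix-vnc-context.sh --apply` (the file name is mine). The unit files are rewritten in place with `cat >` instead of `mv` so they keep their ownership and SELinux label, and the final `ps -eZ` pass prints every Xvnc that is still not in unconfined_t, which is the quickest way to spot a display whose unit was missed.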