[SOLVED] - SELINUX: geoclue_t AVCs when starting vncserver as a service

Rudy
Posts: 5
Joined: 2013/03/05 09:05:06

[SOLVED] - SELINUX: geoclue_t AVCs when starting vncserver as a service

Post by Rudy » 2021/05/24 10:35:20

When starting vncserver as a service, by copying then customizing /usr/lib/systemd/system/vncserver@.service, system_u:system_r:geoclue_t AVCs show up in the audit log:

Code:

SELinux is preventing /usr/libexec/geoclue from getattr access on the file /proc/<pid>/cgroup.
[...]
Additional Information:
Source Context                system_u:system_r:geoclue_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                /proc/<pid>/cgroup [ file ]
Source                        geoclue
Source Path                   /usr/libexec/geoclue
I believe this is because the vncserver process is running in the unconfined_service_t context (started by systemd), instead of the unconfined_t context (started by a regular user).

What is the best way to make sure that vncserver runs in the proper unconfined_t context? Or, more generally, what is the best way to handle running vncserver as a service with selinux enabled?
Last edited by Rudy on 2021/05/26 13:15:09, edited 3 times in total.

Rudy
Posts: 5
Joined: 2013/03/05 09:05:06

Re: SELINUX: geoclue_t AVCs when starting vncserver as a service

Post by Rudy » 2021/05/26 12:22:55

I was able to solve the problem. I will post the solution here, because I believe this SELinux issue is a bug in CentOS 7/RHEL 7 running vncserver as a service and will affect other people as well.

The root cause of the geoclue_t AVCs is that the Gnome session started from vncserver runs in the wrong security context. The vncserver is started by systemd and runs in unconfined_service_t, whereas Gnome is intended to be started by a regular user and run in the unconfined_t context.

The first step to fix the issue is to add the following line to the [Service] section of /etc/systemd/system/vncserver@:1.service. This is intended to transition the vncserver process to the unconfined_t domain.

Code:

[Service]
SELinuxContext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
To allow the transition to take place, the following custom module needs to be added to the SELinux policy:

Code:

module my-vncserver 1.0;

require {
	type unconfined_t;
	type init_t;
	class process transition;
}

#============= init_t ==============
# Let systemd (init_t) transition the process it spawns into unconfined_t,
# which is what SELinuxContext= in the unit asks for.
allow init_t unconfined_t:process transition;
Save it in a working directory, for example as my-vncserver.te.

Compile and install with:

Code:

checkmodule -M -m -o my-vncserver.mod my-vncserver.te
semodule_package -o my-vncserver.pp -m my-vncserver.mod
semodule -i my-vncserver.pp
Make sure to do this for all users (vncserver@:2, vncserver@:3, etc.), otherwise the AVCs will continue.
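Added example, not taken from Rudy's posts or from the TigerVNC or CentOS projects: a shell script that packages the fix from the two posts above and adds the verification step a practitioner would want. It goes one step beyond the thread by writing the SELinuxContext= line into a drop-in directory for the template unit (vncserver@.service.d/), which systemd merges into every instance (vncserver@:1, vncserver@:2, ...), so the line does not have to be copied into each per-user unit. The drop-in file name selinux.conf, the module name my-vncserver, and the `ps -eZ` sample output used for the before/after check are assumptions made for this example; the process it looks for is Xvnc, the X server that the vncserver wrapper launches.

```shell
#!/bin/bash
# Added example (not the thread's own code). Assumptions: template unit is
# vncserver@.service, target domain is unconfined_t, the running VNC process
# shows up in `ps -eZ` as Xvnc.
set -u

# Drop-in text for the template unit. A file under vncserver@.service.d/ is
# merged into every instance, so one file covers vncserver@:1, :2, :3, ...
dropin_text() {
    cat <<'EOF'
[Service]
SELinuxContext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
EOF
}

# Policy module source: allow systemd (init_t) to transition into unconfined_t.
policy_te() {
    cat <<'EOF'
module my-vncserver 1.0;

require {
	type unconfined_t;
	type init_t;
	class process transition;
}

allow init_t unconfined_t:process transition;
EOF
}

# Install the drop-in, build and load the module, reload systemd.
# Needs root plus checkmodule, semodule_package and semodule on the host.
install_fix() {
    local dropin_dir=/etc/systemd/system/vncserver@.service.d
    local work
    work=$(mktemp -d)
    mkdir -p "$dropin_dir"
    dropin_text > "$dropin_dir/selinux.conf"
    policy_te > "$work/my-vncserver.te"
    checkmodule -M -m -o "$work/my-vncserver.mod" "$work/my-vncserver.te"
    semodule_package -o "$work/my-vncserver.pp" -m "$work/my-vncserver.mod"
    semodule -i "$work/my-vncserver.pp"
    systemctl daemon-reload
    rm -rf "$work"
}

# Verification: given text in `ps -eZ` format (LABEL PID TTY TIME CMD), print
# the SELinux type of the first Xvnc process, or "none" if there is no Xvnc.
# unconfined_service_t here means the transition did NOT happen.
vnc_domain() {
    printf '%s\n' "$1" \
        | awk '$NF == "Xvnc" { split($1, c, ":"); print c[3]; exit }' \
        | grep . || echo none
}

# Same check against the live system.
check_live() { vnc_domain "$(ps -eZ)"; }

# Constructed sample listings (not captured from a real host) showing the
# symptom from the thread and the state after the fix.
SAMPLE_BEFORE='LABEL                                     PID TTY      TIME CMD
system_u:system_r:unconfined_service_t:s0 1234 ?        00:00:01 Xvnc
system_u:system_r:geoclue_t:s0            1300 ?        00:00:00 geoclue'
SAMPLE_AFTER='LABEL                                                  PID TTY      TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1234 ?        00:00:01 Xvnc'
```

Run `install_fix` as root, restart the instances (`systemctl restart vncserver@:1.service` and so on), then run `check_live`; it should print unconfined_t. If it still prints unconfined_service_t, check `ausearch -m AVC -ts recent` for a denied transition before looking anywhere else.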
