SELinux is preventing systemd from ioctl access on the file nxserver.service
- This topic has 3 replies, 4 voices, and was last updated 3 years ago by Britgirl.
September 19, 2021 at 21:57 #35348 maxim-nomachine Participant
I have the same problem as described here: https://bugzilla.redhat.com/show_bug.cgi?id=1769673
SELinux is preventing systemd from ioctl access on the file /usr/lib/systemd/system/nxserver.service.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd should be allowed ioctl access on the nxserver.service file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context unconfined_u:object_r:nx_unit_file_t:s0
Target Objects /usr/lib/systemd/system/nxserver.service [ file ]
Source systemd
Source Path systemd
Port
Host MyName
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.6-39.fc33.noarch
Local Policy RPM selinux-policy-targeted-3.14.6-39.fc33.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name MyName
Platform Linux MyName 5.13.15-100.fc33.x86_64 #1 SMP Wed Sep
8 15:51:20 UTC 2021 x86_64 x86_64
Alert Count 18
First Seen 2021-09-19 19:46:02 UTC
Last Seen 2021-09-19 19:46:02 UTC
Local ID ef5382b8-5b37-4577-8b99-90df2acff745

Raw Audit Messages
type=AVC msg=audit(1632080762.44:6751): avc: denied { ioctl } for pid=1 comm="systemd" path="/usr/lib/systemd/system/nxserver.service" dev="dm-1" ino=134561805 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:nx_unit_file_t:s0 tclass=file permissive=0

Hash: systemd,init_t,nx_unit_file_t,file,ioctl
October 11, 2021 at 18:30 #35689 Carin Participant
Hi maxim-nomachine,
thank you for reporting this. We were able to reproduce the problem in our labs and opened a Trouble Report: https://knowledgebase.nomachine.com/TR10S10384
October 23, 2021 at 18:00 #35916 edwkmho Participant
I am also experiencing this issue with Fedora 34 and Fedora 35 Beta.
By the way, from the trouble report TR10S10384 – As a temporary workaround, you can add a local policy to SELinux to allow access to that file.
Can anyone provide the command(s) to add the local policy to SELinux for Fedora 34 and Fedora 35 Beta?
Thanks.
November 19, 2021 at 19:30 #36351 Britgirl Keymaster
Hi, I am going to send you a file in a separate email. It contains the workaround whilst you wait for the permanent fix. Download it on to your machine and then run:
sudo semodule -i nx-unconfined.pp
This topic was marked as solved, you can't post.
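
Added illustration, not part of any post in this thread and not NoMachine's workaround file: a Python sketch that parses the AVC record quoted in the first post and renders the type-enforcement source that grants exactly that one denial, so the scope of a local policy module can be read before it is loaded. The module name my-systemd is taken from the sealert suggestion; the function names are hypothetical, and the sample record is the thread's own with the forum's typographic quotes left in.

```python
import re

# Constructed sample: the AVC record from the first post, keeping the forum's
# typographic quotes to show they must be normalised before parsing.
SAMPLE_AVC = (
    'type=AVC msg=audit(1632080762.44:6751): avc: denied { ioctl } for pid=1 '
    'comm=”systemd” path=”/usr/lib/systemd/system/nxserver.service” dev=”dm-1″ '
    'ino=134561805 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:object_r:nx_unit_file_t:s0 tclass=file permissive=0'
)

# Curly quotes and the double prime become plain ASCII quotes.
QUOTES = str.maketrans({'\u201c': '"', '\u201d': '"', '\u2033': '"', '\u2018': "'", '\u2019': "'"})
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None if it is not one."""
    m = AVC_RE.search(line.translate(QUOTES))
    if m is None:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    fields = {k: v.strip('"') for k, v in fields.items()}
    # An SELinux context is user:role:type:level; allow rules are keyed on the type.
    for key in ('scontext', 'tcontext'):
        fields[key + '_type'] = fields[key].split(':')[2]
    fields['perms'] = m.group('perms').split()
    return fields


def to_te_module(avc, name):
    """Render type-enforcement source that allows only the denied access."""
    src, tgt, cls = avc['scontext_type'], avc['tcontext_type'], avc['tclass']
    perms = ' '.join(avc['perms'])
    return (
        f'module {name} 1.0;\n\n'
        'require {\n'
        f'\ttype {src};\n'
        f'\ttype {tgt};\n'
        f'\tclass {cls} {{ {perms} }};\n'
        '}\n\n'
        f'allow {src} {tgt}:{cls} {{ {perms} }};\n'
    )


if __name__ == '__main__':
    print(to_te_module(parse_avc(SAMPLE_AVC), 'my-systemd'))
```

audit2allow -M writes the same kind of .te source next to the .pp it builds, and that .te file is the one to read before running semodule -i.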