SELinux is preventing systemd from ioctl access on the file nxserver.service

  • #35348
    maxim-nomachine
    Participant

    I have the same problem as described here: https://bugzilla.redhat.com/show_bug.cgi?id=1769673

    SELinux is preventing systemd from ioctl access on the file /usr/lib/systemd/system/nxserver.service.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that systemd should be allowed ioctl access on the nxserver.service file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'systemd' --raw | audit2allow -M my-systemd
    # semodule -X 300 -i my-systemd.pp

    Additional Information:
    Source Context system_u:system_r:init_t:s0
    Target Context unconfined_u:object_r:nx_unit_file_t:s0
    Target Objects /usr/lib/systemd/system/nxserver.service [ file ]
    Source systemd
    Source Path systemd
    Port
    Host MyName
    Source RPM Packages
    Target RPM Packages
    SELinux Policy RPM selinux-policy-targeted-3.14.6-39.fc33.noarch
    Local Policy RPM selinux-policy-targeted-3.14.6-39.fc33.noarch
    Selinux Enabled True
    Policy Type targeted
    Enforcing Mode Enforcing
    Host Name MyName
    Platform Linux MyName 5.13.15-100.fc33.x86_64 #1 SMP Wed Sep
    8 15:51:20 UTC 2021 x86_64 x86_64
    Alert Count 18
    First Seen 2021-09-19 19:46:02 UTC
    Last Seen 2021-09-19 19:46:02 UTC
    Local ID ef5382b8-5b37-4577-8b99-90df2acff745

    Raw Audit Messages
    type=AVC msg=audit(1632080762.44:6751): avc: denied { ioctl } for pid=1 comm="systemd" path="/usr/lib/systemd/system/nxserver.service" dev="dm-1" ino=134561805 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:nx_unit_file_t:s0 tclass=file permissive=0

    Hash: systemd,init_t,nx_unit_file_t,file,ioctl

    #35689
    Carin
    Participant

    Hi maxim-nomachine,

    thank you for reporting this. We were able to reproduce the problem in our labs and opened a Trouble Report: https://knowledgebase.nomachine.com/TR10S10384

    #35916
    edwkmho
    Participant

    I am also experiencing this issue with Fedora 34 and Fedora 35 Beta.

    By the way, from the trouble report TR10S10384 – As a temporary workaround, you can add a local policy to SELinux to allow access to that file.

    Can anyone provide the command(s) to add the local policy to SELinux for Fedora 34 and Fedora 35 Beta?

    Thanks.

    #36351
    Britgirl
    Participant

    Hi, I am going to send you a file in a separate email. It contains the workaround whilst you wait for the permanent fix. Download it on to your machine and then run:
    sudo semodule -i nx-unconfined.pp
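
Added example, not part of the thread and not NoMachine's `nx-unconfined.pp`: a Python sketch that derives the minimal type-enforcement source for the AVC record in the first post, so the rule a local module grants can be read before anything is loaded. The helper names are hypothetical; the module name `my-systemd` is the one sealert suggests above.

```python
import re
from collections import defaultdict

# AVC record from the first post (straight quotes, as auditd writes them).
AVC = ('type=AVC msg=audit(1632080762.44:6751): avc: denied { ioctl } for pid=1 '
       'comm="systemd" path="/usr/lib/systemd/system/nxserver.service" dev="dm-1" '
       'ino=134561805 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 '
       'tcontext=unconfined_u:object_r:nx_unit_file_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?'
                    r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, scon, tcon, tclass = m.groups()
    # A context is user:role:type[:level]; the type is always the third field.
    return scon.split(':')[2], tcon.split(':')[2], tclass, frozenset(perms.split())

def fmt(perms):
    """Render one permission bare, several inside braces, as TE syntax expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def te_module(lines, name):
    """Build TE source that allows only the denials found in `lines`."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            rules[(src, tgt, tclass)] |= perms
    types = sorted({t for s, g, _ in rules for t in (s, g)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {fmt(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {g}:{c} {fmt(p)};' for (s, g, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(te_module([AVC], 'my-systemd'))
```

The source it prints can be compiled with `checkmodule -M -m -o my-systemd.mod my-systemd.te` and `semodule_package -o my-systemd.pp -m my-systemd.mod`. Note that `ausearch -c 'systemd'` feeds audit2allow every logged denial whose command is systemd, so a module generated that way can allow more than this one ioctl rule.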


This topic was marked as solved, you can't post.