SELinux is preventing systemd from ioctl access on the file nxserver.service

Forum / NoMachine for Linux / SELinux is preventing systemd from ioctl access on the file nxserver.service

Tagged: ,

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #35348
    maxim-nomachine
    Participant

    I have the same problem as described here: https://bugzilla.redhat.com/show_bug.cgi?id=1769673

    SELinux is preventing systemd from ioctl access on the file /usr/lib/systemd/system/nxserver.service.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that systemd should be allowed ioctl access on the nxserver.service file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c ‘systemd’ –raw | audit2allow -M my-systemd
    # semodule -X 300 -i my-systemd.pp

    Additional Information:
    Source Context system_u:system_r:init_t:s0
    Target Context unconfined_u:object_r:nx_unit_file_t:s0
    Target Objects /usr/lib/systemd/system/nxserver.service [ file ]
    Source systemd
    Source Path systemd
    Port
    Host MyName
    Source RPM Packages
    Target RPM Packages
    SELinux Policy RPM selinux-policy-targeted-3.14.6-39.fc33.noarch
    Local Policy RPM selinux-policy-targeted-3.14.6-39.fc33.noarch
    Selinux Enabled True
    Policy Type targeted
    Enforcing Mode Enforcing
    Host Name MyName
    Platform Linux MyName 5.13.15-100.fc33.x86_64 #1 SMP Wed Sep
    8 15:51:20 UTC 2021 x86_64 x86_64
    Alert Count 18
    First Seen 2021-09-19 19:46:02 UTC
    Last Seen 2021-09-19 19:46:02 UTC
    Local ID ef5382b8-5b37-4577-8b99-90df2acff745

    Raw Audit Messages
    type=AVC msg=audit(1632080762.44:6751): avc: denied { ioctl } for pid=1 comm=”systemd” path=”/usr/lib/systemd/system/nxserver.service” dev=”dm-1″ ino=134561805 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:nx_unit_file_t:s0 tclass=file permissive=0

    Hash: systemd,init_t,nx_unit_file_t,file,ioctl
    `

    #35689
    Carin
    Participant

    Hi maxim-nomachine,

    thank you for reporting this. We were able to reproduce the problem in our labs and opened a Trouble Report: https://knowledgebase.nomachine.com/TR10S10384

    #35916
    edwkmho
    Participant

    I am also experiencing this issue with Fedora 34 and Fedora 35 Beta.

    By the way, from the trouble report TR10S10384 – As a temporary workaround, you can add a local policy to SELinux to allow access to that file.

    Can anyone provide the command(s) to add the local policy to SELinux for Fedora 34 and Fedora 35 Beta.

    Thanks.

    #36351
    Britgirl
    Keymaster

    Hi, I am going to send you a file in a separate email. It contains the workaround whilst you wait for the permanent fix. Download it on to your machine and then run:
    sudo semodule -i nx-unconfined.pp

Viewing 4 posts - 1 through 4 (of 4 total)

This topic was marked as solved, you can't post.