[RHEL7] geoclue_t AVCs seen when starting vncserver as a service
Issue
- When starting vncserver as a service, by copying then customizing /usr/lib/systemd/system/vncserver@.service, system_u:system_r:geoclue_t AVCs are seen in the audit log:

    # ausearch -m AVC
    ----
    time->XXX
    type=PROCTITLE msg=audit(XXX): proctitle=...
    type=PATH msg=audit(XXX): item=0 name="/proc/<PID>/cgroup" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(XXX): cwd="/"
    type=SYSCALL msg=audit(1529592076.290:764): arch=c000003e syscall=2 success=no exit=-13 ... comm="geoclue" exe="/usr/libexec/geoclue" subj=system_u:system_r:geoclue_t:s0 key=(null)
    type=AVC msg=audit(XXX): avc: denied { search } for ... comm="geoclue" ... dev="proc" ... scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir

- Other system_u:system_r:unconfined_service_t related AVCs can be seen, for example:

    # ausearch -m AVC
    ----
    time->XXX
    type=PROCTITLE msg=audit(XXX): proctitle="/usr/sbin/spice-vdagentd"
    type=SYSCALL msg=audit(XXX): arch=c000003e syscall=5 success=yes exit=0 ... comm="spice-vdagentd" exe="/usr/sbin/spice-vdagentd" subj=system_u:system_r:vdagent_t:s0 key=(null)
    type=AVC msg=audit(XXX): avc: denied { getattr } for ... comm="spice-vdagentd" ... scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file
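A small triage script, added here as an example and not part of this article or of tigervnc, that parses AVC records like the ones above and counts the denials whose target is labelled unconfined_service_t, grouped by source domain, object class and permission. The sample records are constructed to mirror the two above (PIDs, paths and inode numbers are placeholders), and the comment on unconfined_service_t states general RHEL 7 SELinux behaviour, not something this article says.

```python
import re
from collections import Counter

# Constructed sample modelled on the two AVC records in this article, plus one
# unrelated denial and one non-AVC record to show that both are filtered out.
SAMPLE_AVCS = """\
type=AVC msg=audit(1529592076.290:764): avc: denied { search } for pid=4242 comm="geoclue" name="cgroup" dev="proc" ino=99 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
type=AVC msg=audit(1529592076.291:765): avc: denied { getattr } for pid=4243 comm="spice-vdagentd" path="/proc/4242/stat" dev="proc" ino=100 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file
type=AVC msg=audit(1529592076.292:766): avc: denied { read } for pid=4244 comm="sshd" path="/etc/example.conf" dev="dm-0" ino=101 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1529592076.290:764): arch=c000003e syscall=2 success=no exit=-13 comm="geoclue"
"""

# "avc: denied { perm ... } for key=value ..." as printed by ausearch
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type field of a user:role:type:level context, or None if malformed."""
    parts = (ctx or '').split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'result': m.group('result'),
            'perms': tuple(m.group('perms').split()),
            'comm': fields.get('comm'),
            'tclass': fields.get('tclass'),
            'sdomain': context_type(fields.get('scontext')),
            'ttype': context_type(fields.get('tcontext'))}


def unconfined_service_denials(text):
    """Count denials against unconfined_service_t targets, keyed by (source
    domain, object class, permissions): systemd puts a service in that domain
    when its executable has no SELinux domain transition defined."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec['ttype'] == 'unconfined_service_t':
            counts[(rec['sdomain'], rec['tclass'], rec['perms'])] += 1
    return counts


if __name__ == '__main__':
    # On a live host, feed it the real records instead: ausearch -m AVC -ts recent
    for (sdomain, tclass, perms), n in sorted(unconfined_service_denials(SAMPLE_AVCS).items()):
        print(f"{n:3d}  {sdomain:<20} {tclass:<6} {{ {' '.join(perms)} }}")
```

A confined domain such as geoclue_t or vdagent_t showing up in the output is the sign that the vncserver unit is running unconfined rather than in a VNC-specific domain.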
Environment
- Red Hat Enterprise Linux 7
- tigervnc-server