[RHEL7] geoclue_t AVCs seen when starting vncserver as a service
Issue
- When starting vncserver as a service, by copying then customizing /usr/lib/systemd/system/vncserver@.service, system_u:system_r:geoclue_t AVCs are seen in the audit log:

  # ausearch -m AVC
  ----
  time->XXX
  type=PROCTITLE msg=audit(XXX): proctitle=...
  type=PATH msg=audit(XXX): item=0 name="/proc/<PID>/cgroup" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
  type=CWD msg=audit(XXX): cwd="/"
  type=SYSCALL msg=audit(1529592076.290:764): arch=c000003e syscall=2 success=no exit=-13 ... comm="geoclue" exe="/usr/libexec/geoclue" subj=system_u:system_r:geoclue_t:s0 key=(null)
  type=AVC msg=audit(XXX): avc: denied { search } for ... comm="geoclue" ... dev="proc" ... scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir
- Other system_u:system_r:unconfined_service_t related AVCs can be seen, for example:

  # ausearch -m AVC
  ----
  time->XXX
  type=PROCTITLE msg=audit(XXX): proctitle="/usr/sbin/spice-vdagentd"
  type=SYSCALL msg=audit(XXX): arch=c000003e syscall=5 success=yes exit=0 ... comm="spice-vdagentd" exe="/usr/sbin/spice-vdagentd" subj=system_u:system_r:vdagent_t:s0 key=(null)
  type=AVC msg=audit(XXX): avc: denied { getattr } for ... comm="spice-vdagentd" ... scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file
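The denials above share one signature: a confined daemon (geoclue_t, vdagent_t) is denied access to an object labelled unconfined_service_t. When triaging this kind of issue it helps to reduce a long `ausearch -m AVC` dump to the distinct (source domain, target type, class, permission) tuples and their counts. The following Python script is an added example, not part of the Red Hat article; the audit records it parses are constructed to mirror the ones quoted above (PIDs, inodes, paths and timestamps are placeholders), and the function names are the author's own.

```python
import re
from collections import Counter

# Constructed sample records modelled on the article's output; all numeric
# values and paths are placeholders, not data from a real system.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1000000001.000:101): avc:  denied  { search } for  pid=1234 comm="geoclue" name="cgroup" dev="proc" ino=11111 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1000000002.000:102): avc:  denied  { search } for  pid=1234 comm="geoclue" name="cgroup" dev="proc" ino=11112 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1000000003.000:103): avc:  denied  { getattr } for  pid=2345 comm="spice-vdagentd" path="/proc/2300/cmdline" dev="proc" ino=22222 scontext=system_u:system_r:vdagent_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1000000003.000:103): arch=c000003e syscall=5 success=yes exit=0 comm="spice-vdagentd" exe="/usr/sbin/spice-vdagentd"
"""

# Matches the fields of a kernel AVC record; the kernel pads "denied"/"granted"
# and the permission set with variable whitespace, hence the \s+ / \s*.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # One record may list several permissions, e.g. { read write }
    rec["perms"] = tuple(rec["perms"].split())
    comm = re.search(r'comm="([^"]*)"', line)
    rec["comm"] = comm.group(1) if comm else None
    # A context is user:role:type:level; the type is what a policy rule names.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(audit_text):
    """Count denials per (source domain, target type, class, permission)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def unconfined_service_targets(audit_text):
    """Distinct denial tuples whose target is unconfined_service_t, i.e. the
    pattern the article describes: a confined daemon probing an object owned
    by a service that is running unconfined."""
    return sorted(k for k in summarize(audit_text) if k[1] == "unconfined_service_t")


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT).items()):
        sdomain, ttype, tclass, perm = key
        print(f"{n:4d}  {sdomain} -> {ttype}  {tclass}:{perm}")
```

Feed it real output with `ausearch -m AVC -ts recent | python3 avc_summary.py` after replacing SAMPLE_AUDIT with `sys.stdin.read()`; the grouped view shows at a glance which confined domains are hitting unconfined_service_t objects, which is the first thing to confirm before deciding whether the service unit or the policy needs attention.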
Environment
- Red Hat Enterprise Linux 7
- tigervnc-server