RHEL-77973: VNC session crashes early when having "unlimited" configured as "nofile" limit

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • rhel-9.7
    • rhel-9.5
    • tigervnc
    • tigervnc-1.15.0-1.el9
    • Moderate
    • rhel-display-applications
    • ssg_display
    • Red Hat Enterprise Linux
    • DESKTOP Cycle #5 10.0 phase, DESKTOP Cycle #1 10.1 phase

      This is similar to RHEL-77745 but for tigervnc, which ships its own policy.

      What were you trying to do that didn't work?

      When the nofile limit is configured as unlimited, starting a VNC session fails with the following AVC denial:

      type=PROCTITLE msg=audit(02/05/2025 09:51:57.510:224) : proctitle=/usr/sbin/vncsession root :2 
      type=PATH msg=audit(02/05/2025 09:51:57.510:224) : item=0 name=/proc/sys/fs/nr_open nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(02/05/2025 09:51:57.510:224) : cwd=/ 
      type=SYSCALL msg=audit(02/05/2025 09:51:57.510:224) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ff28ec680c5 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=5509 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=vncsession exe=/usr/sbin/vncsession subj=system_u:system_r:vnc_session_t:s0 key=(null) 
      type=AVC msg=audit(02/05/2025 09:51:57.510:224) : avc:  denied  { search } for  pid=5509 comm=vncsession name=fs dev="proc" ino=1826 scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0 
      

      The reason is that vnc_session_t is not allowed to read /proc/sys/fs/nr_open: the AVC above shows the search of the sysctl_fs_t directory (/proc/sys/fs) being denied. The pam_limits module reads that file to determine the maximum value to use for nofile when "unlimited" is configured.
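      As an added example (not part of the report or of tigervnc-selinux), the script below turns the AVC record quoted above into the CIL allow rule a temporary local policy module would carry until the fixed tigervnc-selinux build is installed. The AVC_SAMPLE string is a copy of the record from this report; the module name vnc-nrfix is an assumption.

```shell
#!/bin/sh
# Added example for RHEL-77973, not code from the report or from tigervnc.
# Constructed input: the AVC record quoted in the report, copied verbatim.
AVC_SAMPLE='type=AVC msg=audit(02/05/2025 09:51:57.510:224) : avc:  denied  { search } for  pid=5509 comm=vncsession name=fs dev="proc" ino=1826 scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=0'

# avc_field KEY LINE: value of "KEY=value" in an audit record
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type part of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission names inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# avc_to_cil LINE: one CIL allow rule covering exactly the denied access
avc_to_cil() {
    src=$(ctx_type "$(avc_field scontext "$1")")
    tgt=$(ctx_type "$(avc_field tcontext "$1")")
    cls=$(avc_field tclass "$1")
    perms=$(avc_perms "$1")
    printf '(allow %s %s (%s (%s)))\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_module LINE...: a complete CIL module body for the given records
avc_to_module() {
    printf ';; local workaround for RHEL-77973, remove once tigervnc-selinux is fixed\n'
    for rec in "$@"; do avc_to_cil "$rec"; done
}

# Usage on the affected host (assumed module name vnc-nrfix):
#   avc_to_module "$AVC_SAMPLE" > vnc-nrfix.cil && semodule -i vnc-nrfix.cil
#   sesearch -A -s vnc_session_t -t sysctl_fs_t -c dir -p search
# Allowing the directory search alone surfaces the next denial (reading the
# nr_open file itself); feed each new AVC record to avc_to_module as well.
avc_to_module "$AVC_SAMPLE"
```

In a refpolicy-style .te module the same access is what the kernel_read_fs_sysctls() interface grants, which is the form a fix in tigervnc's own policy would take.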

      What is the impact of this issue to you?

      Cannot set nofile to unlimited due to this.

      Please provide the package NVR for which the bug is seen:

      tigervnc-selinux-1.14.1-1.el9_5.noarch

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Configure the limit
        # cat /etc/security/limits.d/99-nofile.conf 
        root	- nofile	unlimited
      2. Configure VNC for the user
        # echo ":2=root" >> /etc/tigervnc/vncserver.users
      3. Start a VNC session
        # systemctl start vncserver@:2

      Expected results

      VNC service starting properly

      Actual results

      VNC service failing and AVC

              People: Jan Grulich (jgrulich@redhat.com), Renaud Métrich (rhn-support-rmetrich), Jan Grulich, Radek Duda