SELinux and FreeNX

[Note added in August 2011: Be sure to read the comment by Dan Walsh. There is a simpler solution.]

When you attempt to connect to a remote machine using FreeNX, you might encounter this message:

The NX service is not available or the NX access was disabled on host XXX.

This is likely due to SELinux blocking the connection. If you are using QtNX, it just hangs without any message.  Here is how to solve the issue.

(1) Disable auditd.

service auditd stop

(2) Rename /var/log/audit/audit.log or move it somewhere else.

(3) Start auditd again. It creates a fresh, empty audit.log.

service auditd start

(4) Try connecting from the client. It will fail, and the denial is written to the new audit.log file.

(5) Generate an SELinux policy module from the log file and install it.

cat /var/log/audit/audit.log | audit2allow -M freenx
semodule -i freenx.pp

(6) You can see the policy by reading the .te file.

cat freenx.te

module freenx 1.0;

require {
type nx_server_var_lib_t;
type sshd_t;
class file read;
}

#============= sshd_t ==============
allow sshd_t nx_server_var_lib_t:file read;

(7) Now, try connecting from the client again. It will fail again. Repeat steps (1) to (5) using ‘freenx2’ instead of ‘freenx’.

(8) You will most likely need to repeat the process one more time before the connection finally succeeds. So, once again, repeat steps (1) to (5), this time using ‘freenx3’ instead of ‘freenx’.

If you look at the generated policy files, you can see what each round added.
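As an added example (not part of the original post), the shell function below prints the allow rules implied by the AVC denials in an audit log, optionally restricted to one source domain, so the result of steps (4) and (5) can be reviewed before `semodule -i` is run. The function name `avc_to_rules` and the sample log lines are constructed for illustration; the installable module still comes from audit2allow.

```shell
# avc_to_rules [DOMAIN]: read audit.log lines on stdin and print the allow
# rules the AVC denials imply, optionally only for source domain DOMAIN.
avc_to_rules() {
    awk -v dom="${1:-}" '
    $1 == "type=AVC" && / denied / {
        src = tgt = cls = ""; n = 0; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") inb = 1                  # permission list opens
            else if ($i == "}") inb = 0             # permission list closes
            else if (inb) perm[++n] = $i
            else if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next   # malformed record
        if (dom != "" && src != dom) next               # other domain, skip
        for (j = 1; j <= n; j++) print src, tgt, cls, perm[j]
    }' | LC_ALL=C sort -u | awk '
    function emit(   body) {
        if (key == "") return
        body = (n > 1) ? "{ " perms " }" : perms
        print "allow " key " " body ";"
    }
    {
        k = $1 " " $2 ":" $3
        if (k != key) { emit(); key = k; perms = $4; n = 1 }
        else { perms = perms " " $4; n++ }
    }
    END { emit() }'
}

# Constructed sample log: three sshd_t denials (one per connection attempt),
# one unrelated httpd_t denial, and one non-AVC record.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1312000001.101:201): avc:  denied  { read } for  pid=2101 comm="sshd" name="authorized_keys2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nx_server_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312000002.202:202): avc:  denied  { open } for  pid=2102 comm="sshd" name="authorized_keys2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nx_server_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312000003.303:203): avc:  denied  { getattr } for  pid=2103 comm="sshd" name="authorized_keys2" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nx_server_var_lib_t:s0 tclass=file
type=AVC msg=audit(1312000004.404:204): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1312000004.404:204): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
EOF
}

# Only the sshd_t denials end up in the printed rule.
sample_log | avc_to_rules sshd_t
```

Against the real log, run it as `avc_to_rules sshd_t < /var/log/audit/audit.log`; without a domain argument it prints rules for every denied domain, which shows what an unfiltered audit2allow run would also grant.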

2 thoughts on “SELinux and FreeNX”

  1. Most likely this is the .ssh directory being mislabeled in
    /opt/NX/home/nx/.ssh

    Running restorecon -R -v /opt/NX should fix the label. If this path is incorrect, then we need to know the correct path.

    A simpler method to generate this policy would be to set up sshd_t as a permissive domain.

    semanage permissive -a sshd_t
    Then run your test. Then you can generate your rules off of all of the AVCs generated.
    Finally you can turn off the permissive by executing
    semanage permissive -d sshd_t

  2. Thanks, Dan, for your note. Yes, that worked.

    The home directory of nx is /var/lib/nxserver/home, so I ran:

    restorecon -R -v /var/lib/nxserver

    and that solved the selinux issue. 🙂
