VNC server won't start on AlmaLinux/CentOS 8
I could not get tigervnc to start on my AlmaLinux 8 machine. We have SELinux enabled and our home directories are automounted NFS shares (configured by IPA).
I see errors in my /var/log/audit/audit.log for vncserver accessing our home directories.
Solution 1:
It turns out that at least up to NFSv4.1, NFS does not have full support for SELinux contexts; you can only set the context per-mount, not per-file/directory.
So first we need to allow vncserver access to NFS home directories. This has been fixed upstream in tigervnc v1.12. If that isn't available for the OS, we can just pull the new SELinux configuration from upstream and install it on our system. This has been documented here: https://github.com/TigerVNC/tigervnc/issues/1189. Here are the important steps:
- Obtain and extract the tigervnc v1.12 sources
- Go to <tigervnc source>/unix/vncserver/selinux
- Generate the new SELinux policy file (vncserver.pp) by running "make vncserver.pp"
- Tell SELinux that we're using NFS home directories by running "setsebool -P use_nfs_home_dirs on". The -P option makes it permanent.
- Install the new SELinux policy: "semodule -X 300 -i vncsession.pp"
The next issue we run into is that vncserver isn't waiting for our NFS mount. Many guides will tell you to add the "After=remote-fs.target" or "After=home.mount" or "RequiresMountsFor=/home". However, this does not work with filesystems mounted by autofs (at least, it didn't for me).
Instead, we need to wait for autofs to come up. Add "After=autofs.target" to the [Unit] section of your [email protected] file. For me it was located at /usr/lib/systemd/system/[email protected]. See: https://github.com/TigerVNC/tigervnc/issues/1284
At this point continue following your OS's documentation for configuring the VNC server.