Jay ganatra

Reputation: 29

Issue with TigerVNC for Yocto-Based Linux with SELinux: PAM and SELinux Context Errors

I am running TigerVNC version 1.14.1 on a Yocto-based Linux system with SELinux enabled. The issue I’m facing is related to starting the VNC server service when SELinux policies are in place. Below is the configuration and steps I’ve followed:

  1. User Configuration: I have configured the vncserver.conf file as follows: 1:user1

  2. SELinux Policy: I am using the default vncsession SELinux policy module that I compiled successfully. Since I am not using GNOME, I removed GNOME-related lines from the .te file.

  3. Systemd and PAM Configuration: I am using the default tigervnc systemd service file and PAM configuration file provided by the TigerVNC package. No modifications were made to these files initially.

  4. Error Encountered: When I start the VNC server service using systemctl start vncserver@:1, I observe the following errors in the logs:

root@Test:/etc/pam.d# systemctl status vncserver@:1 -l
● vncserver@:1.service - Remote desktop service (VNC)
     Loaded: loaded (/usr/lib/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2025-01-17 16:53:37 UTC; 3s ago
    Process: 48507 ExecStart=/usr/libexec/vncsession-start :1 (code=exited, status=0/SUCCESS)
   Main PID: 48514 (vncsession)
      Tasks: 0 (limit: 4637)
     Memory: 468.0K
     CGroup: /system.slice/system-vncserver.slice/vncserver@:1.service
             ‣  48514 /usr/sbin/vncsession user1 :1

Jan 17 16:53:37 Test systemd[1]: Starting Remote desktop service (VNC)...
Jan 17 16:53:37 Test vncsession[48514]: pam_selinux(tigervnc:session): Unable to get valid context for user1
Jan 17 16:53:37 Test vncsession[48514]: pam_selinux(tigervnc:session): conversation failed
Jan 17 16:53:37 Test vncsession[48514]: pam_unix(tigervnc:session): session opened for user user1(uid=1001) by (uid=0)
Jan 17 16:53:37 Test systemd[1]: Started Remote desktop service (VNC).

The critical lines in the log are:

pam_selinux(tigervnc:session): Unable to get valid context for user1
pam_selinux(tigervnc:session): conversation failed

Despite these errors, the VNC server service starts, but there seems to be an issue with the SELinux context assignment during the PAM authentication process.

  1. Temporary Workaround: When I comment out the pam_systemd.so line in /etc/pam.d/tigervnc, the error is no longer observed, and the service starts cleanly without issues.

  2. Additional Information:

    • user1 is mapped to the SELinux context user_u.
    • The issue appears to be specific to the interaction between SELinux, PAM, and TigerVNC during the session initialization process.

Below is the default tigervnc.pam file:

#%PAM-1.0

# THIS IS AN EXAMPLE CONFIGURATION
# MODIFY AS NEEDED FOR YOUR DISTRIBUTION

# pam_selinux.so close should be the first session rule
-session   required     pam_selinux.so close
session    required     pam_loginuid.so
-session   required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
-session   optional     pam_systemd.so
session    required     pam_unix.so
-session   optional     pam_reauthorize.so prepare

Systemd service file:

[Unit]
Description=Remote desktop service (VNC)
After=network.target systemd-user-sessions.service

[Service]
Type=forking
ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
PIDFile=/run/vncsession-%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0

[Install]
WantedBy=multi-user.target

Could I be overlooking any steps in this process? Any guidance would be greatly appreciated.
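A diagnostic sketch added here, not code from the poster or the TigerVNC project: pam_selinux obtains the session context from the policy's contexts/default_contexts table, keyed by the calling process's role:type (here system_r:vnc_session_t from the unit's SELinuxContext=) and limited to contexts the SELinux user may reach, so a missing row for that key is one way to end up with "Unable to get valid context". The sample table, the role map and all names below are constructed, and the matching is deliberately simplified (MLS levels and the per-user contexts/users file are ignored).

```python
"""Simplified check of how pam_selinux derives a session context.

Each line of contexts/default_contexts is keyed by the calling process's
role:type(:level); the remaining fields are candidate role:type:level
contexts in order of preference.  A candidate is usable only if the SELinux
user may hold its role.  This mimics the lookup for diagnosis; it is not
libselinux (levels and contexts/users/<seuser> are ignored here).
"""

# Constructed sample table; note there is no row for system_r:vnc_session_t.
SAMPLE_DEFAULT_CONTEXTS = """\
system_r:sshd_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0   user_r:user_t:s0 staff_r:staff_t:s0
# system_r:vnc_session_t:s0 is intentionally absent in this sample
"""

# Roles each SELinux user may hold (what `semanage user -l` lists); constructed.
SEUSER_ROLES = {"user_u": {"user_r"}, "staff_u": {"staff_r", "sysadm_r"}}


def parse_default_contexts(text):
    """Map (role, type) of the caller to its ordered candidate list."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, *candidates = line.split()
        role, typ = key.split(":")[:2]          # level ignored (simplification)
        table[(role, typ)] = candidates
    return table


def default_context(table, caller_context, seuser, seuser_roles=SEUSER_ROLES):
    """First usable candidate as user:role:type:level, or None on failure.

    None is the situation where pam_selinux logs 'Unable to get valid
    context' for the user.
    """
    _user, role, typ = caller_context.split(":")[:3]
    allowed = seuser_roles.get(seuser, set())
    for cand in table.get((role, typ), []):
        if cand.split(":")[0] in allowed:
            return f"{seuser}:{cand}"
    return None


if __name__ == "__main__":
    table = parse_default_contexts(SAMPLE_DEFAULT_CONTEXTS)
    for caller in ("system_u:system_r:vnc_session_t:s0", "system_u:system_r:sshd_t:s0"):
        print(caller, "->", default_context(table, caller, "user_u"))
```

Running it against the real table (/etc/selinux/<policy>/contexts/default_contexts) and the real `semanage user -l` output shows whether a row for the service's role:type exists and whether user_u can reach any candidate on it.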

Upvotes: 0

Views: 61

Answers (0)
