21 September 2020

Fedora has been our operating system of choice. We have been maintaining an reusing systems over many years. This recently led to an issue with Tiger VNC. Tiger VNC would no longer start on workstation boot. This occurred after a DNF update. After investigation two issues were found. The first is that there wasn’t a user defined in a Tiger VNC configuration file. Note that Tiger VNC was working fine without this prior to the update. The second issue was caused by a conflict with SELinux and the systemd start script.

Lets demonstrate how to tell if you have the first issue. We will attempt to start the VNC service and check its status. If it tells us that there isn’t a user configured for display :1, we have the first issue.

No user configured example.
$ sudo systemctl start vncserver@:1
Job for vncserver@:1.service failed because the control process exited with error code.
See "systemctl status vncserver@:1.service" and "journalctl -xe" for details.
$ sudo systemctl status vncserver@:1
? vncserver@:1.service - Remote desktop service (VNC)
     Loaded: loaded (/usr/lib/systemd/system/vncserver@.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Mon 2020-09-21 10:10:24 EDT; 11s ago
    Process: 3537 ExecStart=/usr/libexec/vncsession-start :1 (code=exited, status=1/FAILURE)
        CPU: 6ms

Sep 21 10:10:24  systemd[1]: Starting Remote desktop service (VNC)...
Sep 21 10:10:24  vncsession-start[3537]: No user configured for display :1
Sep 21 10:10:24  systemd[1]: vncserver@:1.service: Control process exited, code=exited, status=1/FAILURE
Sep 21 10:10:24  systemd[1]: vncserver@:1.service: Failed with result 'exit-code'.
Sep 21 10:10:24  systemd[1]: Failed to start Remote desktop service (VNC).

To resolve the issue we simply edit /etc/tigervnc/vncserver.users. You should replace "username" with your Linux user name.

# TigerVNC User assignment
# This file assigns users to specific VNC display numbers.
# The syntax is <display>=<username>. E.g.:
# :2=andrew
# :3=lisa

If you are having issues with SELinux it still won’t start. So let’s demonstrate how to tell if you are having SELinux issues. If we have an issue there will be an AVC message telling us SELinux denied access to some resource.

Check for SELinux issues
$ sudo systemctl start vncserver@:1
$ sudo ausearch -m avc -ts recent
time->Wed Sep 16 12:18:50 2020
type=AVC msg=audit(1600273130.525:365): avc:  denied  { search } for  pid=1956 comm="vncsession" name=".vnc" dev="dm-2" ino=6030017 scontext=system_u:system_r:vnc_session_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0

I have found the SELinux basics simple to understand. This simplicity seems to disappear when trying to fix SELinux issues on a workstation. Fortunately there is a command we can use to fix problems without fully understanding the intricacies. Run the following command and it should reset the SELinux properties for .vnc in hour home directory.

Reset SELinux attributres on .vnc directory
$ cd ~
$ sudo restorecon -R .vnc

Now verify your Tiger VNC is working properly by running the following.

Verify Tiger VNC working
$ systemctl start vncserver@:1
$ systemctl status vncserver@:1

Less Is More ~ Older posts are available in the archive.