NoMachine Support

Your questions answered

Knowledge Base

Searching in: Articles & FAQs
Filter the search results
Applies to:
Last update:
Searching in: Articles & FAQs
ID: AR05D00389
Applies to: NX Server Products
Added on: 2006-05-06
Last update: 2019-04-12
How to configure SELinux to allow NX server operations

In order to determine if SELinux is preventing your NoMachine server from working, you should switch the SELinux mode from enforcing to permissive. The enforcing mode, which is the standard operating mode of SELinux, allows SELinux to enforce policy access decisions. The permissive mode still checks the security policy to see whether an attempted operation should be allowed, but logs denials to the system log, usually /var/log/ messages or /var/log/secure, and doesn't deny any operation.

To set the permissive mode, run

[root@machine ~]# setenforce 0

and verify the current SELinux mode is set to permissive:

[root@machine ~]# sestatus
SELinux status:            enabled
SELinuxfs mount:         /selinux
Current mode:             permissive
Mode from config file:   enforcing
Policy version:             20
Policy from config file:  targeted

Now you can start a NoMachine session, and if everything is working as expected, you can proceed with the analysis of the SELinux logs to check which of the NoMachine server operations would be denied by SELinux. Run, depending on your Linux version:

  tail -f /var/log/messages | grep avc 
 
  tail -f /var/log/audit/audit.log | grep avc

  tail -f /var/log/avc.log | grep avc

and perform some basic tests like starting, disconnecting, reconnecting and terminating a session. Launch the session via NoMachine Client running on a different machine to the NoMachine server host.

Once you have retrieved the SELinux log, you need to check all the denied items, for example:

[...] avc:  denied   run  for  pid=26878 exe=xauth [...]

and configure SELinux to allow the NoMachine server operations. See for example any of the following websites for more information on how to configure SELinux:

https://docs.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/index.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/sec-sel-policy-customizing#sec-sel-policy-customizing-modpolicy
 

Once you have configured SELinux to allow NoMachine server operations, you can switch the SELinux mode back to enforcing:

[root@machine ~]# setenforce 1