How to configure SELinux to allow NX server operations
To determine whether SELinux is preventing your NoMachine server from working, switch the SELinux mode from enforcing to permissive. Enforcing mode, which is the standard operating mode of SELinux, allows SELinux to enforce policy access decisions. Permissive mode still checks the security policy to see whether an attempted operation should be allowed, but it only logs denials to the system log, usually /var/log/messages or /var/log/secure, and doesn't deny any operation.
To set the permissive mode, run:
[root@machine ~]# setenforce 0
and verify the current SELinux mode is set to permissive:
[root@machine ~]# sestatus
SELinux status:           enabled
SELinuxfs mount:          /selinux
Current mode:             permissive
Mode from config file:    enforcing
Policy version:           20
Policy from config file:  targeted
Now you can start a NoMachine session, and if everything is working as expected, you can proceed with the analysis of the SELinux logs to check which of the NoMachine server operations would be denied by SELinux. Run, depending on your Linux version:
tail -f /var/log/messages | grep avc
tail -f /var/log/audit/audit.log | grep avc
tail -f /var/log/avc.log | grep avc
and perform some basic tests like starting, disconnecting, reconnecting and terminating a session. Launch the session via NoMachine Client running on a different machine to the NoMachine server host.
Once you have retrieved the SELinux log, you need to check all the denied items, for example:
[...] avc: denied run for pid=26878 exe=xauth [...]
and configure SELinux to allow the NoMachine server operations. See for example any of the following websites for more information on how to configure SELinux:
Once you have configured SELinux to allow NoMachine server operations, you can switch the SELinux mode back to enforcing:
[root@machine ~]# setenforce 1
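
For the log-review step above (checking all the denied items), the following added example, which is not part of the original NoMachine article, groups AVC denials by command, permission set, object class and source/target type so that each distinct denied operation is reviewed once. The sample log lines are constructed, and the names example_nx_t and nx_example are placeholders, not real NoMachine policy types or processes.

```shell
#!/bin/sh
# Added example: group AVC denials so each distinct operation is reviewed once.

# Constructed sample audit lines; "example_nx_t" and "nx_example" are placeholders.
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { execute } for  pid=26878 comm="xauth" name="xauth" dev="dm-0" ino=1201 scontext=system_u:system_r:example_nx_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000001.202:502): avc:  denied  { execute } for  pid=26901 comm="xauth" name="xauth" dev="dm-0" ino=1201 scontext=system_u:system_r:example_nx_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000002.303:503): avc:  denied  { read write } for  pid=26910 comm="nx_example" name="session" dev="dm-0" ino=1307 scontext=system_u:system_r:example_nx_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000002.303:503): arch=c000003e syscall=2 success=yes exit=3 comm="nx_example"
EOF
}

# summarize_avc FILE
# Prints one line per distinct denial: count comm {perms} tclass source_type -> target_type
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        comm = "?"; perms = "?"; tclass = "?"; src = "?"; tgt = "?"
        # The permission set sits between braces: denied { read write } for ...
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "tclass")   tclass = kv[2]
            # An SELinux context is user:role:type:level; the type is field 3.
            if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        }
        count[comm " {" perms "} " tclass " " src " -> " tgt]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Demonstration on the constructed sample; non-AVC records are ignored.
log=$(mktemp)
sample_avc_log > "$log"
summarize_avc "$log"
rm -f "$log"
```

On a real host, pass whichever of the log files listed above exists on your system, for example summarize_avc /var/log/audit/audit.log.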
