After updating net-misc/tigervnc to version 1.11.0-r1 I can't start vncserver anymore. Turned out, vncserver binary was not built. Downgrade to version 1.9.0-r1 helped.
Reproducible: Always
The last thing I need on remote machine with restricted access is a broken VNC server...
Portage 3.0.4 (python 3.7.9-final-0, default/linux/arm64/17.0/desktop, gcc-9.3.0, glibc-2.31-r6, 4.4.38-tegra aarch64)
Thank you for the report. We need to have all information at hand before ticket assignment. That is why I ask you to
* attach the logs as described on https://wiki.gentoo.org/wiki/Attach_the_logs_to_the_bug_ticket
Please reopen this ticket (Status:UNCONFIRMED) afterwards.
I need your help here. Please instruct me how can I obtain a log from a build that does not fail.
Created attachment 663613 [details]
Build logs, as requested
Ok, I've managed to preserve build logs for both versions (with and without bin/vncserver built).
The vncserver binary is being built, but its install location has changed from /usr/bin to /usr/libexec. Looks like the intention is that it should be started through an additional wrapper named vncsession.
(In reply to Ulrich Müller from comment #4)
> [...] vncserver binary [...]
It is a Perl script, in fact.
Thanks for your analysis. The trouble is, this is not-systemd host, hence /etc/init.d/tigervnc script must be updated, it still refers to vncserver executable.
(In reply to Paul Osmialowski from comment #6)
> The trouble is, this is not-systemd host, hence /etc/init.d/tigervnc script
> must be updated, it still refers to vncserver executable.
Yes, I am aware. Simply replacing vncserver by vncsession in the init script won't work though, because vncsession has different arguments. It also must be run as root (while vncserver had to be started under the user's account) because it switches to the user itself. All in all I think the init script will become much simpler because the "su" logic can be dropped. However, I am not the maintainer, and I don't use tigervnc as a server. So I am not the right person to test this. I wonder, should we package mask 1.11.0 until this issue will be fixed?
@jer: Any comment? You have bumped the package to 1.11.0.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceb78937c6177d52ebf8628eb1cf85a6e6e28b74
commit ceb78937c6177d52ebf8628eb1cf85a6e6e28b74
Author: Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2020-10-04 07:24:05 +0000
Commit: Ulrich Müller <ulm@gentoo.org>
CommitDate: 2020-10-04 07:24:05 +0000
    profiles: Package mask >=net-misc/tigervnc-1.11.0, bug 746227.
    Bug: https://bugs.gentoo.org/746227
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>
 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
This needs to be resolved, currently users are forced to downgrade to 1.9.0 which is unsecure
(In reply to Ulrich Müller from comment #8)
> @jer: Any comment? You have bumped the package to 1.11.0.
@ulm, mind just masking the server USE flag instead of the whole pkg?
(In reply to Joakim Tjernlund from comment #11)
> @ulm, mind just masking the server USE flag instead of the whole pkg?
Then users would get the new version but with server disabled, potentially locking them out of their system. I think that's not an option.
(In reply to Joakim Tjernlund from comment #10)
> This needs to be resolved, currently users are forced to downgrade to 1.9.0
> which is unsecure
Is that vulnerability in the client or server code?
(In reply to Ulrich Müller from comment #12)
> (In reply to Joakim Tjernlund from comment #11)
> > @ulm, mind just masking the server USE flag instead of the whole pkg?
>
> Then users would get the new version but with server disabled, potentially
> locking them out of their system. I think that's not an option.
>
>
> (In reply to Joakim Tjernlund from comment #10)
> > This needs to be resolved, currently users are forced to downgrade to 1.9.0
> > which is unsecure
>
> Is that vulnerability in the client or server code?
version 1.10.1 says:
This is a security release to fix a number of issues that were found by Kaspersky Lab. These issues affect both the client and server and could theoretically allow a malicious peer to take control over the software on the other side. No working exploit is known at this time, and the issues require the peer to first be authenticated. We still urge users to upgrade when possible.
Hm, copying tigervnc-1.9.0-r1.ebuild to tigervnc-1.10.1.ebuild would be a quick workaround. I had to remove ${PN}-1.9.0-030_manpages.patch from PATCHES, otherwise it builds and installs just fine. @Joakim Tjernlund: Would that be feasible as a stop-gap measure, until we get a real fix for 1.11? Could you test if 1.10.1 works at runtime?
(In reply to Ulrich Müller from comment #14)
> Hm, copying tigervnc-1.9.0-r1.ebuild to tigervnc-1.10.1.ebuild would be a
> quick workaround. I had to remove ${PN}-1.9.0-030_manpages.patch from
> PATCHES, otherwise it builds and installs just fine.
>
> @Joakim Tjernlund: Would that be feasible as a stop-gap measure, until we
> get a real fix for 1.11? Could you test if 1.10.1 works at runtime?
Not really as I don't use the server/client at all, just the xorg module
Created attachment 676600 [details, diff]
Bypass Xsession script from vncserver perl script
Starting from version 1.11 the xstartup script is no more used and the windows manager is selected between /usr/share/xsessions/*.desktop files (it can be forced with property "session" in the configuration file, ex. session=plasma). Looking how it works on fedora, the server is then started with a command like:
xinit /etc/X11/xinit/Xsession /usr/bin/startplasma-x11 -- /usr/bin/Xvnc :1 ...
but gentoo script Xsession (/etc/X11/Sessions/Xsession) does not take care of additional argument (except when it is "failsafe"), so it is not suitable to be used in this way. With this patch the vncserver script will use directly the command found into *.desktop file, hoping that it works for any possible .desktop file that can be found there (I have tested it only with plasma)
Created attachment 676603 [details, diff]
use vncsession to start the server
The patch will modify the init script to use the new tool vncsession to start the service. When the service is stopped, the command started with xinit (in my test /usr/bin/startplasma-x11) is still running, but it was the same with the old version (1.9.0)
As per the changelog:
Support for building Xvnc/libvnc.so with Xorg 1.20.7+ and deprecate support for Xorg older than 1.16
the xorg-server version can be updated
Thank you for the patches. We would need a copyright signoff for them: https://www.gentoo.org/glep/glep-0076.html#certificate-of-origin (In reply to Roberto Castagnola from comment #16) > Created attachment 676600 [details, diff] [details, diff] > Bypass Xsession script from vncserver perl script > --- a/unix/vncserver/tigervnc.pam 2020-09-08 14:16:08.000000000 +0200 > +++ b/unix/vncserver/tigervnc.pam 2020-12-03 21:28:34.100507590 +0100 > @@ -1,8 +1,8 @@ > #%PAM-1.0 > # pam_selinux.so close should be the first session rule > --session required pam_selinux.so close > +-session optional pam_selinux.so close > session required pam_loginuid.so > --session required pam_selinux.so open > +-session optional pam_selinux.so open What is the purpose of the two changes from "required" to "optional"?
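Review bot: In the tigervnc.pam hunk, both pam_selinux.so session rules (close and open) go from required to optional unconditionally, so on a host where pam_selinux.so is installed and fails, the session would still be opened without the SELinux context setup. If the goal is only to tolerate hosts without SELinux, consider keeping the control as required and dropping the two pam_selinux.so lines at build time when SELinux support is disabled, and state the reason for the change in the patch description.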
(In reply to Ulrich Müller from comment #19) > Thank you for the patches. We would need a copyright signoff for them: > https://www.gentoo.org/glep/glep-0076.html#certificate-of-origin > > (In reply to Roberto Castagnola from comment #16) > > Created attachment 676600 [details, diff] [details, diff] [details, diff] > > Bypass Xsession script from vncserver perl script > > > --- a/unix/vncserver/tigervnc.pam 2020-09-08 14:16:08.000000000 +0200 > > +++ b/unix/vncserver/tigervnc.pam 2020-12-03 21:28:34.100507590 +0100 > > @@ -1,8 +1,8 @@ > > #%PAM-1.0 > > # pam_selinux.so close should be the first session rule > > --session required pam_selinux.so close > > +-session optional pam_selinux.so close > > session required pam_loginuid.so > > --session required pam_selinux.so open > > +-session optional pam_selinux.so open > > What is the purpose of the two changes from "required" to "optional"? It avoids vncsession to fail if selinux is not installed.
(In reply to Ulrich Müller from comment #19) > Thank you for the patches. We would need a copyright signoff for them: > https://www.gentoo.org/glep/glep-0076.html#certificate-of-origin Sorry but the link refers to commits, so I cannot figure how it should be applied to an attached proposed patch; could you give me an hint?
(In reply to Roberto Castagnola from comment #20) > > > --session required pam_selinux.so open > > > +-session optional pam_selinux.so open > > > > What is the purpose of the two changes from "required" to "optional"? > > It avoids vncsession to fail if selinux is not installed. IIUC that's what the minus sign at the beginning of the line is for. But I've asked our PAM expert in IRC; waiting for an answer here. (In reply to Roberto Castagnola from comment #21) > (In reply to Ulrich Müller from comment #19) > > Thank you for the patches. We would need a copyright signoff for them: > > https://www.gentoo.org/glep/glep-0076.html#certificate-of-origin > > Sorry but the link refers to commits, so I cannot figure how it should be > applied to an attached proposed patch; could you give me an hint? You can simply post the Signed-off-by line as a comment to this bug.
Looks like a few of these things come from redhat where SELinux is always enabled, we have SELinux optional in gentoo and the policies are handled quite differently.
The gentoo policies don't have anything for vncserver so tigervnc should not be built with any selinux stuff.
pam_selinux is definitely required to login on an selinux-enforcing system so the line should either be "required" or completely not there. pambase handles this in /etc/pam.d/system-login. The best course of action for this package would be to use pamd_mimic from pam.eclass to include system-remote-login which includes system-login.
dropbear has this line:
pamd_mimic system-remote-login dropbear auth account password session
I don't know if tigervnc should have all or only session, but probably all won't hurt
(In reply to Ulrich Müller from comment #22)
> You can simply post the Signed-off-by line as a comment to this bug.
Signed-off-by: Roberto Castagnola <roberto.castagnola@gmail.com>
(In reply to Jason Zaman from comment #23)
> Looks like a few of these things come from redhat where SELinux is always
> enabled, we have SELinux optional in gentoo and the policies are handled
> quite differently.
>
> The gentoo policies don't have anything for vncserver so tigervnc should not
> be built with any selinux stuff.
>
> pam_selinux is definitely required to login on an selinux-enforcing system
> so the line should either be "required" or completely not there.
Maybe the selinux use flag can be added to manage this: if not enabled, lines with pam_selinux could be removed by ebuild, otherwise they can be kept as is. In the latter case selinux policies should be created for tigervnc as well. I know almost nothing of selinux policies, but I can find them in the source code (tigervnc-1.11.0/unix/vncserver/selinux/), so maybe they can be used for gentoo system as well.
I looked on Xsession script provided by few display manager (xdm, sddm, ...) and I have come to the conclusion that it is better to patch Xsession script provided by xinit package instead of bypass it. A bug was already opened in the past for it (bug #301051)
Solved as a temporary workaround for my headless vnc configuration by copying /usr/bin/vncserver script from version 1.9.0-r2. I didn't change anything else. I think it's not a solution, but as a temporary workaround in case if somebody needs new version.
Is there any need to still mask 1.11.0 with the patch applied? Do we know the correct PAM configuration now? Currently this blocks upgrades of xorg-server:
WARNING: One or more updates/rebuilds have been skipped due to a dependency conflict:
x11-base/xorg-server:0
  (x11-base/xorg-server-21.1.1-r2:0/21.1.1::gentoo, ebuild scheduled for merge) USE="elogind udev xorg xvfb -debug -doc -minimal (-selinux) -suid -systemd -test -unwind -xcsecurity -xephyr -xnest" ABI_X86="(64)" conflicts with
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-joystick-1.6.3:0/0::gentoo, installed) USE="" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-wacom-0.40.0:0/0::gentoo, installed) USE="-debug" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-video-intel-2.99.917_p20201215:0/0::gentoo, installed) USE="dri sna tools udev uxa xvmc -debug" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-libinput-1.2.0:0/0::gentoo, installed) USE="" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-void-1.4.1:0/0::gentoo, installed) USE="" ABI_X86="(64)"
                        ^^^^^^^^^^^
    x11-base/xorg-server:0/1.20.13= required by (x11-drivers/xf86-input-evdev-2.10.6:0/0::gentoo, installed) USE="" ABI_X86="(64)"
                        ^^^^^^^^^^^
    =x11-base/xorg-server-1.20* required by (net-misc/tigervnc-1.9.0-r2:0/0::gentoo, installed) USE="dri3 drm java nls opengl pam server xinerama xorgmodule -gnutls" ABI_X86="(64)"
    ^                     ^^^^^
What's still needed here, actually? Sorry if I missed anything...
Cheers, Alexander
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dc0ec55803692786e6538bca4a12b0102e775f3
commit 9dc0ec55803692786e6538bca4a12b0102e775f3
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-12-07 23:16:18 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-07 23:16:42 +0000
    net-misc/tigervnc: add 1.12.0 (still masked)
    Note that this doesn't yet fix the xsession handling stuff, but
    am looking to see what we can do about it.
    Bug: https://bugs.gentoo.org/746227
    Closes: https://bugs.gentoo.org/746359
    Closes: https://bugs.gentoo.org/746365
    Signed-off-by: Sam James <sam@gentoo.org>
 net-misc/tigervnc/Manifest | 1 +
 net-misc/tigervnc/tigervnc-1.12.0.ebuild | 184 +++++++++++++++++++++++++++++++
 net-misc/tigervnc/tigervnc-9999.ebuild | 9 +-
 3 files changed, 189 insertions(+), 5 deletions(-)
(In reply to Alexander Wessel from comment #28)
> Is there any need to still mask 1.11.0 with the patch applied? Do we know
> the correct PAM configuration now?
>
So, I don't think anybody applied the xsession patches. Roberto posted some patches but then decided it'd be a better idea to fix the xinit packages instead.
>
> What's still needed here, actually? Sorry if I missed anything...
>
I think we have two options:
1. try apply / rebase Roberto's patches;
2. wait for the xinit patches to be applied.
I don't use TigerVNC (or VNC at all much at the moment) so I'm a bit stuck on what to do given I'm not really familiar with this.
(In reply to Larry the Git Cow from comment #29)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=9dc0ec55803692786e6538bca4a12b0102e775f3
>
> commit 9dc0ec55803692786e6538bca4a12b0102e775f3
> Author: Sam James <sam@gentoo.org>
> AuthorDate: 2021-12-07 23:16:18 +0000
> Commit: Sam James <sam@gentoo.org>
> CommitDate: 2021-12-07 23:16:42 +0000
>
> net-misc/tigervnc: add 1.12.0 (still masked)
>
> Note that this doesn't yet fix the xsession handling stuff, but
> am looking to see what we can do about it.
>
> Bug: https://bugs.gentoo.org/746227
> Closes: https://bugs.gentoo.org/746359
> Closes: https://bugs.gentoo.org/746365
> Signed-off-by: Sam James <sam@gentoo.org>
>
> net-misc/tigervnc/Manifest | 1 +
> net-misc/tigervnc/tigervnc-1.12.0.ebuild | 184
> +++++++++++++++++++++++++++++++
> net-misc/tigervnc/tigervnc-9999.ebuild | 9 +-
> 3 files changed, 189 insertions(+), 5 deletions(-)
In new ebuild there is:
eapply "${FILESDIR}"/xserver120.patch
Here you need use the 21.1.1 server patch that comes with tigervnc.
See https://github.com/TigerVNC/tigervnc/blob/master/unix/xserver21.1.1.patch
(In reply to Joakim Tjernlund from comment #31)
> (In reply to Larry the Git Cow from comment #29)
> > The bug has been referenced in the following commit(s):
> >
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=9dc0ec55803692786e6538bca4a12b0102e775f3
> >
> > commit 9dc0ec55803692786e6538bca4a12b0102e775f3
> > Author: Sam James <sam@gentoo.org>
> > AuthorDate: 2021-12-07 23:16:18 +0000
> > Commit: Sam James <sam@gentoo.org>
> > CommitDate: 2021-12-07 23:16:42 +0000
> >
> > net-misc/tigervnc: add 1.12.0 (still masked)
> >
> > Note that this doesn't yet fix the xsession handling stuff, but
> > am looking to see what we can do about it.
> >
> > Bug: https://bugs.gentoo.org/746227
> > Closes: https://bugs.gentoo.org/746359
> > Closes: https://bugs.gentoo.org/746365
> > Signed-off-by: Sam James <sam@gentoo.org>
> >
> > net-misc/tigervnc/Manifest | 1 +
> > net-misc/tigervnc/tigervnc-1.12.0.ebuild | 184
> > +++++++++++++++++++++++++++++++
> > net-misc/tigervnc/tigervnc-9999.ebuild | 9 +-
> > 3 files changed, 189 insertions(+), 5 deletions(-)
>
> In new ebuild there is:
> eapply "${FILESDIR}"/xserver120.patch
> Here you need use the 21.1.1 server patch that comes with tigervnc.
> See https://github.com/TigerVNC/tigervnc/blob/master/unix/xserver21.1.1.patch
I forgot, you need two patches as well:
https://github.com/TigerVNC/tigervnc/commit/736b50d04e1ba965696cd15d456dc2b7fc123150
and
https://github.com/TigerVNC/tigervnc/commit/f2577107f7f55382c524d8c738a777e5cdd80f60
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14e8c0f75ccd89f10dca5f83b3991c3bab5c7523
commit 14e8c0f75ccd89f10dca5f83b3991c3bab5c7523
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-12-07 23:44:49 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-12-07 23:45:29 +0000
    net-misc/tigervnc: fix 1.12.0 for xorg 1.21.1
    Add additional patches and apply the right one in the source tree too.
    Bug: https://bugs.gentoo.org/746227
    Thanks-to: Joakim Tjernlund <joakim.tjernlund@infinera.com>
    Signed-off-by: Sam James <sam@gentoo.org>
 net-misc/tigervnc/Manifest | 1 +
 .../tigervnc/files/tigervnc-1.12.0-xorg-1.21.patch | 55 ++++++++++++++++++++++
 ...vnc-1.12.0.ebuild => tigervnc-1.12.0-r1.ebuild} | 15 +++---
 3 files changed, 65 insertions(+), 6 deletions(-)
(In reply to Larry the Git Cow from comment #33)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=14e8c0f75ccd89f10dca5f83b3991c3bab5c7523
>
> commit 14e8c0f75ccd89f10dca5f83b3991c3bab5c7523
> Author: Sam James <sam@gentoo.org>
> AuthorDate: 2021-12-07 23:44:49 +0000
> Commit: Sam James <sam@gentoo.org>
> CommitDate: 2021-12-07 23:45:29 +0000
>
> net-misc/tigervnc: fix 1.12.0 for xorg 1.21.1
>
> Add additional patches and apply the right one in the source tree too.
>
> Bug: https://bugs.gentoo.org/746227
> Thanks-to: Joakim Tjernlund <joakim.tjernlund@infinera.com>
> Signed-off-by: Sam James <sam@gentoo.org>
>
> net-misc/tigervnc/Manifest | 1 +
> .../tigervnc/files/tigervnc-1.12.0-xorg-1.21.patch | 55
> ++++++++++++++++++++++
> ...vnc-1.12.0.ebuild => tigervnc-1.12.0-r1.ebuild} | 15 +++---
> 3 files changed, 65 insertions(+), 6 deletions(-)
Noticed you patched away Present deps in tigervnc. If that does not work out you can just configure xorg-server with present. Then it builds without patching away present
What is current state of this bug? I vote to solve it.
(In reply to Reva Denis from comment #35)
> What is current state of this bug? I vote to solve it.
I explained a few days ago: https://bugs.gentoo.org/746227#c30. It's not a matter of votes or more people wanting it fixed: I don't really know much about this area and I need somebody who does (possibly a user!) to assist.
| I don't really know much about this area and I need somebody who does (possibly a user!) to assist.
Well, I'm having one ARM64 Gentoo box which I mostly access remotely, also using VNC. I could possibly use it for testing. Currently it has the following installed:
[ebuild R ~] x11-base/xorg-server-21.1.1-r2:0/21.1.1::gentoo USE="elogind udev unwind xephyr xnest xorg xvfb -debug -doc -minimal (-selinux) -suid -systemd -test -xcsecurity" 0 KiB
[ebuild R ~] net-misc/tigervnc-1.9.0-r2::gentoo USE="dri3 drm gnutls java nls opengl pam server -xinerama -xorgmodule" 0 KiB
Do you have a specific scenario I could test on it?
Now that xorg-server-21.1.3 is stable one need >=tigervnc-1.12.0-r1 to use the xorg vnc module
Just tried to install on my second machine (main machine is still on 1.9 version) using the 1.12.0-r1 version. Compiled fine but startup of server fails with "Failure daemonizing" in daemon.log. In auth.log it shows:
Jan 26 11:39:41 machinename vncsession[10736]: pam_unix(tigervnc:session): session opened for user Username(uid=1000) by (uid=0)
Jan 26 11:39:41 machinename vncsession[10736]: pam_open_session failed: 28 (Module is unknown)
If wanted I can supply an strace or execute other tests?
Hi, I found a few minutes to dig deeper (no final success/understanding yet). After removing the pam_selinux.so related lines in /etc/pam.d/tigervnc it tries to start. My interpretation is that it would only work if the mentioned .so files are present. Which I guess depends on pam having the "selinux" use flag. I was then able to launch a second xserver for vnc by manually invoking
"xinit /usr/bin/fluxbox -- /usr/bin/Xvnc :1 -rfbauth /home/myuser/.vnc/passwd"
If I understand the discussion here the skipped "/etc/X11/xinit/Xsession" is what is not updated yet to pass the arguments (in my case fluxbox) and therefore it can not be fixed easily. What also confuses me is the statement in their Howto (https://github.com/TigerVNC/tigervnc/blob/master/unix/vncserver/HOWTO.md) "You will not be able to start a TigerVNC server for a user who is already logged into a graphical session". Why would it not just run an additional instance (as in my example, is this a limitation on xsession handling). Don't want to spam or confuse. But if I can help further by testing I'll try to support.
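Added example (not part of any comment in this bug, and not Gentoo or TigerVNC code): a shell function that lists the rules of a PAM service file whose module is not installed, which is the condition behind the "pam_open_session failed: 28 (Module is unknown)" line reported above. The module directory is an argument because its location differs between systems; the sample service file is constructed from the tigervnc.pam lines quoted in this bug plus two constructed rules.

```shell
#!/bin/sh
# Added example: report PAM rules that reference a module file that is absent.

# pam_missing_modules SERVICE_FILE MODULE_DIR
# Prints "<line> <type> <control> <module>" for every rule whose module
# cannot be found. The leading "-" on a type is kept in the output;
# pam.conf(5) documents it as suppressing the log entry for a missing module.
# Assumption: rules are not continued across lines with a backslash.
pam_missing_modules() {
    svc=$1
    moddir=$2
    tab=$(printf '\t')
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            type = $1
            i = 2
            control = $i
            # A bracketed control such as [success=ok default=ignore]
            # spans several whitespace-separated fields.
            if (control ~ /^\[/)
                while (control !~ /\]$/ && i < NF) { i++; control = control " " $i }
            # include/substack name another service file, not a module.
            if (control == "include" || control == "substack") next
            module = $(i + 1)
            if (module == "") next
            printf "%d\t%s\t%s\t%s\n", NR, type, control, module
        }
    ' "$svc" |
    while IFS=$tab read -r lineno type control module; do
        case $module in
            /*) path=$module ;;                  # absolute module path
            *)  path=$moddir/$module ;;          # relative to the module dir
        esac
        [ -e "$path" ] || printf '%s %s %s %s\n' "$lineno" "$type" "$control" "$module"
    done
}

# Constructed fixture: a module directory without pam_selinux.so and a
# service file modelled on the lines quoted in this bug.
pam_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/security"
    : > "$tmp/security/pam_loginuid.so"
    : > "$tmp/security/pam_unix.so"
    cat > "$tmp/tigervnc" <<'EOF'
#%PAM-1.0
# pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
session required pam_loginuid.so
-session required pam_selinux.so open
session [success=ok default=ignore] pam_unix.so
session include system-login
EOF
    pam_missing_modules "$tmp/tigervnc" "$tmp/security"
    rm -rf "$tmp"
}

pam_demo
```

On a real host the call would be `pam_missing_modules /etc/pam.d/tigervnc DIR`, with DIR set to wherever that system installs its PAM modules.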
Created attachment 765203 [details] New ebuild
Created attachment 765204 [details, diff] Patch
Created attachment 765205 [details, diff] Patch
Created attachment 765206 [details, diff] Patch
Created attachment 765207 [details] Config
Created attachment 765208 [details] init
I've reviewed the posts above and archlinux bug https://bugs.archlinux.org/task/67869. Unlike most distributions, every Gentoo install is different, with many different display managers. So my feeling is that the Xsession file used by tigervnc must be configurable. So expanding on the patches by Roberto Castagnola, adding an Xsession file choice to /etc/conf.d/tigervnc, adding the use flag selinux to the ebuild and further patches to get it working. As sddm is used on all my systems, so far I have only tested with the sddm Xsession file. The above attachments provide all the changes required. Regards Norman Back
I have now checked that the Xsession files for ebuilds:
x11-misc/sddm-0.18.1-r5
x11-misc/lightdm-1.30.0-r2
lxde-base/lxdm-0.5.3-r3
x11-apps/xdm-1.1.12-r1
work OK. However x11-misc/wdm-1.28-r8 fails. I also attempted to check gnome-base/gdm-40.1 but failed to compile some dependencies.
By using ebuild install on gnome-base/gdm-40.1 and manually copying the Xsession file into /etc/gdm, I have now checked that the gdm Xsession file also works OK.
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=caf073483a915d187c7c9b76678425006bdf0873
commit caf073483a915d187c7c9b76678425006bdf0873
Author: Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-02-20 08:17:45 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-03-18 18:52:05 +0000
    profiles/package.mask: unmask tigervnc 1.11+
    Closes: https://bugs.gentoo.org/746227
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/24252
    Signed-off-by: Sam James <sam@gentoo.org>
 profiles/package.mask | 5 -----
 1 file changed, 5 deletions(-)
Additionally, it has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0660ebeeddda8fb14f5f34f40d467b6e6f288d1
commit c0660ebeeddda8fb14f5f34f40d467b6e6f288d1
Author: Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-02-18 17:38:03 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2022-03-18 18:51:58 +0000
    net-misc/tigervnc: fix start server with openrc
    Add support to override the default Xsession file
    Bug: https://bugs.gentoo.org/746227
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>
 .../files/tigervnc-1.12.0-xsession-path.patch | 28 +++
 net-misc/tigervnc/files/tigervnc-1.12.0.confd | 15 ++
 net-misc/tigervnc/files/tigervnc-1.12.0.initd | 75 ++++++++
 net-misc/tigervnc/tigervnc-1.12.0-r2.ebuild | 201 +++++++++++++++++++++
 4 files changed, 319 insertions(+)
Big thanks to Anarchy for testing.
(In reply to Sam James from comment #51)
> Big thanks to Anarchy for testing.
(and ceamac for doing the work!)