Tl-session: pam_open_session failed: 14 (Cannot make/remove an entry)

Thinlink was working fine on SuSe Leap 15. However when I moved to Suse Leap 16.1 it stopped working. I get the message “No agent server was available”

vsmagent.log

2026-06-13 16:03:33 INFO vsmagent: Got SIGTERM, signaling process to quit
2026-06-13 16:03:33 INFO vsmagent: Terminating. Have a nice day!
2026-06-13 18:00:29 INFO vsmagent: VSM Agent version 4.17.0 build 3647 started
2026-06-13 18:00:29 INFO vsmagent: My public hostname is xxxxx.net
2026-06-13 18:00:59 INFO vsmagent: Got SIGTERM, signaling process to quit
2026-06-13 18:00:59 INFO vsmagent: Terminating. Have a nice day!
2026-06-13 18:02:56 INFO vsmagent: VSM agent version 4.20.1 build 4529 started
2026-06-13 18:02:56 INFO vsmagent: My public hostname is rhodos.heron-arcturus.ts.net
2026-06-13 18:03:20 WARNING tl-session: pam_open_session failed: 14 (Cannot make/remove an entry for the specified session)
2026-06-13 18:25:31 WARNING tl-session: pam_open_session failed: 14 (Cannot make/remove an entry for the specified session)
2026-06-13 22:50:49 WARNING tl-session: pam_open_session failed: 14 (Cannot make/remove an entry for the specified session)
2026-06-13 22:59:31 WARNING tl-session: pam_open_session failed: 14 (Cannot make/remove an entry for the specified session)
2026-06-13 23:11:03 WARNING tl-session: pam_open_session failed: 14 (Cannot make/remove an entry for the specified session)

/var/log/messages

2026-06-13T22:59:31.329501-04:00 rhodos tl-session: pam_warn(thinlinc:session): function=[pam_sm_open_session] flags=0x8000 service=[thinlinc] terminal=[/dev/thinlinc] user=[gkamendje] ruser=[<unknown>] rhost=[x.x.x.x]

sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

sudo getenforce
Permissive

From the logs I highly suspect this is PAM related but I have no clue what I should do next.

sysctl -a | grep audit reports nothing

/etc/pam.d/sshd and /etc/pam.d/thinlinc are both empty

There is no line containing session required pam_loginuid.so in /etc/pam.d/common-session

Hi @guytout,

It sounds like the following issue (see heading “Configuring and starting ThinLinc services and timers… failed”):

In short, SuSE moved the location of the PAM configuration files in SLE 16 to a non-standard location. Copying them back to /etc/pam.d should fix things.

@aaron Thanks for the hint. Unfortunately copying /usr/lib/pam.d/sshd back to /etc/pam.d did not fix the issue. In even re-installed Thinlinc could not help.

I am now getting the following messages in /var/log/vsmagent.log

tl-xinit: Unable to open xinit.log for writing: Permission denied
2026-06-15 19:42:03 WARNING tl-session: tl-xinit exited with status=1
tl-xinit: Unable to open xinit.log for writing: Permission denied
2026-06-15 19:46:25 WARNING tl-session: tl-xinit exited with status=1
tl-xinit: Unable to open xinit.log for writing: Permission denied
2026-06-15 19:57:23 WARNING tl-session: tl-xinit exited with status=1

I have checked and updated ownership and permissions of /var/opt/thinlinc/sessions/

Not sure what I should check anymore.

Does disabling selinux help?

sudo setenforce 0

Not that that’s the problem, but it might tell us where the issue lies.

@aaron yes sudo setenforce 0 does help. In permissive mode I am able to connect.

Nice! Then you should be able to do the following:

sudo restorecon -Rv /var/opt/thinlinc

And re-enable SELinux:

sudo setenforce 1

Hope that helps.

@aaron After running the commands you provided, the client get stucks in a loop with the message “connecting to graphical session”.

The server log reports the connection attempt

2026-06-17 07:14:51 INFO vsmserver.session: User with uid 1000 requested a reconnection to 127.0.0.1:11
2026-06-17 07:14:51 INFO vsmserver: Verifying session 127.0.0.1:11 for gkamendje
2026-06-17 07:14:51 INFO vsmserver: Session 127.0.0.1:11 for gkamendje is alive and ready for reconnection

However the agent log does not report any connection attempt. The content of the log is from 2 days ago.

2026-06-15 19:57:23 WARNING tl-session: tl-xinit exited with status=1
tl-xinit: Unable to open xinit.log for writing: Permission denied
2026-06-15 20:04:36 WARNING tl-session: tl-xinit exited with status=1
2026-06-15 21:36:35 INFO vsmagent.session: Verified connectivity to newly started Xvnc for gkamendje

Strange - it works with selinux disabled, though? Or you still get stuck at “connecting to graphical session”?

Is the system fully updated? There was a bug in the SLE 16 SELinux policy that was fixed in an update. It doesn’t give this exact error, but a similar one. So it might be the same underlying problem.

@aaron Yes it works when I am in Permissive mode

@CendioOssman I migrated from Suse Leap 15 to Suse Leap 16.1 10 days ago. Not sure if the lastest update was picked up by the migration process. Do you know which version of SELinux I should be looking at?

A zypper search reports the following on my side.

S  | Name                           | Type    | Version                              | Arch   | Repository
---+--------------------------------+---------+--------------------------------------+--------+----------------
   | cepces-selinux                 | package | 0.3.9-160099.2.5                     | noarch | repo-oss (16.1)
   | cockpit-selinux                | package | 360-160099.2.5                       | noarch | repo-oss (16.1)
   | cockpit-ws-selinux             | package | 360-160099.2.5                       | x86_64 | repo-oss (16.1)
i  | container-selinux              | package | 2.247.0-160099.1.12                  | noarch | repo-oss (16.1)
   | drbd-selinux                   | package | 9.29.0-160099.7.28                   | noarch | repo-oss (16.1)
i  | flatpak-selinux                | package | 1.16.6-160099.1.9                    | noarch | repo-oss (16.1)
   | forgejo-longterm-selinux       | package | 11.0.3-bp161.1.10                    | noarch | repo-oss (16.1)
   | k3s-selinux                    | package | 1.4.stable.1-160099.4.5              | noarch | repo-oss (16.1)
i  | libselinux-devel               | package | 3.10-160099.1.1                      | x86_64 | repo-oss (16.1)
   | libselinux-devel-static        | package | 3.10-160099.1.1                      | x86_64 | repo-oss (16.1)
i  | libselinux1                    | package | 3.10-160099.1.1                      | x86_64 | repo-oss (16.1)
   | libselinux1-32bit              | package | 3.10-160099.1.1                      | x86_64 | repo-oss (16.1)
   | passt-selinux                  | package | 20260120.386b5f5-160099.1.6          | noarch | repo-oss (16.1)
i+ | patterns-base-selinux          | package | 20241218-160099.20.1                 | x86_64 | repo-oss (16.1)
   | pcp-selinux                    | package | 6.3.8-160099.1.11                    | x86_64 | repo-oss (16.1)
i  | python313-selinux              | package | 3.10-160099.1.1                      | x86_64 | repo-oss (16.1)
   | ruby-selinux                   | package | 3.10-160099.1.1                      | x86_64 | repo-oss (16.1)
i+ | selinux                        | pattern | 20241218-160099.20.1                 | x86_64 | repo-oss (16.1)
i  | selinux-autorelabel            | package | 4.0+git23-160099.1.2                 | x86_64 | repo-oss (16.1)
i  | selinux-policy                 | package | 20250627+git580.4ae3e981a-160099.1.4 | noarch | repo-oss (16.1)
i+ | selinux-policy-devel           | package | 20250627+git580.4ae3e981a-160099.1.4 | noarch | repo-oss (16.1)
   | selinux-policy-doc             | package | 20250627+git580.4ae3e981a-160099.1.4 | noarch | repo-oss (16.1)
   | selinux-policy-minimum         | package | 20250627+git580.4ae3e981a-160099.1.4 | noarch | repo-oss (16.1)
   | selinux-policy-sandbox         | package | 20250627+git580.4ae3e981a-160099.1.4 | noarch | repo-oss (16.1)
   | selinux-policy-sapenablement   | package | 1-160099.6.2                         | noarch | repo-oss (16.1)
i  | selinux-policy-targeted        | package | 20250627+git580.4ae3e981a-160099.1.4 | noarch | repo-oss (16.1)
   | selinux-policy-targeted-gaming | package | 2-bp161.1.2                          | noarch | repo-oss (16.1)
   | selinux-targeted-setup         | package | 20201215-bp161.1.1                   | noarch | repo-oss (16.1)
i  | selinux-tools                  | package | 3.10-160099.1.1                      | x86_64 | repo-oss (16.1)
   | swtpm-selinux                  | package | 0.10.0-160099.2.42                   | noarch | repo-oss (16.1)
i  | tigervnc-selinux               | package | 1.16.0-160099.3.4                    | noarch | repo-oss (16.1)
   | tpm2.0-abrmd-selinux           | package | 3.0.0-160099.7.12                    | noarch | repo-oss (16.1)


Sorry, no, I don’t have a specific version number. The change was done in late March, though, so as long as the packages are newer than that.