https://bugzilla.suse.com/show_bug.cgi?id=1233738

Bug ID: 1233738
Summary: SELINUX prevents XRDP from working when in enforcing mode
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: jmscdba@gmail.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Hi Cathy,

In my test TW system that is using selinux I found that xrdp is not working. When you attempt to RDP, after entering your credentials a dialog is displayed which says the login is successful, but then it says:

VNC error - problem connecting
some problem
Error connecting to user session

If I run "setenforce 0" after booting then xrdp works fine.

If I watch the journal when selinux is enforcing I find:

xrdp-sesman[6092]: pam_unix(xrdp-sesman:session): session opened for user denise(uid=1001) by (uid=0)
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_open_session
xrdp-sesman[6149]: pam_kwallet5: final socket path: /run/user/1001/kwallet5.socket
xrdp-sesman[6150]: pam_kwallet5: could not execute kwalletd from /usr/bin/kwalletd6
xrdp-sesman[6092]: pam_systemd(xrdp-sesman:session): New sd-bus connection (system-bus-pam-systemd-6092) opened.
xrdp-sesman[6092]: pam_unix(xrdp-sesman:session): session closed for user denise
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_close_session
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:setcred): pam_kwallet5: pam_sm_setcred
systemd[1]: session-c7.scope: Deactivated successfully.
ausearch shows these denied messages:

ausearch -ts boot | grep -i denied
type=AVC msg=audit(1732232293.658:185): avc: denied { transition } for pid=2613 comm="xrdp-sesman" path="/usr/bin/kwalletd6" dev="sda2" ino=1779042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232293.658:188): avc: denied { transition } for pid=2616 comm="xrdp-sesman" path="/usr/bin/bash" dev="sda2" ino=1719714 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232303.435:189): avc: denied { transition } for pid=2621 comm="xrdp-sesman" path="/usr/sbin/xrdp-chansrv" dev="sda2" ino=1455897 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

I'm still getting up to speed with selinux, but it seems to me that when xrdp tries to launch /usr/bin/xrdp-chansrv it is denied because there is no selinux policy to allow it. However, I thought when TARGETED mode was used then selinux would have allowed it? Or does the package need to be updated to include a policy to allow xrdp so that it works in enforcing mode?
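
An added example, not part of the original report: a small parser for the AVC records quoted above that groups denials by source type, target type, class and permission, showing that all three are the same denied domain transition. The function names `parse_avc` and `group_denials` are hypothetical; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# AVC records copied from the ausearch output quoted in the report.
SAMPLE = """\
type=AVC msg=audit(1732232293.658:185): avc: denied { transition } for pid=2613 comm="xrdp-sesman" path="/usr/bin/kwalletd6" dev="sda2" ino=1779042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232293.658:188): avc: denied { transition } for pid=2616 comm="xrdp-sesman" path="/usr/bin/bash" dev="sda2" ino=1719714 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232303.435:189): avc: denied { transition } for pid=2621 comm="xrdp-sesman" path="/usr/sbin/xrdp-chansrv" dev="sda2" ino=1455897 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None  # truncated or malformed record
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def group_denials(text):
    """Map (source type, target type, class, permission) -> list of object paths."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec.get("tclass", "?"), perm)
            groups[key].append(rec.get("path", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (stype, ttype, tclass, perm), paths in group_denials(SAMPLE).items():
        print(f"{stype} -> {ttype} : {tclass} {{ {perm} }} x{len(paths)}")
        for path in paths:
            print("    " + path)
```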