Bug ID 1233738
Summary SELINUX prevents XRDP from working when in enforcing mode
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware x86-64
OS openSUSE Tumbleweed
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter jmscdba@gmail.com
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

Hi Cathy,

In my test TW system that is using selinux, I found that xrdp is not working.

When you attempt to RDP, after entering your credentials a dialog is displayed
which says the login is successful, but then it says:

VNC error - problem connecting 
some problem
Error conneting to user session



If I run "setenforce 0" after booting then xrdp works fine.



If I watch the journal when selinux is enforcing I find:

xrdp-sesman[6092]: pam_unix(xrdp-sesman:session): session opened for user denise(uid=1001) by (uid=0)
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_open_session
xrdp-sesman[6149]: pam_kwallet5: final socket path: /run/user/1001/kwallet5.socket
xrdp-sesman[6150]: pam_kwallet5: could not execute kwalletd from /usr/bin/kwalletd6
xrdp-sesman[6092]: pam_systemd(xrdp-sesman:session): New sd-bus connection (system-bus-pam-systemd-6092) opened.
xrdp-sesman[6092]: pam_unix(xrdp-sesman:session): session closed for user denise
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_close_session
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:setcred): pam_kwallet5: pam_sm_setcred
systemd[1]: session-c7.scope: Deactivated successfully.



ausearch shows these denied messages:

ausearch -ts boot | grep -i denied

type=AVC msg=audit(1732232293.658:185): avc:  denied  { transition } for  pid=2613 comm="xrdp-sesman" path="/usr/bin/kwalletd6" dev="sda2" ino=1779042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232293.658:188): avc:  denied  { transition } for  pid=2616 comm="xrdp-sesman" path="/usr/bin/bash" dev="sda2" ino=1719714 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232303.435:189): avc:  denied  { transition } for  pid=2621 comm="xrdp-sesman" path="/usr/sbin/xrdp-chansrv" dev="sda2" ino=1455897 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0


I'm still getting up to speed with selinux, but it seems to me that when xrdp tries
to launch /usr/bin/xrdp-chansrv it is denied because there is no selinux policy
to allow it. However, I thought that when TARGETED mode was used selinux would
have allowed it?


Or does the package need to be updated to include a policy to allow xrdp so
that it works in enforcing mode?
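The three AVC records quoted above can be read mechanically. The script below is an added example, not part of this bug report and not code from the xrdp, openSUSE or SELinux projects. It parses `type=AVC` lines in the shape ausearch prints, splits the `scontext`/`tcontext` values into their user:role:type components, and groups enforced denials by (source type, target type, object class, permission) so a triager sees at a glance that all three denials are the same event: a process running in unconfined_service_t being refused a process transition into unconfined_t while executing a binary. The sample input is constructed from the report's three records, re-joined onto one line each, plus one made-up SYSCALL line to show that non-AVC records are skipped.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the three AVC records from this bug report, re-joined onto
# one line each, plus one made-up SYSCALL record (not from the report) to show
# that lines which are not AVC records are ignored by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1732232293.658:185): avc:  denied  { transition } for  pid=2613 comm="xrdp-sesman" path="/usr/bin/kwalletd6" dev="sda2" ino=1779042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232293.658:188): avc:  denied  { transition } for  pid=2616 comm="xrdp-sesman" path="/usr/bin/bash" dev="sda2" ino=1719714 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232303.435:189): avc:  denied  { transition } for  pid=2621 comm="xrdp-sesman" path="/usr/sbin/xrdp-chansrv" dev="sda2" ino=1455897 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1732232293.658:185): arch=c000003e syscall=59 success=no exit=-13 comm="xrdp-sesman"
"""

# Shape of an AVC record:
#   type=AVC msg=audit(<secs>.<msecs>:<serial>): avc:  denied  { <perms> } for  <key=value ...>
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs: values are either "quoted" (comm, path, dev) or bare tokens
# (pid, ino, scontext, tcontext, tclass, permissive).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str                   # "denied" or "granted"
    permissions: tuple[str, ...]  # e.g. ("transition",)
    fields: dict[str, str]        # pid, comm, path, scontext, tcontext, tclass, ...

    def context_type(self, which: str) -> str:
        """Type component of an scontext/tcontext value (user:role:type[:level])."""
        return self.fields[which].split(":")[2]

    @property
    def enforced(self) -> bool:
        """permissive=0 means the kernel actually refused the operation."""
        return self.fields.get("permissive") == "0"


def parse_avc(line: str) -> AvcRecord | None:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        fields[key] = bare if bare else quoted
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        permissions=tuple(m.group("perms").split()),
        fields=fields,
    )


def describe(rec: AvcRecord) -> str:
    """Render one record as a sentence suitable for a triage note."""
    who = (f'{rec.fields.get("comm", "?")} (pid {rec.fields.get("pid", "?")}) '
           f'in {rec.context_type("scontext")}')
    if rec.fields.get("tclass") == "process" and "transition" in rec.permissions:
        # A process-class transition denial: the exec of `path` would have changed
        # the domain of the process from the source type to the target type.
        what = (f'transition to {rec.context_type("tcontext")} '
                f'while executing {rec.fields.get("path", "?")}')
    else:
        what = (f'{" ".join(rec.permissions)} on {rec.fields.get("tclass", "?")} '
                f'labelled {rec.context_type("tcontext")}')
    note = "" if rec.enforced else " [permissive: logged only]"
    return f"{who}: {rec.result} {what}{note}"


def summarise(lines) -> Counter:
    """Count enforced denials grouped by (source type, target type, class, perms)."""
    groups: Counter = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.result != "denied" or not rec.enforced:
            continue
        groups[(rec.context_type("scontext"), rec.context_type("tcontext"),
                rec.fields.get("tclass", "?"), " ".join(rec.permissions))] += 1
    return groups


if __name__ == "__main__":
    records = [r for r in map(parse_avc, SAMPLE_AUDIT.splitlines()) if r]
    for rec in records:
        print(describe(rec))
    for (src, tgt, cls, perms), n in summarise(SAMPLE_AUDIT.splitlines()).items():
        print(f"{n}x {src} -> {tgt} ({cls}: {perms})")
```

Run it with `ausearch -m AVC -ts boot | python3 avc_summary.py`-style piping by replacing `SAMPLE_AUDIT.splitlines()` with `sys.stdin`; the grouping key is deliberately the (source type, target type, class, permission) tuple, because that is the granularity at which a policy rule, or its absence, is expressed, so one group usually maps to one missing or mislabelled thing rather than to three separate problems.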