[Bug 1233738] SELINUX prevents XRDP from working when in enforcing mode

https://bugzilla.suse.com/show_bug.cgi?id=1233738 https://bugzilla.suse.com/show_bug.cgi?id=1233738#c5 --- Comment #5 from Joe S <jmscdba@gmail.com> --- (In reply to Johannes Segitz from comment #4)

https://build.opensuse.org/package/show/home:jsegitz:branches:security: SELinux_bsc1233738_6/selinux-policy

will contain the fix (once it build)

Hi Johannes, Thanks for taking a look at this. Sorry for the delay, I have been sick in bed last few days. Here's the console log of trying to install the rpm --------------------------------------------------- zypper -v install /tmp/selinux-policy-20241118-308.1.noarch.rpm Verbosity: 2 Non-option program arguments: '/tmp/selinux-policy-20241118-308.1.noarch.rpm' '/tmp/selinux-policy-20241118-308.1.noarch.rpm' looks like an RPM file. Will try to download it. Initializing Target Checking whether to refresh metadata for google-chrome Retrieving: repomd.xml ...........................................................................................................................................................................................................................[done] Checking whether to refresh metadata for openSUSE-Tumbleweed-Non-Oss (20241119) Retrieving: repomd.xml ...............................................................................................................................................................................................................[done (1.1 KiB/s)] Checking whether to refresh metadata for Open H.264 Codec (openSUSE Tumbleweed) Retrieving: repomd.xml .................................................................................................................................................................................................................[done (242 B/s)] Checking whether to refresh metadata for openSUSE-Tumbleweed-Oss (20241119) Retrieving: repomd.xml ...............................................................................................................................................................................................................[done (1.1 KiB/s)] Checking whether to refresh metadata for openSUSE-Tumbleweed-Update Retrieving: repomd.xml ...............................................................................................................................................................................................................[done (1.1 KiB/s)] Checking whether to refresh metadata for Plain RPM files cache Loading repository data... Reading installed packages... Selecting 'selinux-policy-20241118-308.1.noarch' from repository 'Plain RPM files cache' for installation. Resolving package dependencies... Force resolution: No Problem: 1: the installed selinux-policy-targeted-20241105-1.1.noarch requires 'selinux-policy = 20241105-1.1', but this requirement cannot be provided Solution 1: Following actions will be done: deinstallation of selinux-policy-targeted-20241105-1.1.noarch deinstallation of patterns-base-selinux-20200505-59.1.x86_64 deinstallation of container-selinux-2.232.1-1.2.noarch Solution 2: do not install selinux-policy-20241118-308.1.noarch Solution 3: break selinux-policy-targeted-20241105-1.1.noarch by ignoring some of its dependencies Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1 Applying solution 1 Resolving dependencies... Resolving package dependencies... Force resolution: No The following package is going to be upgraded: selinux-policy 20241105-1.1 -> 20241118-308.1 The following package is going to change vendor: selinux-policy 20241105-1.1 -> 20241118-308.1 openSUSE -> obs://build.opensuse.org/home:jsegitz The following 3 packages are going to be REMOVED: container-selinux 2.232.1-1.2 patterns-base-selinux 20200505-59.1 selinux-policy-targeted 20241105-1.1 The following pattern is going to be REMOVED: selinux 20200505-59.1 1 package to upgrade, 3 to remove, 1 to change vendor. Package download size: 82.1 KiB Package install size change: | 25.0 KiB required by packages that will be installed -24.8 MiB | - 24.8 MiB released by packages that will be removed Backend: classic_rpmtrans Continue? [y/n/v/...? shows all options] (y): y committing Retrieving: selinux-policy-20241118-308.1.noarch (Plain RPM files cache) (1/1), 82.1 KiB selinux-policy-20241118-308.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 3150ff4ecd0ba9c9: NOKEY Header SHA256 digest: OK Header SHA1 digest: OK Payload SHA256 digest: OK V3 RSA/SHA256 Signature, key ID 3150ff4ecd0ba9c9: NOKEY MD5 digest: OK warning: /var/tmp/zypp.ROeCQ1/zypper/_tmpRPMcache_/%CLI%/selinux-policy-20241118-308.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY Looking for gpg key ID CD0BA9C9 in cache /var/cache/zypp/pubkeys. Repository Plain RPM files cache does not define additional 'gpgkey=' URLs. selinux-policy-20241118-308.1.noarch (Plain RPM files cache): Signature verification failed [4-Signatures public key is not available] Abort, retry, ignore? [a/r/i] (a): i Checking for file conflicts: .....................................................................................................................................................................................................................[done] (1/4) Removing: container-selinux-2.232.1-1.2.noarch .............................................................................................................................................................................................[done] warning: /etc/selinux/targeted/contexts/customizable_types saved as /etc/selinux/targeted/contexts/customizable_types.rpmsave (2/4) Removing: selinux-policy-targeted-20241105-1.1.noarch ......................................................................................................................................................................................[done] warning: /var/cache/zypper/RPMS/selinux-policy-20241118-308.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY error: selabel_open: (/etc/selinux/targeted/contexts/files/file_contexts) No such file or directory error: Plugin selinux: hook tsm_pre failed (3/4) Installing: selinux-policy-20241118-308.1.noarch ..........................................................................................................................................................................................[error] Installation of selinux-policy-20241118-308.1.noarch failed: Error: Subprocess failed. Error: RPM failed: Command exited with status 1. Abort, retry, ignore? [a/r/i] (a): i error: selabel_open: (/etc/selinux/targeted/contexts/files/file_contexts) No such file or directory error: Plugin selinux: hook tsm_pre failed (4/4) Removing: patterns-base-selinux-20200505-59.1.x86_64 ......................................................................................................................................................................................[error] Removal of (59724)patterns-base-selinux-20200505-59.1.x86_64(@System) failed: Error: Subprocess failed. Error: RPM failed: Command exited with status 1. Abort, retry, ignore? [a/r/i] (a): i Running post-transaction scripts .................................................................................................................................................................................................................[done] CommitResult (total 4, done 4, error 0, skipped 0, updateMessages 0) Checking for running processes using deleted libraries... semanage boolean -m -1 unconfined_service_transition_to_confined_user --------------------------------------------------------------------- libsemanage.semanage_read_policydb: Could not open kernel policy /var/lib/selinux/targeted/active/policy.kern for reading. (No such file or directory). FileNotFoundError: No such file or directory reboot Obviously that resulted in an unbootable system with error: [!!!!!!] Failed to load SELinux policy During the install of the rpm you provided Option 1 was selected but I'm sure that the removal of the following packages is what breaks selinux during the boot. container-selinux 2.232.1-1.2 patterns-base-selinux 20200505-59.1 selinux-policy-targeted 20241105-1.1 I am new to selinux but I suspect that the expected result would have been to just install your package to replace the existing one. To recover I Edited the Grub boot item temporarily to set selinux=0 Rollback back the changes from a before snapshot I took rebooted NOTE: I am testing this in a KVM vm which was created from a copy of the qcow2 file that is used by a VM that I regularly use. After booting the KVM copy the first time, I installed selinux using the instructions Cathy provided and then removed apparmor. Prior to installing the test rpm, SELinux has not had any issues other than the xrdp issue we are discussing here. Please let me know if you need any other details. Thanks for your efforts. -- You are receiving this mail because: You are on the CC list for the bug.