[Bug 1233738] New: SELINUX prevents XRDP from working when in enforcing mode
https://bugzilla.suse.com/show_bug.cgi?id=1233738

Bug ID: 1233738
Summary: SELINUX prevents XRDP from working when in enforcing mode
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: x86-64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: jmscdba@gmail.com
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Hi Cathy,

In my test TW system that is using selinux I found that xrdp is not working. When you attempt to RDP, after entering your credentials a dialog is displayed which says the login is successful, but then it says:

VNC error - problem connecting
some problem
Error conneting to user session

If I run "setenforce 0" after booting then xrdp works fine.

If I watch the journal when selinux is enforcing I find:

xrdp-sesman[6092]: pam_unix(xrdp-sesman:session): session opened for user denise(uid=1001) by (uid=0)
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_open_session
xrdp-sesman[6149]: pam_kwallet5: final socket path: /run/user/1001/kwallet5.socket
xrdp-sesman[6150]: pam_kwallet5: could not execute kwalletd from /usr/bin/kwalletd6
xrdp-sesman[6092]: pam_systemd(xrdp-sesman:session): New sd-bus connection (system-bus-pam-systemd-6092) opened.
xrdp-sesman[6092]: pam_unix(xrdp-sesman:session): session closed for user denise
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_close_session
xrdp-sesman[6092]: pam_kwallet5(xrdp-sesman:setcred): pam_kwallet5: pam_sm_setcred
systemd[1]: session-c7.scope: Deactivated successfully.
ausearch shows these denied messages:

ausearch -ts boot | grep -i denied

type=AVC msg=audit(1732232293.658:185): avc: denied { transition } for pid=2613 comm="xrdp-sesman" path="/usr/bin/kwalletd6" dev="sda2" ino=1779042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232293.658:188): avc: denied { transition } for pid=2616 comm="xrdp-sesman" path="/usr/bin/bash" dev="sda2" ino=1719714 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232303.435:189): avc: denied { transition } for pid=2621 comm="xrdp-sesman" path="/usr/sbin/xrdp-chansrv" dev="sda2" ino=1455897 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

I'm still getting up to speed with selinux, but it seems to me that xrdp tries to launch /usr/bin/xrdp-chansrv and it is denied because there is no selinux policy to allow it. However, I thought that when TARGETED mode was used selinux would have allowed it? Or does the package need to be updated to include a policy to allow xrdp so that it works in enforcing mode?

--
You are receiving this mail because:
You are on the CC list for the bug.
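As an added illustration (not part of the bug report or of the SUSE policy work), a small Python helper that parses AVC records like the three quoted above and groups denied domain transitions by source and target type. That grouping is the first thing to establish when deciding whether a boolean, a file label (chcon) or a policy module is the right fix. The function names parse_avc and summarize_transitions are my own; the sample records are the ones from the report, embedded as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1732232293.658:185): avc: denied { transition } for pid=2613 comm="xrdp-sesman" path="/usr/bin/kwalletd6" dev="sda2" ino=1779042 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232293.658:188): avc: denied { transition } for pid=2616 comm="xrdp-sesman" path="/usr/bin/bash" dev="sda2" ino=1719714 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1732232303.435:189): avc: denied { transition } for pid=2621 comm="xrdp-sesman" path="/usr/sbin/xrdp-chansrv" dev="sda2" ino=1455897 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:level; policy rules are keyed on the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else rec[ctx]
    return rec


def summarize_transitions(text):
    """Group denied process transitions by (source type, target type) and
    collect the executables involved, so each group is one policy question."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied":
            continue
        if rec.get("tclass") == "process" and "transition" in rec["perms"]:
            key = (rec["scontext_type"], rec["tcontext_type"])
            groups[key].add(rec.get("path", rec.get("comm", "?")))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for (src, dst), paths in summarize_transitions(SAMPLE_AUDIT).items():
        print(f"{src} -> {dst}: {', '.join(paths)}")
```

Feed it `ausearch -m avc` output instead of the sample to see which source/target type pairs a real system is hitting; here all three denials collapse to a single unconfined_service_t to unconfined_t transition, which is exactly what the boolean named later in the thread is about.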
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c1

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |jsegitz@suse.com

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---
I'll have a look
https://bugzilla.suse.com/show_bug.cgi?id=1233738

Joe S <jmscdba@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmscdba@gmail.com
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c2

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
Please give this policy a try:
https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELin...

After installing please run:

semanage boolean -m -1 unconfined_service_transition_to_confined_user

If you still have issues afterwards please run

chcon -t bin_t /etc/xrdp/startwm.sh
chcon -t bin_t /etc/xrdp/reconnectwm.sh

and try again.
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c3

--- Comment #3 from Johannes Segitz <jsegitz@suse.com> ---
Recent changes in security:SELinux broke the policy I built for you, I'll repair it
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c4

--- Comment #4 from Johannes Segitz <jsegitz@suse.com> ---
https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELin...
will contain the fix (once it builds)
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c5

--- Comment #5 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #4)
> https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1233738_6/selinux-policy
> will contain the fix (once it builds)
Hi Johannes,

Thanks for taking a look at this. Sorry for the delay, I have been sick in bed the last few days.

Here's the console log of trying to install the rpm:

---------------------------------------------------
zypper -v install /tmp/selinux-policy-20241118-308.1.noarch.rpm
Verbosity: 2
Non-option program arguments: '/tmp/selinux-policy-20241118-308.1.noarch.rpm'
'/tmp/selinux-policy-20241118-308.1.noarch.rpm' looks like an RPM file. Will try to download it.
Initializing Target
Checking whether to refresh metadata for google-chrome
Retrieving: repomd.xml [done]
Checking whether to refresh metadata for openSUSE-Tumbleweed-Non-Oss (20241119)
Retrieving: repomd.xml [done (1.1 KiB/s)]
Checking whether to refresh metadata for Open H.264 Codec (openSUSE Tumbleweed)
Retrieving: repomd.xml [done (242 B/s)]
Checking whether to refresh metadata for openSUSE-Tumbleweed-Oss (20241119)
Retrieving: repomd.xml [done (1.1 KiB/s)]
Checking whether to refresh metadata for openSUSE-Tumbleweed-Update
Retrieving: repomd.xml [done (1.1 KiB/s)]
Checking whether to refresh metadata for Plain RPM files cache
Loading repository data...
Reading installed packages...
Selecting 'selinux-policy-20241118-308.1.noarch' from repository 'Plain RPM files cache' for installation.
Resolving package dependencies...
Force resolution: No

Problem: 1: the installed selinux-policy-targeted-20241105-1.1.noarch requires 'selinux-policy = 20241105-1.1', but this requirement cannot be provided
 Solution 1: Following actions will be done:
  deinstallation of selinux-policy-targeted-20241105-1.1.noarch
  deinstallation of patterns-base-selinux-20200505-59.1.x86_64
  deinstallation of container-selinux-2.232.1-1.2.noarch
 Solution 2: do not install selinux-policy-20241118-308.1.noarch
 Solution 3: break selinux-policy-targeted-20241105-1.1.noarch by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1
Applying solution 1
Resolving dependencies...
Resolving package dependencies...
Force resolution: No

The following package is going to be upgraded:
  selinux-policy 20241105-1.1 -> 20241118-308.1

The following package is going to change vendor:
  selinux-policy 20241105-1.1 -> 20241118-308.1  openSUSE -> obs://build.opensuse.org/home:jsegitz

The following 3 packages are going to be REMOVED:
  container-selinux 2.232.1-1.2
  patterns-base-selinux 20200505-59.1
  selinux-policy-targeted 20241105-1.1

The following pattern is going to be REMOVED:
  selinux 20200505-59.1

1 package to upgrade, 3 to remove, 1 to change vendor.
Package download size: 82.1 KiB
Package install size change:
              |   25.0 KiB  required by packages that will be installed
    -24.8 MiB | - 24.8 MiB  released by packages that will be removed

Backend: classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y): y
committing
Retrieving: selinux-policy-20241118-308.1.noarch (Plain RPM files cache) (1/1), 82.1 KiB
selinux-policy-20241118-308.1.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 3150ff4ecd0ba9c9: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 3150ff4ecd0ba9c9: NOKEY
    MD5 digest: OK
warning: /var/tmp/zypp.ROeCQ1/zypper/_tmpRPMcache_/%CLI%/selinux-policy-20241118-308.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY
Looking for gpg key ID CD0BA9C9 in cache /var/cache/zypp/pubkeys.
Repository Plain RPM files cache does not define additional 'gpgkey=' URLs.
selinux-policy-20241118-308.1.noarch (Plain RPM files cache): Signature verification failed [4-Signatures public key is not available]
Abort, retry, ignore? [a/r/i] (a): i
Checking for file conflicts: [done]
(1/4) Removing: container-selinux-2.232.1-1.2.noarch [done]
warning: /etc/selinux/targeted/contexts/customizable_types saved as /etc/selinux/targeted/contexts/customizable_types.rpmsave
(2/4) Removing: selinux-policy-targeted-20241105-1.1.noarch [done]
warning: /var/cache/zypper/RPMS/selinux-policy-20241118-308.1.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY
error: selabel_open: (/etc/selinux/targeted/contexts/files/file_contexts) No such file or directory
error: Plugin selinux: hook tsm_pre failed
(3/4) Installing: selinux-policy-20241118-308.1.noarch [error]
Installation of selinux-policy-20241118-308.1.noarch failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): i
error: selabel_open: (/etc/selinux/targeted/contexts/files/file_contexts) No such file or directory
error: Plugin selinux: hook tsm_pre failed
(4/4) Removing: patterns-base-selinux-20200505-59.1.x86_64 [error]
Removal of (59724)patterns-base-selinux-20200505-59.1.x86_64(@System) failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): i
Running post-transaction scripts [done]
CommitResult (total 4, done 4, error 0, skipped 0, updateMessages 0)
Checking for running processes using deleted libraries...

semanage boolean -m -1 unconfined_service_transition_to_confined_user
---------------------------------------------------------------------
libsemanage.semanage_read_policydb: Could not open kernel policy /var/lib/selinux/targeted/active/policy.kern for reading. (No such file or directory).
FileNotFoundError: No such file or directory

reboot
---------------------------------------------------

Obviously that resulted in an unbootable system with error:

[!!!!!!] Failed to load SELinux policy

During the install of the rpm you provided, Option 1 was selected, but I'm sure that the removal of the following packages is what breaks selinux during the boot.

container-selinux 2.232.1-1.2
patterns-base-selinux 20200505-59.1
selinux-policy-targeted 20241105-1.1

I am new to selinux but I suspect that the expected result would have been to just install your package to replace the existing one.

To recover I:
- Edited the Grub boot item temporarily to set selinux=0
- Rolled back the changes from a before snapshot I took
- Rebooted

NOTE: I am testing this in a KVM vm which was created from a copy of the qcow2 file that is used by a VM that I regularly use. After booting the KVM copy the first time, I installed selinux using the instructions Cathy provided and then removed apparmor. Prior to installing the test rpm, SELinux had not had any issues other than the xrdp issue we are discussing here.

Please let me know if you need any other details. Thanks for your efforts.
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c6

--- Comment #6 from Johannes Segitz <jsegitz@suse.com> ---
thanks for testing. That is weird, I'll have a look. For me it works without issues
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c7

--- Comment #7 from Johannes Segitz <jsegitz@suse.com> ---
okay, once I formatted this in a way that is simple to read it's easy to figure out: please add the full repository instead of just installing one rpm

zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security...
zypper in --allow-vendor-change selinux-policy-targeted

Then it should work
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c8

--- Comment #8 from Joe S <jmscdba@gmail.com> ---
Created attachment 879009
  --> https://bugzilla.suse.com/attachment.cgi?id=879009&action=edit
Test results and summary
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c9

--- Comment #9 from Joe S <jmscdba@gmail.com> ---
(In reply to Johannes Segitz from comment #7)
> okay, once I formatted this in a way that is simple to read it's easy to figure out: please add the full repository instead of just installing one rpm
>
> zypper ar -p 80 https://download.opensuse.org/repositories/home:/jsegitz:/branches:/security:/SELinux_1232328/openSUSE_Factory/home:jsegitz:branches:security:SELinux_1232328.repo
> zypper in --allow-vendor-change selinux-policy-targeted
>
> Then it should work

Since you had trouble with the formatting last time I attached test.2.log with the results.

Summary:
- Install had some failures with resolving roletype statement
- semanage got ValueError (assuming because of first issue)
- chcon commands worked
- journal has issue with starting kwalletd
- xrdp dialog says login successful BUT vnc cannot connect

The attached test.2.log has everything done with the results.
https://bugzilla.suse.com/show_bug.cgi?id=1233738#c10

--- Comment #10 from Johannes Segitz <jsegitz@suse.com> ---
semanage boolean -m -1 unconfined_service_transition_to_confined_user
ValueError: Boolean unconfined_service_transition_to_confined_user is not defined

that indicates that you're not having the policy installed that I provided (even though the logs look like they installed correctly). Please provide the output of

zypper info selinux-policy-targeted
https://bugzilla.suse.com/show_bug.cgi?id=1233738

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(jmscdba@gmail.com)