
When you use SELinux, this comes from a person that is an RH Engineer, there is a secondary package you install that does the SELinux setting:

xrdp-selinux.x86_64 : SELinux policy module required tu run xrdp

Do we not have such a package? I would recommend using it, because SELinux is a pain. It's a great learning step.

On Fri, Feb 21, 2025 at 12:32 PM Joe Salmeri <jmscdba@gmail.com> wrote:
On Fri, Feb 21, 2025 at 11:17 AM Joe Salmeri <jmscdba@gmail.com> wrote:
Has anybody switched their TW system from apparmor to selinux AND using XRDP ?
I submitted a bug back on 11/25/2024 because selinux was blocking xrdp.
https://bugzilla.suse.com/show_bug.cgi?id=1233738
I have been Johannes to update the selinux policy to allow xrdp and his changes are now in Factory.
Today I restored my test TW system back to 20250106 and then updated it to 20250216 and followed the instructions here to switch to apparmor
https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl...
ausearch -ts boot | grep -e DEN
Does NOT produce any denied errors but XRDP connection fails.
Switching to permissive mode with
setenforce 0
Allows XRDP to work.
Anybody else seeing this ?
On 2/21/25 11:45 AM, Neal Gompa wrote:
Since I use Wayland, XRDP isn't in my camp of things to use, but I have some suggestions on how to identify issues.
$ sudo zypper install setroubleshoot-server
$ sudo systemctl enable --now setroubleshootd.service
$ sudo setenforce 0
Then set up XRDP and attempt a connection. You will see better information on SELinux issues in the journal, since permissive mode lets the denials flow without blocking. That can be used to file a bug report to fix the policy, contribute a policy fix to selinux-policy[1], and make a local fix for your needs.
Hi Neal,
Install of setroubleshoot-server worked fine but enable fails with:
The unit files have no installation config (WantedBy=, RequiredBy=, UpheldBy=, Also=, or Alias= settings in the [Install] section, and DefaultInstance= for template units). This means they are not meant to be enabled or disabled using systemctl.
Possible reasons for having these kinds of units are:
• A unit may be statically enabled by being symlinked from another unit's .wants/, .requires/, or .upholds/ directory.
• A unit's purpose may be to act as a helper for some other unit which has a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer, D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some instance name specified.
Looks like the unit file is broken, however, I was able to successfully start the service.
After setenforce 0, XRDP works ( like before when I switch to permissive mode ) but ausearch does not return any DENIED issues.
Looking at the journal ( lots of messages unrelated to xrdp ) I found
Feb 21 12:22:50 (systemd)[7273]: pam_unix(systemd-user:session): session opened for user XXXXXX(uid=1001) by XXXXXX(uid=0)
Feb 21 12:22:50 (systemd)[7273]: pam_kwallet5(systemd-user:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
Feb 21 12:22:50 systemd[7273]: Queued start job for default target Main User Target.
Feb 21 12:22:50 systemd[7273]: Created slice User Application Slice.
Feb 21 12:22:50 xrdp-sesman[7255]: pam_unix(xrdp-sesman:session): session opened for user XXXXXX(uid=1001) by (uid=0)
Feb 21 12:22:50 xrdp-sesman[7255]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_open_session
Feb 21 12:22:50 xrdp-sesman[7313]: pam_kwallet5: final socket path: /run/user/1001/kwallet5.socket
Feb 21 12:22:51 xrdp-sesman[7316]: Xvnc TigerVNC 1.14.1 - built ??? ?? ???? ??:??:??
Feb 21 12:22:51 xrdp-sesman[7316]: Copyright (C) 1999-2024 TigerVNC Team and many others (see README.rst)
Feb 21 12:22:51 xrdp-sesman[7316]: See https://www.tigervnc.org for information on TigerVNC.
Feb 21 12:22:51 xrdp-sesman[7316]: Underlying X server release 12101015
Feb 21 12:22:51 xrdp-sesman[7316]: libEGL warning: failed to open /dev/dri/card1: Permission denied
Feb 21 12:22:51 xrdp-sesman[7316]: libEGL warning: failed to open /dev/dri/card1: Permission denied
Feb 21 12:22:51 xrdp-sesman[7316]: libEGL warning: failed to open /dev/dri/card1: Permission denied
Feb 21 12:22:51 xrdp-sesman[7316]: Fri Feb 21 12:22:51 2025
Feb 21 12:22:51 xrdp-sesman[7316]: vncext: VNC extension running!
Feb 21 12:22:51 xrdp-sesman[7316]: vncext: Listening for VNC connections on local interface(s), port 6100
Feb 21 12:22:51 xrdp-sesman[7316]: vncext: created VNC server for screen 0
Feb 21 12:22:51 xrdp-sesman[7318]: The XKEYBOARD keymap compiler (xkbcomp) reports:
Feb 21 12:22:51 xrdp-sesman[7318]: > Warning: Could not resolve keysym XF86RefreshRateToggle
Feb 21 12:22:51 xrdp-sesman[7318]: > Warning: Could not resolve keysym XF86Accessibility
Feb 21 12:22:51 xrdp-sesman[7318]: > Warning: Could not resolve keysym XF86DoNotDisturb
Feb 21 12:22:51 xrdp-sesman[7318]: Errors from xkbcomp are not fatal to the X server
Feb 21 12:22:51 xrdp-sesman[7316]: [mi] mieq: warning: overriding existing handler (nil) with 0x5638cba2fdf0 for event 2
Feb 21 12:22:51 xrdp-sesman[7316]: [mi] mieq: warning: overriding existing handler (nil) with 0x5638cba2fdf0 for event 3
Feb 21 12:22:51 xrdp-sesman[7332]: Environment variable $XAUTHORITY not set, ignoring.
Possibly when in enforcing mode this is the problem ?
xrdp-sesman[7316]: libEGL warning: failed to open /dev/dri/card1: Permission denied
--
Terror PUP a.k.a
Chuck "PUP" Payne
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- Terrorpup
openSUSE Advocate/openSUSE Member
x/mastodon.social -- @terrorpup
discord -- terrorpup#3550
bluesky -- @terrorpup967.bsky.social
uglyscale.press
Register Linux Userid: 155363
openSUSE Community Member since 2008.
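
The `ausearch -ts boot | grep -e DEN` check and the permissive-mode test discussed in this thread, as an added example that is not part of any poster's message: a filter that groups AVC denial records by process, contexts, class and permissions, and separates denials that were only logged (`permissive=1`) from ones that were blocked (`permissive=0`). The function names, the sample records and the `example_*` type names are constructed for illustration and are not output from the system in the thread.

```shell
#!/bin/sh
# Added example. Live use (as root): ausearch -m AVC -ts boot | summarize_avc

# Group AVC denial records read from stdin by process, contexts, class,
# permissions and whether the access was actually blocked.
summarize_avc() {
    awk '
    /avc:[ ]+denied/ {
        comm = sctx = tctx = tclass = "?"; perm = "?"; mode = "unknown"
        # The denied permissions sit between the braces.
        s = index($0, "{"); e = index($0, "}")
        if (s && e > s) {
            perm = substr($0, s + 1, e - s - 1)
            gsub(/^ +| +$/, "", perm)
        }
        # Every other attribute is a key=value field.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (!n) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "scontext") sctx = val
            else if (key == "tcontext") tctx = val
            else if (key == "tclass") tclass = val
            else if (key == "permissive") mode = (val == "1") ? "logged-only" : "blocked"
        }
        seen[mode " " comm " " sctx " -> " tctx " " tclass " { " perm " }"]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
    ' | LC_ALL=C sort
}

# Constructed sample records (not from the thread; type names are made up).
sample_records() {
    cat <<'EOF'
type=AVC msg=audit(1740158571.101:301): avc:  denied  { read write } for  pid=7316 comm="Xvnc" name="card1" dev="devtmpfs" ino=512 scontext=system_u:system_r:example_rdp_t:s0 tcontext=system_u:object_r:example_dev_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1740158571.102:302): avc:  denied  { read write } for  pid=7316 comm="Xvnc" name="card1" dev="devtmpfs" ino=512 scontext=system_u:system_r:example_rdp_t:s0 tcontext=system_u:object_r:example_dev_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1740158400.010:120): avc:  denied  { connectto } for  pid=7255 comm="xrdp-sesman" path="/run/example.sock" scontext=system_u:system_r:example_rdp_t:s0 tcontext=system_u:system_r:example_other_t:s0 tclass=unix_stream_socket permissive=0
type=USER_START msg=audit(1740158570.000:300): pid=7255 uid=0 msg='op=PAM:session_open acct="XXXXXX"'
EOF
}

sample_records | summarize_avc
```

Each output line is a count followed by the grouped denial, so repeated identical denials collapse into one entry that can be quoted in a policy bug report.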