TW 20250216 + SELinux + XRDP

Has anybody switched their TW system from apparmor to selinux AND using XRDP?

I submitted a bug back on 11/25/2024 because selinux was blocking xrdp.
https://bugzilla.suse.com/show_bug.cgi?id=1233738

I have been working with Johannes to update the selinux policy to allow xrdp, and his changes are now in Factory.

Today I restored my test TW system back to 20250106 and then updated it to 20250216 and followed the instructions here to switch to apparmor
https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl...

ausearch -ts boot | grep -e DEN

does NOT produce any denied errors, but the XRDP connection fails.

Switching to permissive mode with

setenforce 0

allows XRDP to work.

Anybody else seeing this?

-- 
Regards, Joe

On 2/21/25 11:23 AM, Andrei Borzenkov wrote:
Thanks Andrei.

What is interesting is I expected this restore/retest of selinux to work, since the patches prepared, which are now in Factory, fixed the problem originally but are not fixing it now that it was released.

When we first worked on the issue in 2024, ausearch was reporting the DENIED cases, so it seems that in addition to RDP not working now, it is also not reporting those DENIED messages.

I tried your command

semodule --disable_dontaudit --build

but it fails with

build or reload should not be used with other commands

I tried

semodule --disable_dontaudit

and figured I'd do the --build afterwards, but it fails with

/sbin/semodule: Failed on dontaudit!

-- 
Regards, Joe

On Fri, Feb 21, 2025 at 11:40:22AM -0500, Joe Salmeri wrote:
That's weird, because then it shouldn't be SELinux, but it pretty clearly is, given that it works in permissive mode. Please open a bug report with as much detail about your setup as possible so we can reproduce it. ATM it just works (TM) for me, so it must be something special with your config.

Thanks,
Johannes

-- 
GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstraße 146, 90461 Nürnberg, Germany
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)

On 2/25/25 2:35 AM, Johannes Segitz wrote:
Hi Johannes,

I agree it is very weird, as I expected it to work and the rest was just a confirmation of it coming from Factory.

I updated the existing bug you and I have been working with, with the details.
https://bugzilla.suse.com/show_bug.cgi?id=1233738

-- 
Regards, Joe

On Tue, Feb 25, 2025 at 10:46:34AM -0500, Joe Salmeri wrote:
> I have updated the bug report with the requested info.

Thanks, I replied there. Let's try to keep it in Bugzilla so everything is visible to everyone that's interested. Hope it works after the steps I provided now.

Johannes

On Fri, Feb 21, 2025 at 11:17 AM Joe Salmeri <jmscdba@gmail.com> wrote:
Since I use Wayland, XRDP isn't in my camp of things to use, but I have some suggestions on how to identify issues.

$ sudo zypper install setroubleshoot-server
$ sudo systemctl enable --now setroubleshootd.service
$ sudo setenforce 0

Then set up XRDP and attempt a connection. You will see better information on SELinux issues in the journal, since permissive mode lets the denials flow without blocking. That can be used to file a bug report to fix the policy, contribute a policy fix to selinux-policy[1], and make a local fix for your needs.

[1]: https://github.com/fedora-selinux/selinux-policy

-- 
真実はいつも一つ!/ Always, there's only one truth!

On 2/21/25 11:45 AM, Neal Gompa wrote:
Hi Neal,

Install of setroubleshoot-server worked fine, but enable fails with:

The unit files have no installation config (WantedBy=, RequiredBy=, UpheldBy=, Also=, or Alias= settings in the [Install] section, and DefaultInstance= for template units).
This means they are not meant to be enabled or disabled using systemctl.

Possible reasons for having these kinds of units are:
• A unit may be statically enabled by being symlinked from another unit's .wants/, .requires/, or .upholds/ directory.
• A unit's purpose may be to act as a helper for some other unit which has a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer, D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some instance name specified.

Looks like the unit file is broken; however, I was able to successfully start the service.

After setenforce 0, XRDP works (like before when I switch to permissive mode), but ausearch does not return any DENIED issues.

Looking at the journal (lots of messages unrelated to xrdp) I found

Feb 21 12:22:50 (systemd)[7273]: pam_unix(systemd-user:session): session opened for user XXXXXX(uid=1001) by XXXXXX(uid=0)
Feb 21 12:22:50 (systemd)[7273]: pam_kwallet5(systemd-user:session): pam_kwallet5: not a graphical session, skipping. Use force_run parameter to ignore this.
Feb 21 12:22:50 systemd[7273]: Queued start job for default target Main User Target.
Feb 21 12:22:50 systemd[7273]: Created slice User Application Slice.
Feb 21 12:22:50 xrdp-sesman[7255]: pam_unix(xrdp-sesman:session): session opened for user XXXXXX(uid=1001) by (uid=0)
Feb 21 12:22:50 xrdp-sesman[7255]: pam_kwallet5(xrdp-sesman:session): pam_kwallet5: pam_sm_open_session
Feb 21 12:22:50 xrdp-sesman[7313]: pam_kwallet5: final socket path: /run/user/1001/kwallet5.socket
Feb 21 12:22:51 xrdp-sesman[7316]: Xvnc TigerVNC 1.14.1 - built ??? ?? ???? ??:??:??
Feb 21 12:22:51 xrdp-sesman[7316]: Copyright (C) 1999-2024 TigerVNC Team and many others (see README.rst)
Feb 21 12:22:51 xrdp-sesman[7316]: See https://www.tigervnc.org for information on TigerVNC.
Feb 21 12:22:51 xrdp-sesman[7316]: Underlying X server release 12101015
Feb 21 12:22:51 xrdp-sesman[7316]: libEGL warning: failed to open /dev/dri/card1: Permission denied
Feb 21 12:22:51 xrdp-sesman[7316]: libEGL warning: failed to open /dev/dri/card1: Permission denied
Feb 21 12:22:51 xrdp-sesman[7316]: libEGL warning: failed to open /dev/dri/card1: Permission denied
Feb 21 12:22:51 xrdp-sesman[7316]: Fri Feb 21 12:22:51 2025
Feb 21 12:22:51 xrdp-sesman[7316]: vncext: VNC extension running!
Feb 21 12:22:51 xrdp-sesman[7316]: vncext: Listening for VNC connections on local interface(s), port 6100
Feb 21 12:22:51 xrdp-sesman[7316]: vncext: created VNC server for screen 0
Feb 21 12:22:51 xrdp-sesman[7318]: The XKEYBOARD keymap compiler (xkbcomp) reports:
Feb 21 12:22:51 xrdp-sesman[7318]: > Warning: Could not resolve keysym XF86RefreshRateToggle
Feb 21 12:22:51 xrdp-sesman[7318]: > Warning: Could not resolve keysym XF86Accessibility
Feb 21 12:22:51 xrdp-sesman[7318]: > Warning: Could not resolve keysym XF86DoNotDisturb
Feb 21 12:22:51 xrdp-sesman[7318]: Errors from xkbcomp are not fatal to the X server
Feb 21 12:22:51 xrdp-sesman[7316]: [mi] mieq: warning: overriding existing handler (nil) with 0x5638cba2fdf0 for event 2
Feb 21 12:22:51 xrdp-sesman[7316]: [mi] mieq: warning: overriding existing handler (nil) with 0x5638cba2fdf0 for event 3
Feb 21 12:22:51 xrdp-sesman[7332]: Environment variable $XAUTHORITY not set, ignoring.

Possibly when in enforcing mode this is the problem?

xrdp-sesman[7316]: libEGL warning: failed to open /dev/dri/card1: Permission denied

When you use SELinux (this comes from a person who is an RH engineer), there is a secondary package that installs the SELinux settings:

xrdp-selinux.x86_64 : SELinux policy module required to run xrdp

Do we not have such a package? I would recommend using it, because SELinux is a pain. It's a great learning step.

On Fri, Feb 21, 2025 at 12:32 PM Joe Salmeri <jmscdba@gmail.com> wrote:
-- Terror PUP a.k.a Chuck "PUP" Payne ----------------------------------------- Discover it! Enjoy it! Share it! openSUSE Linux. ----------------------------------------- openSUSE -- Terrorpup openSUSE Advocate/openSUSE Member x/mastodon.social -- @terrorpup dicord -- terrorpup#3550 bluesky -- @terrorpup967.bsky.social uglyscale.press Register Linux Userid: 155363 openSUSE Community Member since 2008.

On Fri, Feb 21, 2025 at 12:50 PM Chuck Payne <terrorpup@gmail.com> wrote:
We do not. The policy module is built in the Fedora package[1] but not in ours.

[1]: https://src.fedoraproject.org/rpms/xrdp/blob/rawhide/f/xrdp.spec

On Fri, Feb 21, 2025 at 12:55 PM Neal Gompa <ngompa13@gmail.com> wrote:
Neal,

If it's Fedora, that's a good start. Having had to write SELinux statements, I can tell everyone it is a pain. It's why, when we can as RH admins, we turn SELinux from Enforcing to Permissive. A lot of apps don't play nice with SELinux. Just wait: you think xrdp is a pain, wait until you have to deal with Apache/Nginx.

I would recommend for now placing SELinux in Permissive mode; it will log everything, then you can use the output in the logs to write the correct SELinux statements needed. Or download the package from Rocky, which is based on the Enterprise version of RH (Fedora is bleeding edge, stable, but bleeding edge). See how Rocky Linux does their SELinux.

Just an FYI, the agencies I work with are an RH shop; I was able to remove Citrix Workstation by replacing it with xrdp. Saves money and time.
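The workflow Neal and Chuck describe (put SELinux in permissive mode, reproduce, let the denials land in the audit log, and turn them into policy statements) has a mechanical core that is worth seeing once. The script below is an added illustration, not code from this thread, from the openSUSE or Fedora xrdp packages, or from the policy in the bug: it groups AVC records by source type, target type and object class and unions the denied permissions, which is the essential step audit2allow performs. The AVC lines are constructed to resemble what the kernel would record for the /dev/dri/card1 "Permission denied" warning in Joe's journal and for a socket connect; the type names xrdp_t and dri_device_t are assumptions for the example, not taken from the actual policy. In practice the inputs come from `ausearch -m AVC -ts recent` after `setenforce 0`, and if the expected records are missing because a dontaudit rule silences them, `semodule -DB` disables those rules and rebuilds the policy so they show up; the real rules should then be generated with audit2allow and reviewed, not copied blindly from a script like this one.

```shell
#!/bin/sh
# Added example: group AVC denials into candidate allow rules, a minimal
# version of what audit2allow does. Not from the thread or any package.

# Constructed sample records shaped like `ausearch -m AVC` output. The
# type names (xrdp_t, dri_device_t) are assumptions for illustration.
SAMPLE_AVC='type=AVC msg=audit(1740158571.101:301): avc:  denied  { read write } for  pid=7316 comm="Xvnc" name="card1" dev="devtmpfs" ino=700 scontext=system_u:system_r:xrdp_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1740158571.102:302): avc:  denied  { open } for  pid=7316 comm="Xvnc" path="/dev/dri/card1" dev="devtmpfs" ino=700 scontext=system_u:system_r:xrdp_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1740158571.210:303): avc:  denied  { read write } for  pid=7316 comm="Xvnc" name="card1" dev="devtmpfs" ino=700 scontext=system_u:system_r:xrdp_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1740158572.005:304): avc:  denied  { connectto } for  pid=7332 comm="xrdp-sesman" path="/run/user/1001/kwallet5.socket" scontext=system_u:system_r:xrdp_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1740158572.005:304): arch=c000003e syscall=42 success=yes exit=0 comm="xrdp-sesman"'

# avc_to_allow: read AVC records on stdin and print one "allow" rule per
# (source type, target type, class) with the union of denied permissions.
avc_to_allow() {
    awk '
    /avc:  denied/ {
        # the denied permissions are the words between the braces
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the type is the 3rd field
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in seen)) {   # de-duplicate repeated denials
                seen[key, p[j]] = 1
                rules[key] = rules[key] " " p[j]
            }
        }
    }
    END { for (k in rules) print "allow " k " {" rules[k] " };" }
    ' | sort
}

# avc_would_block: count denials recorded with permissive=1, i.e. accesses
# that succeeded only because of permissive mode and would fail enforcing.
avc_would_block() {
    awk '/avc:  denied/ && /permissive=1/ { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample. On a real system, feed
# `ausearch -m AVC -ts recent` into the functions instead.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf 'denials that would block in enforcing mode: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AVC" | avc_would_block)"
```

The grouping deliberately keys on the SELinux type, not on comm= or the pid, because policy is written per domain: every Xvnc spawned by xrdp-sesman runs as the same type and one rule covers them all. A record count of zero from avc_would_block while the service still fails in enforcing mode is exactly the "no DENIED lines" symptom in this thread, and the first thing to rule out then is a dontaudit rule hiding the denial.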

On Fri, Feb 21, 2025 at 1:07 PM Chuck Payne <terrorpup@gmail.com> wrote:
I'm a bad person to complain about SELinux, as I helped implement it in openSUSE in the first place and I've gotten good at fixing things to work in enforcing mode using the tools and guides from Red Hat as well as guidance from folks like Thomas Cameron. I don't think it's that bad to work with, it just requires a bit more effort to adapt for your needs.

On 2/21/25 1:07 PM, Chuck Payne wrote:
Chuck, Neal,

TW did not previously have a security policy configured for XRDP. I reported this bug back on 11/25/2024
https://bugzilla.suse.com/show_bug.cgi?id=1233738

Johannes worked with me and prepared an updated policy for me to test. To test, I took an existing production VM and restored it as a test VM, then installed the updated policy, and we eventually got it working.

I wanted to wait on updating the production machine and switching it to use selinux until after the updated policy was pushed to Factory. Once it hit Factory, I did the following:

1) Restored the test VM back to TW 20250106, which had apparmor installed like production
2) Updated the test VM to TW 20250216 (matching the production machine)
3) Followed the instructions to install/config selinux found here
https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbleweed_systems

After rebooting with selinux in enforcing mode, XRDP didn't work AND ausearch didn't show any denied errors for it (like it previously did). Switching selinux to permissive mode, xrdp works.

So it seems that an xrdp selinux policy was created which worked in initial testing, but when I restored the test environment, updated to 20250216 and then followed the documentation to switch to selinux, the fix does not work. That seems to indicate that either there is a difference between the policy I tested a month ago and what ended up in Factory, OR 20250216 introduced some new requirements for the policy that didn't exist back when the test was done with the older TW build.

I am still learning selinux, so possibly you could take a look at the bug report I created, which details everything from the original testing up through the recent retest now that the new policy was added to Factory?

Thanks!

-- 
Regards, Joe