Bug 1258453 - xrdp binaries labelled incorrectly, this prevents service start under systemd
Summary: xrdp binaries labelled incorrectly, this prevents service start under systemd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1244607 (view as bug list)
Depends On: 1177202 1244573
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-08-31 12:18 UTC by Lukas Vrabec
Modified: 2016-05-14 23:27 UTC (History)
9 users (show)

Fixed In Version: selinux-policy-3.13.1-185.fc24
Doc Type: Bug Fix
Doc Text:
Clone Of: 1244573
Environment:
Last Closed: 2016-05-14 23:27:52 UTC
Type: Bug


Attachments (Terms of Use)

Description Lukas Vrabec 2015-08-31 12:18:04 UTC
+++ This bug was initially created as a clone of Bug #1244573 +++

Description of problem:

$ grep xrdp /etc/selinux/targeted/contexts/files/file_contexts
/usr/sbin/xrdp	--	system_u:object_r:unconfined_exec_t:s0
/usr/sbin/xrdp-sesman	--	system_u:object_r:unconfined_exec_t:s0


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-128.6.fc22.noarch

How reproducible:
Always.

Steps to Reproduce:
1. xrdp.service fails to start when SELinux is in enforcing mode.

Actual results:
No start.

Expected results:
Should start?

Additional info:

This makes it work:

# chcon -t bin_t /usr/sbin/xrdp
# chcon -t bin_t /usr/sbin/xrdp-sesman

--- Additional comment from Bojan Smojver on 2015-08-18 18:33:26 EDT ---

Reassigning in the hope of getting some feedback and getting this fixed.

--- Additional comment from Lukas Vrabec on 2015-08-31 08:17:24 EDT ---

Hi, 

We should create a new policy for this daemon.

Comment 1 Miroslav Grepl 2015-09-22 09:16:13 UTC
*** Bug 1244607 has been marked as a duplicate of this bug. ***

Comment 2 Bill Shirley 2016-01-28 14:11:41 UTC
I can confirm this bug and fix on RHEL 7 (Google VM).

[1:root@aps local]$ rpm -q xrdp
xrdp-0.9.0-4.el7.x86_64

WAS running (setenforce 0):
[1:root@aps local 148]$ ps -eZ | grep xrdp
system_u:unconfined_r:init_t:s0 11186 ?        00:00:00 xrdp-sesman
system_u:unconfined_r:init_t:s0 11187 ?        00:00:00 xrdp

/var/log/messages:
Jan 28 05:48:56 aps kernel: SELinux:  Context system_u:unconfined_r:init_t:s0 would be invalid if enforcing

[0:root@aps ~]$ ls -lZ /usr/sbin/xrdp*
-rwxr-xr-x. root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/xrdp
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/xrdp-chansrv
-rwxr-xr-x. root root system_u:object_r:unconfined_exec_t:s0 /usr/sbin/xrdp-sesman
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/xrdp-sessvc


# -----------------------
NOW after:
# chcon -t bin_t /usr/sbin/xrdp
# chcon -t bin_t /usr/sbin/xrdp-sesman

[1:root@aps local]$ ps -eZ | grep xrdp
system_u:system_r:unconfined_service_t:s0 15286 ? 00:00:00 xrdp-sesman
system_u:system_r:unconfined_service_t:s0 15287 ? 00:00:00 xrdp
system_u:system_r:unconfined_service_t:s0 15328 ? 00:00:01 xrdp
system_u:system_r:unconfined_service_t:s0 15333 ? 00:00:00 xrdp-sessvc
system_u:system_r:unconfined_service_t:s0 15334 ? 00:00:00 xrdp-sesman
system_u:system_r:unconfined_service_t:s0 15336 ? 00:00:00 xrdp-chansrv

and SElinux is in enforcing mode with no errors in /var/log/messages

I've connected from a Windows RDP client and all appears to run fine.

Comment 3 Jan Kurik 2016-02-24 15:50:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase

Comment 4 Fedora Update System 2016-05-10 12:47:45 UTC
selinux-policy-3.13.1-185.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0f4619cd21

Comment 5 Fedora Update System 2016-05-12 09:42:53 UTC
selinux-policy-3.13.1-185.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0f4619cd21

Comment 6 Fedora Update System 2016-05-14 23:27:32 UTC
selinux-policy-3.13.1-185.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.