Description of problem: It is possible to get the Enhanced Hyper-V session with Fedora 30 with the following: 1) configuring xrdp.ini according to https://github.com/microsoft/linux-vm-tools/blob/master/ubuntu/18.04/install.sh In addition the 'port' parameter needs to be port=vsock://-1:3389 2) configuring kernel modules and polkit as described in the script above. 3) configuring sesman.ini to run /usr/libexec/Xorg instead of Xorg (to avoid a global Xwrapper.config) (and also disabling root access) 4) Install a selinux policy to allow xrdp to access the vsock socket. 5) rebuild xrdp from the source package adding --enable-vsock to the SPEC build config. In short, it appears to be possible to get an enhanced F30 session by enabling vsock in the build, after which only proper sysadmin actions are required (config file editing and selinux policy). Version-Release number of selected component (if applicable): 0.9.12 How reproducible: Always Steps to Reproduce: See above Actual results: No Enhanced session possible Expected results: Enhanced session available after proper configuration. Additional info: This request is to add --enable-vsock in the SPEC build config, thus allowing for enhanced sessions after proper config files configuration, unless there are more important reasons not to enable this. A nice addition would be an updated selinux policy.
vsock will be enabled anytime soon, please hold.
Eagerly awaiting this support as well. The Ubuntu xrdp packages have vsock enabled, and it makes a huge difference when running under Hyper-V.
(In reply to Maarten Boekhold from comment #2) > Eagerly awaiting this support as well. The Ubuntu xrdp packages have vsock > enabled, and it makes a huge difference when running under Hyper-V. I've manually built the 0.9.12 RPM with --enable-vsock added, and I can confirm that with that one change it's possible to use Hyper-V Enhanced Mode to access a CentOS VM.
I just kicked off a whole bunch of vsock enabled builds in koji, including for F30. See whether they are any good for you and let us know.
Created attachment 1651675 [details] updated selinux policy xrdp-0.9.12-2.fc30 works as expected for me on F30. selinux still denies the xrdp service access to the vsock socket. Attached is a possible update to the selinux policy, that includes the suggestion from setroubleshoot. However, it might be worth a review.
Thanks for the contribution! Kicked off builds in koji with the new policy. If anything else turns up, please feel free to point out.
I've installed https://kojipkgs.fedoraproject.org//packages/xrdp/0.9.12/3.el8/x86_64/xrdp-0.9.12-3.el8.x86_64.rpm on my CentOS 8 VM, and I'm trying to figure out about this SELinux policy. sudo semodule -l | grep xrdb ==> no result /etc/sysconfig/selinux ==> SELINUX=enforcing XRDP doesn't work this way. If I change SELINUX=permissive it works fine. However, I do get 2 password prompts during login: Authentication is required to create a color managed d[....?] Authentication is required to refresh the system repositories
grep xrdb or xrdp?
(In reply to Bojan Smojver from comment #8) > grep xrdb or xrdp? Sorry for the typo, "grep xrdp"... I just double-checked. Not sure if this is relevant, but I cannot see anything in the xrdp-0.9.12-3.el8.x86_64.rpm file related to SELinux. Not in the contents nor in the scripts (rpm -qp --scripts). I'm a bit of a new-comer to the rpm world however so I'm not sure I've dug deep enough to be able to really confirm that.
You will need to install xrdp-selinux package.
(In reply to Bojan Smojver from comment #10) > You will need to install xrdp-selinux package. Hmmm, that depends on selinux-policy >= 3.14.3-20.el8, and I'm not sure where I can install that from for CentOS8. On CentOS this package seems to be part of the BaseOS repository, and the latest version available is 3.14.1-61.el8_0.2.
The builds in epel are done against rhel. I cannot remember off the top of my head whether we hardcode the version in the spec file. I'll check.
Seems to be picked up automatically by the build.
(In reply to Bojan Smojver from comment #13) > Seems to be picked up automatically by the build. So nothing we can do about this except wait till the CentOS team has updated selinux-policy to >= 3.14.3-20.el8 ?
You can try testing repos in CentOS. Maybe they have newer selinux packages there. Failing that, you can download th xrdp-selinux RPM, then install it with rpm -Uvh --nodeps. It may work.
(In reply to Bojan Smojver from comment #15) > You can try testing repos in CentOS. Maybe they have newer selinux packages > there. Failing that, you can download th xrdp-selinux RPM, then install it > with rpm -Uvh --nodeps. It may work. Thanks, that worked, and I'm now able to use XRDP with SELINUX=enforced on CentOS 8. There's still 2 annoying popups while launching the Gnome desktop, mentioned earlier: Authentication is required to create a color managed device Authentication is required to refresh the system repositories This seems to be a polkit issue. There is a good description [here](https://c-nergy.be/blog/?p=12073) about this, but focuses on Ubuntu. The Microsoft instructions for installing XRDP on Ubuntu VMs (https://github.com/microsoft/linux-vm-tools/blob/master/ubuntu/18.04/install.sh) address at least the Color Device policy using the following: # Configure the policy xrdp session cat > /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla <<EOF [Allow Colord all Users] Identity=unix-user:* Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile ResultAny=no ResultInactive=no ResultActive=yes EOF This works on CentOD8 as well. The message about System repositories is discussed here: https://c-nergy.be/blog/?p=14051 Similar solution: cat > /etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF [Allow Package Management all Users] Identity=unix-user:* Action=org.freedesktop.packagekit.system-sources-refresh ResultAny=yes ResultInactive=yes ResultActive=yes EOF Again, works the same on CentOS. Note that this does NOT give me the authorization to INSTALL packages. I still need to provide a password for that. This seem to be related to "dnf check-update" equivalent functionality only.
(In reply to Maarten Boekhold from comment #16) thank you for these valuable information, We are going to talk with xrdp developers to see if we can upstream these polkit files, or carry them in rpm file.
(In reply to Itamar Reis Peixoto from comment #17) If the goal is to get a rpm that needs no further configuration, then also the issue of blacklisting the vmw module should be considered (mentioned at step 2 of the initial report): I have verified that the module vmw_vsock_vmci_transport indeed conflicts with hv_sock.
(In reply to Maarten Boekhold from comment #14) > (In reply to Bojan Smojver from comment #13) > > Seems to be picked up automatically by the build. > > So nothing we can do about this except wait till the CentOS team has updated > selinux-policy to >= 3.14.3-20.el8 ? Guess this is solved now with the release of CentOS8 1911 today.
(In reply to mm19827 from comment #18) > (In reply to Itamar Reis Peixoto from comment #17) > > If the goal is to get a rpm that needs no further configuration, then also > the issue of blacklisting the vmw module should be considered (mentioned at > step 2 of the initial report): I have verified that the module > vmw_vsock_vmci_transport indeed conflicts with hv_sock. Not convinced of this. It's true that at the moment there's no way to use RDP over VSOCK with any VMWare product, but that doesn't mean such support won't come in the future...
(In reply to Bojan Smojver from comment #6) > Thanks for the contribution! Kicked off builds in koji with the new policy. > If anything else turns up, please feel free to point out. Works for me on F30.
(In reply to mm19827 from comment #21) > (In reply to Bojan Smojver from comment #6) > > Thanks for the contribution! Kicked off builds in koji with the new policy. > > If anything else turns up, please feel free to point out. > > Works for me on F30. The following steps work for me on a fresh VM installation on Hyper-V from the CentOS-8.1.1911-x86_64-dvd1.iso DVD: sudo dnf update sudo dnf install epel-release sudo dnf --enablerepo=epel-playground check-update sudo dnf --enablerepo=epel-playground install xrdp xorgxrdp sudo sed -i_orig -e 's/port=3389/port=vsock:\/\/-1:3389/g' /etc/xrdp/xrdp.ini sudo sed -i_orig -e 's/security_layer=negotiate/security_layer=rdp/g' /etc/xrdp/xrdp.ini sudo sed -i_orig -e 's/crypt_level=high/crypt_level=none/g' /etc/xrdp/xrdp.ini sudo sed -i_orig -e 's/bitmap_compression=true/bitmap_compression=false/g' /etc/xrdp/xrdp.ini sudo sed -i -e 's/FuseMountName=thinclient_drives/FuseMountName=shared-drives/g' /etc/xrdp/sesman.ini sudo echo "hv_sock" > /etc/modules-load.d/hv_sock.conf sudo echo "blacklist vmw_vsock_vmci_transport" > /etc/modprobe.d/blacklist_vmw_vsock_vmci_transport.conf sudo modprobe hv_sock sudo -s cat > /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla <<EOF [Allow Colord all Users] Identity=unix-user:* Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile ResultAny=no ResultInactive=no ResultActive=yes EOF cat > /etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF [Allow Package Management all Users] Identity=unix-user:* Action=org.freedesktop.packagekit.system-sources-refresh ResultAny=yes ResultInactive=yes ResultActive=yes EOF CTRL-D sudo systemctl enable xrdp sudo systemctl enable xrdp-sesman POWER OFF Set-VM -VMName FBE -EnhancedSessionTransportType HvSocket
FEDORA-EPEL-2020-8a94cd1032 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8a94cd1032
FEDORA-2020-d6c71e5834 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d6c71e5834
xrdp-0.9.12-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-963abed1f3
xrdp-0.9.12-6.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8a94cd1032
xrdp-0.9.12-6.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ab02db727
xrdp-0.9.12-6.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d6c71e5834
xrdp-0.9.12-6.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
xrdp-0.9.12-6.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
After installing the polkit rule from the RPM (/usr/share/polkit-1/rules.d/xrdp.rules), a SELinux alert occurs. For some reason, this does not happen if the policy is modified via localauthority as in comment 22. The SELinux denial is: SELinux is preventing colord from search access on the directory 1946. In this instance the directory 1946 looks like it is /proc/1946 or /proc/1946/task/1946 which are associated with the process gsd-color (pid 1946) I have no idea if this is a bug in colord or a consequence of the resolution of this bug, anyway I thought it was worth reporting. Except for the alert, the RDP session appears to start correctly. This is happening with xrdp-0.9.12-6.fc30 on F30.
Could you post the complete selinux alert detail here. Not quite sure what's going on, but definitely worth checking it out.
Created attachment 1668453 [details] colord selinux alert colord selinux alert attached
xrdp-0.9.12-6.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.
I just installed fresh F30, applied all updates from testing, installed xrdp and xorgxrdp, configured according to readme file, also installed group gnome. Cannot reproduce.
xrdp-0.9.12-6.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
I see what the problem is. Please adjust /etc/pam.d/xrdp-sesman file, as per readme file. Unfortunately, we cannot predict what kind of desktop people will run, so this file ships with upstream defaults.
(In reply to Bojan Smojver from comment #37) > I see what the problem is. Please adjust /etc/pam.d/xrdp-sesman file, as per > readme file. Unfortunately, we cannot predict what kind of desktop people > will run, so this file ships with upstream defaults. That was it, thanks. Sorry for the noise.