Bug 1787953 - Enable VSOCK in SPEC build config
Summary: Enable VSOCK in SPEC build config
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: xrdp
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Itamar Reis Peixoto
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-05 20:17 UTC by mm19827
Modified: 2020-03-09 13:11 UTC

Fixed In Version: xrdp-0.9.12-6.fc31 xrdp-0.9.12-6.fc30 xrdp-0.9.12-6.el8 xrdp-0.9.12-6.el7
Clone Of:
Environment:
Last Closed: 2020-03-01 22:24:44 UTC
Type: Bug
Embargoed:


Attachments
updated selinux policy (890 bytes, text/plain) - 2020-01-12 17:27 UTC, mm19827
colord selinux alert (1.75 KB, text/plain) - 2020-03-08 16:23 UTC, mm19827

Description mm19827 2020-01-05 20:17:44 UTC
Description of problem:

It is possible to get the Enhanced Hyper-V session with Fedora 30 with the following:

1) configuring xrdp.ini according to
https://github.com/microsoft/linux-vm-tools/blob/master/ubuntu/18.04/install.sh
In addition the 'port' parameter needs to be 
port=vsock://-1:3389

2) configuring kernel modules and polkit as described in the script above.

3) configuring sesman.ini to run /usr/libexec/Xorg instead of Xorg (to avoid a global Xwrapper.config) (and also disabling root access)

4) Install a selinux policy to allow xrdp to access the vsock socket.

5) rebuild xrdp from the source package adding --enable-vsock to the SPEC build config.

In short, it appears to be possible to get an enhanced F30 session by enabling vsock in the build, after which only proper sysadmin actions are required (config file editing and selinux policy).

Version-Release number of selected component (if applicable):
0.9.12

How reproducible:
Always

Steps to Reproduce:
See above

Actual results:
No Enhanced session possible

Expected results:
Enhanced session available after proper configuration.

Additional info:
This request is to add --enable-vsock in the SPEC build config, thus allowing for enhanced sessions after proper configuration of the config files, unless there are more important reasons not to enable this.
A nice addition would be an updated selinux policy.

Comment 1 Itamar Reis Peixoto 2020-01-05 20:36:19 UTC
vsock will be enabled anytime soon, please hold.

Comment 2 Maarten Boekhold 2020-01-09 06:06:27 UTC
Eagerly awaiting this support as well. The Ubuntu xrdp packages have vsock enabled, and it makes a huge difference when running under Hyper-V.

Comment 3 Maarten Boekhold 2020-01-12 09:58:07 UTC
(In reply to Maarten Boekhold from comment #2)
> Eagerly awaiting this support as well. The Ubuntu xrdp packages have vsock
> enabled, and it makes a huge difference when running under Hyper-V.

I've manually built the 0.9.12 RPM with --enable-vsock added, and I can confirm that with that one change it's possible to use Hyper-V Enhanced Mode to access a CentOS VM.

Comment 4 Bojan Smojver 2020-01-12 10:57:41 UTC
I just kicked off a whole bunch of vsock enabled builds in koji, including for F30. See whether they are any good for you and let us know.

Comment 5 mm19827 2020-01-12 17:27:57 UTC
Created attachment 1651675 [details]
updated selinux policy

xrdp-0.9.12-2.fc30 works as expected for me on F30.

selinux still denies the xrdp service access to the vsock socket.
Attached is a possible update to the selinux policy, that includes the suggestion from setroubleshoot. However, it might be worth a review.

Comment 6 Bojan Smojver 2020-01-12 20:31:54 UTC
Thanks for the contribution! Kicked off builds in koji with the new policy. If anything else turns up, please feel free to point out.

Comment 7 Maarten Boekhold 2020-01-13 08:13:47 UTC
I've installed https://kojipkgs.fedoraproject.org//packages/xrdp/0.9.12/3.el8/x86_64/xrdp-0.9.12-3.el8.x86_64.rpm on my CentOS 8 VM, and I'm trying to figure out about this SELinux policy.

sudo semodule -l | grep xrdb ==> no result
/etc/sysconfig/selinux ==> SELINUX=enforcing

XRDP doesn't work this way. If I change SELINUX=permissive it works fine. However, I do get 2 password prompts during login:

Authentication is required to create a color managed d[....?]
Authentication is required to refresh the system repositories

Comment 8 Bojan Smojver 2020-01-13 08:44:22 UTC
grep xrdb or xrdp?

Comment 9 Maarten Boekhold 2020-01-13 09:13:20 UTC
(In reply to Bojan Smojver from comment #8)
> grep xrdb or xrdp?

Sorry for the typo, "grep xrdp"... I just double-checked.

Not sure if this is relevant, but I cannot see anything in the xrdp-0.9.12-3.el8.x86_64.rpm file related to SELinux. Not in the contents nor in the scripts (rpm -qp --scripts). I'm a bit of a newcomer to the rpm world however, so I'm not sure I've dug deep enough to be able to really confirm that.

Comment 10 Bojan Smojver 2020-01-13 09:17:34 UTC
You will need to install xrdp-selinux package.

Comment 11 Maarten Boekhold 2020-01-13 10:54:30 UTC
(In reply to Bojan Smojver from comment #10)
> You will need to install xrdp-selinux package.

Hmmm, that depends on selinux-policy >= 3.14.3-20.el8, and I'm not sure where I can install that from for CentOS8. On CentOS this package seems to be part of the BaseOS repository, and the latest version available is 3.14.1-61.el8_0.2.

Comment 12 Bojan Smojver 2020-01-13 10:57:24 UTC
The builds in epel are done against rhel. I cannot remember off the top of my head whether we hardcode the version in the spec file. I'll check.

Comment 13 Bojan Smojver 2020-01-13 11:03:44 UTC
Seems to be picked up automatically by the build.

Comment 14 Maarten Boekhold 2020-01-14 07:29:54 UTC
(In reply to Bojan Smojver from comment #13)
> Seems to be picked up automatically by the build.

So nothing we can do about this except wait till the CentOS team has updated selinux-policy to >= 3.14.3-20.el8 ?

Comment 15 Bojan Smojver 2020-01-14 12:27:03 UTC
You can try testing repos in CentOS. Maybe they have newer selinux packages there. Failing that, you can download the xrdp-selinux RPM, then install it with rpm -Uvh --nodeps. It may work.

Comment 16 Maarten Boekhold 2020-01-15 06:25:45 UTC
(In reply to Bojan Smojver from comment #15)
> You can try testing repos in CentOS. Maybe they have newer selinux packages
> there. Failing that, you can download the xrdp-selinux RPM, then install it
> with rpm -Uvh --nodeps. It may work.

Thanks, that worked, and I'm now able to use XRDP with SELINUX=enforced on CentOS 8.

There's still 2 annoying popups while launching the Gnome desktop, mentioned earlier:


Authentication is required to create a color managed device
Authentication is required to refresh the system repositories

This seems to be a polkit issue. There is a good description
[here](https://c-nergy.be/blog/?p=12073) about this, but focuses on
Ubuntu.

The Microsoft instructions for installing XRDP on Ubuntu VMs
(https://github.com/microsoft/linux-vm-tools/blob/master/ubuntu/18.04/install.sh)
address at least the Color Device policy using the following:

# Configure the policy xrdp session
cat > /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla <<EOF
[Allow Colord all Users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF

This works on CentOS 8 as well.

The message about System repositories is discussed here: https://c-nergy.be/blog/?p=14051

Similar solution:

cat > /etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF
[Allow Package Management all Users]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-sources-refresh
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF

Again, works the same on CentOS. Note that this does NOT give me the
authorization to INSTALL packages. I still need to provide a password
for that. This seems to be related to "dnf check-update" equivalent
functionality only.

Comment 17 Itamar Reis Peixoto 2020-01-15 09:08:10 UTC
(In reply to Maarten Boekhold from comment #16)

Thank you for this valuable information. We are going to talk with the xrdp developers to see if we can upstream these polkit files, or carry them in the rpm file.

Comment 18 mm19827 2020-01-15 14:01:59 UTC
(In reply to Itamar Reis Peixoto from comment #17)

If the goal is to get an rpm that needs no further configuration, then the issue of blacklisting the vmw module should also be considered (mentioned at step 2 of the initial report): I have verified that the module vmw_vsock_vmci_transport indeed conflicts with hv_sock.

Comment 19 Maarten Boekhold 2020-01-16 08:43:24 UTC
(In reply to Maarten Boekhold from comment #14)
> (In reply to Bojan Smojver from comment #13)
> > Seems to be picked up automatically by the build.
> 
> So nothing we can do about this except wait till the CentOS team has updated
> selinux-policy to >= 3.14.3-20.el8 ?

Guess this is solved now with the release of CentOS8 1911 today.

Comment 20 Maarten Boekhold 2020-01-16 08:44:57 UTC
(In reply to mm19827 from comment #18)
> (In reply to Itamar Reis Peixoto from comment #17)
> 
> If the goal is to get a rpm that needs no further configuration, then also
> the issue of blacklisting the vmw module should be considered (mentioned at
> step 2 of the initial report): I have verified that the module
> vmw_vsock_vmci_transport indeed conflicts with hv_sock.

Not convinced of this. It's true that at the moment there's no way to use RDP
over VSOCK with any VMWare product, but that doesn't mean such support won't
come in the future...

Comment 21 mm19827 2020-01-17 20:43:43 UTC
(In reply to Bojan Smojver from comment #6)
> Thanks for the contribution! Kicked off builds in koji with the new policy.
> If anything else turns up, please feel free to point out.

Works for me on F30.

Comment 22 Maarten Boekhold 2020-01-19 06:24:40 UTC
(In reply to mm19827 from comment #21)
> (In reply to Bojan Smojver from comment #6)
> > Thanks for the contribution! Kicked off builds in koji with the new policy.
> > If anything else turns up, please feel free to point out.
> 
> Works for me on F30.

The following steps work for me on a fresh VM installation on Hyper-V
from the CentOS-8.1.1911-x86_64-dvd1.iso DVD:

sudo dnf update
sudo dnf install epel-release
sudo dnf --enablerepo=epel-playground check-update
sudo dnf --enablerepo=epel-playground install xrdp xorgxrdp

sudo sed -i_orig -e 's/port=3389/port=vsock:\/\/-1:3389/g' /etc/xrdp/xrdp.ini
sudo sed -i_orig -e 's/security_layer=negotiate/security_layer=rdp/g' /etc/xrdp/xrdp.ini
sudo sed -i_orig -e 's/crypt_level=high/crypt_level=none/g' /etc/xrdp/xrdp.ini
sudo sed -i_orig -e 's/bitmap_compression=true/bitmap_compression=false/g' /etc/xrdp/xrdp.ini
sudo sed -i -e 's/FuseMountName=thinclient_drives/FuseMountName=shared-drives/g' /etc/xrdp/sesman.ini

echo "hv_sock" | sudo tee /etc/modules-load.d/hv_sock.conf
echo "blacklist vmw_vsock_vmci_transport" | sudo tee /etc/modprobe.d/blacklist_vmw_vsock_vmci_transport.conf
sudo modprobe hv_sock

sudo -s
cat > /etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla <<EOF
[Allow Colord all Users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF

cat > /etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla <<EOF
[Allow Package Management all Users]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-sources-refresh
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF
CTRL-D

sudo systemctl enable xrdp
sudo systemctl enable xrdp-sesman

POWER OFF

Set-VM -VMName FBE -EnhancedSessionTransportType HvSocket
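The configuration steps above (the xrdp.ini and sesman.ini edits, the module files, and the two polkit .pkla files from comment 16) can be collected into one script that also checks its own result. The script below is an added example and is not part of this bug report or of the xrdp package; the function names, the optional root-directory parameter (empty for the live system, a scratch directory for an offline dry run) and the sample config lines are this example's own. It matches whole "key=old" lines, as the sed commands above do, so the per-session "port=-1" lines in xrdp.ini are left alone, and it reports a setting that is already applied or missing instead of silently doing nothing. Note that security_layer=rdp and crypt_level=none switch off RDP-level TLS and encryption, so the setup depends on the vsock channel being reachable only from the Hyper-V host and not from the network.

```shell
#!/bin/sh
# Added example, not part of the bug report or the xrdp package. Applies the
# file edits from comment 22 (xrdp.ini, sesman.ini, module config, the two
# polkit .pkla files from comment 16) under a root directory and verifies
# them. An empty root means the live system (run as root); a scratch
# directory gives an offline dry run. Function names are this example's own.

# Replace one exact "key=old" line with "key=new" (GNU sed -i, as on Fedora
# and CentOS). Matching the whole old line, as the report's sed does, keeps
# the per-session "port=-1" lines in xrdp.ini untouched. Reports a line that
# is already set or missing instead of silently doing nothing.
replace_setting() {
    file="$1" old="$2" new="$3"
    if grep -qxF "$new" "$file"; then
        echo "already set: $new ($file)"
    elif grep -qxF "$old" "$file"; then
        sed -i "s|^$old\$|$new|" "$file"
        echo "set: $new ($file)"
    else
        echo "warning: '$old' not found in $file, left unchanged" >&2
        return 1
    fi
}

# Write the two polkit local-authority files from comment 16. For colord,
# ResultActive=yes with ResultInactive=no and ResultAny=no grants the action
# only to users whose session is active, not to background or remote ones.
write_pkla() {
    dir="$1/etc/polkit-1/localauthority/50-local.d"
    mkdir -p "$dir"
    cat > "$dir/45-allow-colord.pkla" <<'EOF'
[Allow Colord all Users]
Identity=unix-user:*
Action=org.freedesktop.color-manager.create-device;org.freedesktop.color-manager.create-profile;org.freedesktop.color-manager.delete-device;org.freedesktop.color-manager.delete-profile;org.freedesktop.color-manager.modify-device;org.freedesktop.color-manager.modify-profile
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF
    cat > "$dir/46-allow-update-repo.pkla" <<'EOF'
[Allow Package Management all Users]
Identity=unix-user:*
Action=org.freedesktop.packagekit.system-sources-refresh
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF
}

configure_xrdp_vsock() {
    root="${1:-}"
    status=0
    xrdp_ini="$root/etc/xrdp/xrdp.ini"
    sesman_ini="$root/etc/xrdp/sesman.ini"

    # Listen on the Hyper-V socket instead of TCP 3389. security_layer=rdp
    # and crypt_level=none switch off RDP-level TLS and encryption, so this
    # relies on the vsock channel being host-local and not network-reachable.
    replace_setting "$xrdp_ini" "port=3389" "port=vsock://-1:3389" || status=1
    replace_setting "$xrdp_ini" "security_layer=negotiate" "security_layer=rdp" || status=1
    replace_setting "$xrdp_ini" "crypt_level=high" "crypt_level=none" || status=1
    replace_setting "$xrdp_ini" "bitmap_compression=true" "bitmap_compression=false" || status=1
    replace_setting "$sesman_ini" "FuseMountName=thinclient_drives" "FuseMountName=shared-drives" || status=1

    # Load hv_sock at boot and keep the VMware vsock transport from claiming
    # the address family (comment 18). Plain redirections, because this runs
    # as root; "sudo echo > file" would redirect as the unprivileged user.
    mkdir -p "$root/etc/modules-load.d" "$root/etc/modprobe.d"
    echo "hv_sock" > "$root/etc/modules-load.d/hv_sock.conf"
    echo "blacklist vmw_vsock_vmci_transport" > "$root/etc/modprobe.d/blacklist_vmw_vsock_vmci_transport.conf"

    write_pkla "$root"
    return $status
}

# Check every file the procedure is supposed to leave behind.
verify_xrdp_vsock() {
    root="${1:-}"
    grep -qxF "port=vsock://-1:3389" "$root/etc/xrdp/xrdp.ini" &&
    grep -qxF "security_layer=rdp" "$root/etc/xrdp/xrdp.ini" &&
    grep -qxF "FuseMountName=shared-drives" "$root/etc/xrdp/sesman.ini" &&
    grep -qxF "hv_sock" "$root/etc/modules-load.d/hv_sock.conf" &&
    grep -qxF "blacklist vmw_vsock_vmci_transport" "$root/etc/modprobe.d/blacklist_vmw_vsock_vmci_transport.conf" &&
    [ -f "$root/etc/polkit-1/localauthority/50-local.d/45-allow-colord.pkla" ] &&
    [ -f "$root/etc/polkit-1/localauthority/50-local.d/46-allow-update-repo.pkla" ]
}

# "sudo sh xrdp-vsock.sh --apply" edits the live system; "--apply /tmp/x"
# dry-runs against a scratch tree. Nothing runs when sourced without --apply.
case "${1:-}" in
    --apply) configure_xrdp_vsock "${2:-}" && verify_xrdp_vsock "${2:-}" && echo "xrdp vsock configuration OK" ;;
esac
```

The runtime steps stay as in the comment: modprobe hv_sock, enable the xrdp and xrdp-sesman services, power the VM off and run Set-VM with -EnhancedSessionTransportType HvSocket on the Hyper-V host. Since the xrdp-0.9.12-6 packages ship a polkit rule of their own in /usr/share/polkit-1/rules.d/xrdp.rules (comment 31), check whether the .pkla files are still needed on the installed version before adding them.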

Comment 23 Fedora Update System 2020-02-22 00:03:25 UTC
FEDORA-EPEL-2020-8a94cd1032 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8a94cd1032

Comment 24 Fedora Update System 2020-02-22 00:03:26 UTC
FEDORA-2020-d6c71e5834 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d6c71e5834

Comment 25 Fedora Update System 2020-02-23 01:35:07 UTC
xrdp-0.9.12-6.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-963abed1f3

Comment 26 Fedora Update System 2020-02-23 01:35:21 UTC
xrdp-0.9.12-6.el8 has been pushed to the Fedora EPEL 8 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-8a94cd1032

Comment 27 Fedora Update System 2020-02-23 01:56:28 UTC
xrdp-0.9.12-6.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-5ab02db727

Comment 28 Fedora Update System 2020-02-23 02:17:44 UTC
xrdp-0.9.12-6.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d6c71e5834

Comment 29 Fedora Update System 2020-03-01 22:24:44 UTC
xrdp-0.9.12-6.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2020-03-01 23:19:40 UTC
xrdp-0.9.12-6.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 31 mm19827 2020-03-06 19:09:27 UTC
After installing the polkit rule from the RPM (/usr/share/polkit-1/rules.d/xrdp.rules), a SELinux alert occurs.
For some reason, this does not happen if the policy is modified via localauthority as in comment 22.

The SELinux denial is:
SELinux is preventing colord from search access on the directory 1946.

In this instance the directory 1946 looks like it is /proc/1946 or /proc/1946/task/1946, which are associated with the process gsd-color (pid 1946).
I have no idea if this is a bug in colord or a consequence of the resolution of this bug; anyway, I thought it was worth reporting.

Except for the alert, the RDP session appears to start correctly.

This is happening with xrdp-0.9.12-6.fc30 on F30.

Comment 32 Bojan Smojver 2020-03-07 07:18:43 UTC
Could you post the complete selinux alert detail here? Not quite sure what's going on, but definitely worth checking it out.

Comment 33 mm19827 2020-03-08 16:23:12 UTC
Created attachment 1668453 [details]
colord selinux alert

colord selinux alert attached

Comment 34 Fedora Update System 2020-03-09 02:05:44 UTC
xrdp-0.9.12-6.el8 has been pushed to the Fedora EPEL 8 stable repository. If problems still persist, please make note of it in this bug report.

Comment 35 Bojan Smojver 2020-03-09 02:25:54 UTC
I just installed fresh F30, applied all updates from testing, installed xrdp and xorgxrdp, configured according to readme file, also installed group gnome. Cannot reproduce.

Comment 36 Fedora Update System 2020-03-09 02:30:17 UTC
xrdp-0.9.12-6.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 37 Bojan Smojver 2020-03-09 02:37:13 UTC
I see what the problem is. Please adjust /etc/pam.d/xrdp-sesman file, as per readme file. Unfortunately, we cannot predict what kind of desktop people will run, so this file ships with upstream defaults.

Comment 38 mm19827 2020-03-09 13:11:43 UTC
(In reply to Bojan Smojver from comment #37)
> I see what the problem is. Please adjust /etc/pam.d/xrdp-sesman file, as per
> readme file. Unfortunately, we cannot predict what kind of desktop people
> will run, so this file ships with upstream defaults.

That was it, thanks.
Sorry for the noise.

