2017-04-03 22:49:00 +00:00

Restarts
========

Service restarts after RPM package upgrades have been disabled on purpose.
This is to avoid a situation where an update is performed from within a
session running on xrdp, which can then cause dnf to perform only part of the
transaction and leave the system in a state that requires further manual
intervention, including removal of duplicate packages etc.

So, it will be up to the user/admin to restart the xrdp service after any RPM
package upgrade. This is in line with what other GUI systems like Xorg and
Wayland do.

xorgxrdp
========

On Fedora, /usr/bin/Xorg is a script that starts either
/usr/libexec/Xorg.wrap, which is a SUID binary, or /usr/libexec/Xorg, if the
former does not exist. The xrdp binary makes sure that the SUID bit of the
Xorg.wrap binary is not obeyed.

However, Xorg.wrap has an additional hurdle to clear, because by default
it will only allow users logged into the console to start it.

An Xorg xrdp session run via xorgxrdp will normally use a user account that
is not logged onto the console. To avoid Xorg.wrap refusing to run, put the
following into /etc/X11/Xwrapper.config:

allowed_users = anybody

Note that xorgxrdp is not installed and configured by default. Each build
depends on a specific binary version of Xorg, which tends to create very
strict installation dependencies that can be an inconvenience in EPEL.

SELinux
=======

Please note that you may need to install the xrdp-selinux package in order to
get the required SELinux policy that will allow xrdp and associated processes
to run successfully if SELinux is enabled. On versions of Fedora and RHEL that
support weak dependencies, xrdp-selinux will be a recommended package.

WARNING: The policy module contains a rule that permits unconfined_service_t
processes to transition into unconfined_t. If xrdp is not the only service
that runs as unconfined_service_t on your system, this policy will allow any
other such service to transition as well.

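To gauge the exposure described in the warning above, the following added
example (not part of the xrdp package or its policy module) lists processes
other than xrdp that run as unconfined_service_t. The function names, the
xrdp process names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list processes other than xrdp that run in the
# unconfined_service_t domain and would gain the same transition.

# Reads "LABEL PID COMMAND" lines (the layout of `ps -eo label=,pid=,comm=`)
# on stdin and prints "PID COMMAND" for each non-xrdp process whose SELinux
# type is unconfined_service_t.
other_unconfined_services() {
    awk '
        {
            # A label is user:role:type:level; the level may itself contain
            # colons, so take the third field rather than the last one.
            n = split($1, ctx, ":")
            if (n < 3 || ctx[3] != "unconfined_service_t") next
            # Assumption: the xrdp daemons are named xrdp and xrdp-sesman.
            if ($3 == "xrdp" || $3 == "xrdp-sesman") next
            print $2, $3
        }'
}

# Constructed sample input, not captured from a real system.
sample_ps() {
    cat <<'EOF'
system_u:system_r:unconfined_service_t:s0 812 xrdp
system_u:system_r:unconfined_service_t:s0 815 xrdp-sesman
system_u:system_r:sshd_t:s0-s0:c0.c1023 901 sshd
system_u:system_r:unconfined_service_t:s0 1044 backup-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 bash
system_u:system_r:init_t:s0 1 systemd
EOF
}

# With --live, inspect the running system; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then
    ps -eo label=,pid=,comm= | other_unconfined_services
else
    sample_ps | other_unconfined_services
fi
```

Any process reported with --live is a service that the transition rule also
covers and is worth reviewing before installing the policy module.
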
The default configuration in /etc/pam.d/xrdp-sesman uses password-auth for
auth, account, password and session. This may result in an incorrect context
for the processes in the session. Please adjust this file to match your
desktop environment. An example for the Gnome desktop is given in the file.

TigerVNC >= 1.8.0
=================

TigerVNC 1.8.0 enables clipboard support by default (i.e. no need to run
vncconfig), which may cause disconnections in xrdp. To avoid the issue, the
following parameters can be added to the [Xvnc] stanza in
/etc/xrdp/sesman.ini:

param=-AcceptCutText=0
param=-SendCutText=0
param=-SendPrimary=0
param=-SetPrimary=0

Of course, cut and paste support will not work with these set.

Runlevel
========

If the system is configured to boot into the graphical target, you may
experience problems with xrdp Gnome sessions. In order to avoid this, put the
system into the multi-user target, like this:

systemctl set-default multi-user.target

Then reboot.

VSOCK
=====

An example of how to set up xrdp with VSOCK can be found here:

https://bugzilla.redhat.com/show_bug.cgi?id=1787953#c22

Please note that polkit rules for active sessions, allowing access to colord
and repository updates, are already shipped, but in the current JavaScript
format.