2017-04-03 22:49:00 +00:00
|
|
|
Restarts
|
|
|
|
|
========
|
|
|
|
|
|
|
|
|
|
Service restarts after RPM package upgrades have been disabled on purpose.
|
|
|
|
|
This is to avoid a situation where an update is performed from within a
|
|
|
|
|
session running on xrdp, which can then cause dnf to only perform part of the
|
|
|
|
|
transaction and leave the system in a state that requires further manual
|
|
|
|
|
intervention, including removal of duplicate packages etc.
|
|
|
|
|
|
|
|
|
|
So, it will be up to the user/admin to restart xrdp service after any RPM
|
|
|
|
|
package upgrade. This is in line with what other GUI systems like Xorg and
|
|
|
|
|
Wayland do.
|
|
|
|
|
|
|
|
|
|
xorgxrdp
|
|
|
|
|
========
|
|
|
|
|
|
|
|
|
|
On Fedora, /usr/bin/Xorg is a script that starts either
|
|
|
|
|
/usr/libexec/Xorg.wrap, which is a SUID binary, or /usr/libexec/Xorg, if the
|
|
|
|
|
former does not exist. Xrdp binary makes sure that SUID of the Xorg.wrap
|
|
|
|
|
binary is not obeyed.
|
|
|
|
|
|
|
|
|
|
However, the Xorg.wrap has an additional hurdle to clear, because by default,
|
|
|
|
|
it will only allow users logged into the console to start it.
|
|
|
|
|
|
|
|
|
|
So, in order to run the Xorg xrdp session via xrogxrdp, normally a user
|
|
|
|
|
account not logged onto the console will be used. To avoid Xorg.wrap refusing
|
|
|
|
|
to run, put the following into /etc/X11/Xwrapper.config:
|
|
|
|
|
|
|
|
|
|
allowed_users = anybody
|
2017-04-08 06:24:24 +00:00
|
|
|
|
|
|
|
|
SELinux
|
|
|
|
|
=======
|
|
|
|
|
|
|
|
|
|
Please note that you may need to add an SELinux policy module in order to run
|
|
|
|
|
xrdp successfully under Fedora with SELinux enabled. One way to do this is to
|
|
|
|
|
put SELinux into permissive mode and build the policy from the denials you see
|
|
|
|
|
in the audit logs.
|
|
|
|
|
|
|
|
|
|
We are working on making this part of the default installation, but it is not
|
|
|
|
|
quite there yet as of this writing.
|
