README.Fedora: VSOCK support.

README.Fedora: possibly incorrect SELinux context of the session. Add polkit-1 rules for colord access and repo refresh.
2020-01-30 05:55:40 +11:00 · 2020-01-30 05:55:40 +11:00 · ca00d54484
parent d012f391c4
commit ca00d54484
3 changed files with 40 additions and 1 deletions
--- a/README.Fedora
+++ b/README.Fedora
@ -45,6 +45,11 @@ processes to transition into unconfined_t. If xrdp is not the only service
 that runs as unconfined_service_t on your system, this policy will allow any
 other such service to transition as well.

+Default configuration in /etc/pam.d/xrdp-sesman uses password-auth for auth,
+account, password and session. This may result in an incorrect context for
+the processes in the session. Please adjust this file to match your desktop
+environment. An example for Gnome desktop is given in the file.
+
 TigerVNC >= 1.8.0
 =================

@ -69,3 +74,13 @@ multi user target. Like this:
 systemctl set-default multi-user.target

 Then reboot.
+
+VSOCK
+========
+An example of a how to set up xrdp with VSOCK can be found here:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1787953#c22
+
+Please note that polkit rules for active sessions, allowing access to colord
+and repository updates are already shipped, but in a current, JavaScript
+format.
--- a/xrdp-polkit-1.rules
+++ b/xrdp-polkit-1.rules
@ -0,0 +1,14 @@
+polkit.addRule(function(action, subject) {
+    if ((action.id == "org.freedesktop.color-manager.create-device" ||
+         action.id == "org.freedesktop.color-manager.create-profile"||
+         action.id == "org.freedesktop.color-manager.delete-device" ||
+         action.id == "org.freedesktop.color-manager.delete-profile" ||
+         action.id == "org.freedesktop.color-manager.modify-device" ||
+         action.id == "org.freedesktop.color-manager.modify-profile" ||
+         action.id == "org.freedesktop.packagekit.system-sources-refresh") &&
+        subject.active == true) {
+            return polkit.Result.YES;
+    }
+
+    return polkit.Result.NOT_HANDLED;
+});
--- a/xrdp.spec
+++ b/xrdp.spec
@ -13,7 +13,7 @@ Summary:   Open source remote desktop protocol (RDP) server
 Name:      xrdp
 Epoch:     1
 Version:   0.9.12
-Release:   3%{?dist}
+Release:   4%{?dist}
 License:   ASL 2.0
 URL:       http://www.xrdp.org/
 Source0:   https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/xrdp-%{version}.tar.gz
@ -23,6 +23,7 @@ Source3:   xrdp.logrotate
 Source4:   openssl.conf
 Source5:   README.Fedora
 Source6:   xrdp.te
+Source6:   xrdp-polkit-1.rules
 Patch0:    xrdp-0.9.9-sesman.patch
 Patch1:    xrdp-0.9.11-xrdp-ini.patch
 Patch2:    xrdp-0.9.4-service.patch
@ -41,6 +42,7 @@ BuildRequires: pkgconfig(openssl)
 BuildRequires: pkgconfig(pixman-1)
 BuildRequires: pkgconfig(systemd)
 BuildRequires: nasm
+BuildRequires: polkit-devel

 BuildRequires: checkpolicy, selinux-policy-devel
 BuildRequires: %{_hardlink}
@ -133,6 +135,9 @@ cd -
 %{__mv} -f %{buildroot}%{_sysconfdir}/xrdp/startwm.sh %{buildroot}%{_libexecdir}/xrdp/
 %{__mv} -f %{buildroot}%{_sysconfdir}/xrdp/reconnectwm.sh %{buildroot}%{_libexecdir}/xrdp/

+#install xrdp.rules /usr/share/polkit-1/rules.d
+%{__install} -Dp -m 644 %{SOURCE6} %{buildroot}%{_datadir}/polkit-1/rules.d/xrdp.rules
+
 # SELinux policy module
 for selinuxvariant in %{selinux_variants}
 do
@ -269,6 +274,11 @@ fi
 %{_datadir}/selinux/*/%{name}.pp

 %changelog
+* Thu Jan 30 2020 Bojan Smojver <bojan@rexurive.com> - 1:0.9.12-4
+- README.Fedora: VSOCK support
+- README.Fedora: possibly incorrect SELinux context of the sessions
+- Add polkit-1 rules for colord access and repo refresh
+
 * Mon Jan 13 2020 Bojan Smojver <bojan@rexurive.com> - 1:0.9.12-3
 - Add vsock items to SELinux policy (thanks to mm19827 of gmail.com)