From ca00d54484bcf4e74b6a36ec7ec85839d605cb35 Mon Sep 17 00:00:00 2001 From: Bojan Smojver Date: Thu, 30 Jan 2020 05:55:40 +1100 Subject: [PATCH] README.Fedora: VSOCK support. README.Fedora: possibly incorrect SELinux context of the session. Add polkit-1 rules for colord access and repo refresh. --- README.Fedora | 15 +++++++++++++++ xrdp-polkit-1.rules | 14 ++++++++++++++ xrdp.spec | 12 +++++++++++- 3 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 xrdp-polkit-1.rules diff --git a/README.Fedora b/README.Fedora index 58a593f..a839c7e 100644 --- a/README.Fedora +++ b/README.Fedora @@ -45,6 +45,11 @@ processes to transition into unconfined_t. If xrdp is not the only service that runs as unconfined_service_t on your system, this policy will allow any other such service to transition as well. +Default configuration in /etc/pam.d/xrdp-sesman uses password-auth for auth, +account, password and session. This may result in an incorrect context for +the processes in the session. Please adjust this file to match your desktop +environment. An example for Gnome desktop is given in the file. + TigerVNC >= 1.8.0 ================= @@ -69,3 +74,13 @@ multi user target. Like this: systemctl set-default multi-user.target Then reboot. + +VSOCK +======== +An example of a how to set up xrdp with VSOCK can be found here: + +https://bugzilla.redhat.com/show_bug.cgi?id=1787953#c22 + +Please note that polkit rules for active sessions, allowing access to colord +and repository updates are already shipped, but in a current, JavaScript +format. diff --git a/xrdp-polkit-1.rules b/xrdp-polkit-1.rules new file mode 100644 index 0000000..8dfec5d --- /dev/null +++ b/xrdp-polkit-1.rules 
@@ -0,0 +1,14 @@
+polkit.addRule(function(action, subject) {
+ if ((action.id == "org.freedesktop.color-manager.create-device" ||
+ action.id == "org.freedesktop.color-manager.create-profile"||
+ action.id == "org.freedesktop.color-manager.delete-device" ||
+ action.id == "org.freedesktop.color-manager.delete-profile" ||
+ action.id == "org.freedesktop.color-manager.modify-device" ||
+ action.id == "org.freedesktop.color-manager.modify-profile" ||
+ action.id == "org.freedesktop.packagekit.system-sources-refresh") &&
+ subject.active == true) {
+ return polkit.Result.YES;
+ }
+
+ return polkit.Result.NOT_HANDLED;
+});
diff --git a/xrdp.spec b/xrdp.spec
index fb08936..82c8e5d 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -13,7 +13,7 @@ Summary: Open source remote desktop protocol (RDP) server
 Name: xrdp
 Epoch: 1
 Version: 0.9.12
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 URL: http://www.xrdp.org/
 Source0: https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/xrdp-%{version}.tar.gz
@@ -23,6 +23,7 @@ Source3: xrdp.logrotate
 Source4: openssl.conf
 Source5: README.Fedora
 Source6: xrdp.te
+Source6: xrdp-polkit-1.rules
 Patch0: xrdp-0.9.9-sesman.patch
 Patch1: xrdp-0.9.11-xrdp-ini.patch
 Patch2: xrdp-0.9.4-service.patch
@@ -41,6 +42,7 @@ BuildRequires: pkgconfig(openssl)
 BuildRequires: pkgconfig(pixman-1)
 BuildRequires: pkgconfig(systemd)
 BuildRequires: nasm
+BuildRequires: polkit-devel
 BuildRequires: checkpolicy, selinux-policy-devel
 BuildRequires: %{_hardlink}
@@ -133,6 +135,9 @@ cd -
 %{__mv} -f %{buildroot}%{_sysconfdir}/xrdp/startwm.sh %{buildroot}%{_libexecdir}/xrdp/
 %{__mv} -f %{buildroot}%{_sysconfdir}/xrdp/reconnectwm.sh %{buildroot}%{_libexecdir}/xrdp/
+#install xrdp.rules /usr/share/polkit-1/rules.d
+%{__install} -Dp -m 644 %{SOURCE6} %{buildroot}%{_datadir}/polkit-1/rules.d/xrdp.rules
+
 # SELinux policy module
 for selinuxvariant in %{selinux_variants}
 do
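Review bot: The rule in the new xrdp-polkit-1.rules returns `polkit.Result.YES` for any subject with `subject.active == true`, and nothing in the condition ties it to xrdp sessions, so once the file sits in rules.d it presumably applies to every active session on the host. That removes the authentication prompt for the six colord create/delete/modify actions and for `org.freedesktop.packagekit.system-sources-refresh` for all of those users. Consider narrowing the match, for example `subject.active == true && subject.isInGroup("<GROUP_PLACEHOLDER>")`, where the group name is a placeholder for whichever group the packager decides should hold this right. A header comment such as `// Shipped by xrdp: lets active sessions manage colord devices/profiles and refresh repositories without a prompt` would let an administrator auditing rules.d see the intended scope.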
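Review bot: In the xrdp.spec hunk `@@ -23,6 +23,7 @@`, the added line `Source6: xrdp-polkit-1.rules` reuses the number already held by `Source6: xrdp.te` on the line above, so `%{SOURCE6}` no longer names a single file. The install step added in the `@@ -133,6 +135,9 @@` hunk expands `%{SOURCE6}` into `rules.d/xrdp.rules`, and any SELinux module build step that uses the same macro (not visible in this diff) would be affected too; depending on the rpm version the duplicate tag may also be rejected outright. Use the next free number, `Source7: xrdp-polkit-1.rules`, and `%{SOURCE7}` in the `%{__install}` line.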
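Review bot: The file installed to `%{buildroot}%{_datadir}/polkit-1/rules.d/xrdp.rules` in the xrdp.spec hunk `@@ -133,6 +135,9 @@` is not added to `%files` by any hunk of this patch; the last hunk shows the list still ending at `%{_datadir}/selinux/*/%{name}.pp`. Unless an entry outside the diff already covers that directory, the build would stop on an unpackaged file or the rule would not ship, so add `%{_datadir}/polkit-1/rules.d/xrdp.rules` to `%files`. Since the rule is only copied into place, the `BuildRequires: polkit-devel` added in the `@@ -41,6 +42,7 @@` hunk looks unnecessary, while a runtime dependency on polkit may be what is wanted; worth confirming. The install section continues outside the hunk.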
@@ -269,6 +274,11 @@ fi
 %{_datadir}/selinux/*/%{name}.pp
 %changelog
+* Thu Jan 30 2020 Bojan Smojver - 1:0.9.12-4
+- README.Fedora: VSOCK support
+- README.Fedora: possibly incorrect SELinux context of the sessions
+- Add polkit-1 rules for colord access and repo refresh
+
 * Mon Jan 13 2020 Bojan Smojver - 1:0.9.12-3
 - Add vsock items to SELinux policy (thanks to mm19827 of gmail.com)