Bojan Smojver c89b807752 Rework starting of Xorg to use setpriv, directly from xrdp.
Document SELinux deficiencies.
2017-04-08 16:24:24 +10:00
.gitignore Upload xrdp-0.9.2.tar.gz 2017-03-29 23:59:01 -07:00
openssl.conf Add expanded openssl.conf to sources, use no location in certificate 2017-01-22 22:23:24 -08:00
README.Fedora Rework starting of Xorg to use setpriv, directly from xrdp. 2017-04-08 16:24:24 +10:00
sources Upload xrdp-0.9.2.tar.gz 2017-03-29 23:59:01 -07:00
xrdp-0.9.2-service.patch Bump up to 0.9.2. 2017-03-31 11:37:08 +11:00
xrdp-0.9.2-sesman.patch Rework starting of Xorg to use setpriv, directly from xrdp. 2017-04-08 16:24:24 +10:00
xrdp-0.9.2-setpriv.patch Rework starting of Xorg to use setpriv, directly from xrdp. 2017-04-08 16:24:24 +10:00
xrdp-0.9.2-xrdp-ini.patch Bump up to 0.9.2. 2017-03-31 11:37:08 +11:00
xrdp-sesman.pamd upgrade to 0.9.0 2015-07-15 14:34:45 -03:00
xrdp.logrotate Fix log file rotation. 2017-02-16 10:02:51 +11:00
xrdp.spec Rework starting of Xorg to use setpriv, directly from xrdp. 2017-04-08 16:24:24 +10:00
xrdp.sysconfig initial version 2009-08-14 18:01:35 +00:00

Restarts
========

Service restarts after RPM package upgrades have been disabled on purpose.
This is to avoid a situation where an update is performed from within a
session running on xrdp, which can then cause dnf to only perform part of the
transaction and leave the system in a state that requires further manual
intervention, including removal of duplicate packages etc.

So, it will be up to the user/admin to restart the xrdp service after any RPM
package upgrade. This is in line with what other GUI systems like Xorg and
Wayland do.

xorgxrdp
========

On Fedora, /usr/bin/Xorg is a script that starts either
/usr/libexec/Xorg.wrap, which is a SUID binary, or /usr/libexec/Xorg, if the
former does not exist. The xrdp binary makes sure that the SUID bit of the
Xorg.wrap binary is not obeyed.

However, Xorg.wrap has an additional hurdle to clear, because by default
it will only allow users logged into the console to start it.

An Xorg xrdp session run via xorgxrdp will normally use a user account that
is not logged onto the console. To avoid Xorg.wrap refusing to run, put the
following into /etc/X11/Xwrapper.config:

allowed_users = anybody

SELinux
=======

Please note that you may need to add an SELinux policy module in order to run
xrdp successfully under Fedora with SELinux enabled. One way to do this is to
put SELinux into permissive mode and build the policy from the denials you see
in the audit logs.

We are working on making this part of the default installation, but it is not
quite there yet as of this writing.
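
The following is an added example, not part of this package or of xrdp. It groups AVC denials from an audit log into the allow rules they imply, so they can be reviewed before a policy module is built from them. In permissive mode denials from every process are logged, so it keeps only those for the named commands. The log lines, SELinux type names and comm values are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from a real system). The SELinux type
# names and the comm values are placeholders chosen for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1491632664.101:410): avc:  denied  { read } for  pid=2101 comm="xrdp-sesman" name="a.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:example_xrdp_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1491632664.102:411): avc:  denied  { open getattr } for  pid=2101 comm="xrdp-sesman" path="/example/a.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:example_xrdp_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1491632670.500:419): avc:  denied  { connectto } for  pid=2150 comm="Xorg" path="/example/sock" scontext=system_u:system_r:example_xrdp_t:s0 tcontext=system_u:system_r:example_other_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1491632699.000:430): avc:  denied  { write } for  pid=3000 comm="unrelated-daemon" name="x" dev="dm-0" ino=2002 scontext=system_u:system_r:example_unrelated_t:s0 tcontext=system_u:object_r:example_var_t:s0 tclass=dir permissive=1
type=USER_AUTH msg=audit(1491632700.000:431): pid=3100 uid=0 msg='op=PAM:authentication acct="user" res=success'
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text, comms):
    """Group AVC denials from the given commands by (source, target, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if match is None or match["comm"] not in comms:
            continue  # not an AVC denial, or logged for an unrelated process
        key = (selinux_type(match["scon"]), selinux_type(match["tcon"]), match["tclass"])
        rules[key].update(match["perms"].split())
    return rules

def render_allow_rules(rules):
    """Render the grouped denials as allow rules for review."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
    return lines

if __name__ == "__main__":
    for rule in render_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG, {"xrdp-sesman", "Xorg"})):
        print(rule)
```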