Restarts
========

Service restarts after RPM package upgrades have been disabled on purpose.
This is to avoid a situation where an update is performed from within a
session running on xrdp, which can then cause dnf to only perform part of the
transaction and leave the system in a state that requires further manual
intervention, including removal of duplicate packages etc.

So, it will be up to the user/admin to restart the xrdp service after any RPM
package upgrade. This is in line with what other GUI systems like Xorg and
Wayland do.

xorgxrdp
========

On Fedora, /usr/bin/Xorg is a script that starts either
/usr/libexec/Xorg.wrap, which is a SUID binary, or /usr/libexec/Xorg, if the
former does not exist. The xrdp binary makes sure that the SUID bit of the
Xorg.wrap binary is not obeyed.

However, Xorg.wrap has an additional hurdle to clear, because by default
it will only allow users logged into the console to start it.

An Xorg xrdp session run via xorgxrdp will normally use a user account that
is not logged onto the console. To avoid Xorg.wrap refusing to run, put the
following into /etc/X11/Xwrapper.config:

allowed_users = anybody

SELinux
=======

Please note that you may need to add an SELinux policy module in order to run
xrdp successfully under Fedora with SELinux enabled. One way to do this is to
put SELinux into permissive mode and build the policy from the denials you see
in the audit logs.
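
One way to review the denials before turning them into a policy module, as an
added example (not part of this README or the xrdp package): it groups AVC
records from the audit log by source type, target type and object class,
keeping only denials raised by commands whose name starts with xrdp. The log
lines and the example_*_t type names are constructed placeholders, and
filtering on the comm field is an assumption about how the relevant denials
are identified.

```python
import re
from collections import defaultdict

# Constructed audit records, not from a real system. The SELinux type names
# (example_*_t) are placeholders, not types from the Fedora policy.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=900 comm="xrdp-sesman" name="example.conf" dev="dm-0" ino=11 scontext=system_u:system_r:example_xrdp_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 comm="xrdp-sesman"
type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=900 comm="xrdp-sesman" path="/etc/example.conf" dev="dm-0" ino=11 scontext=system_u:system_r:example_xrdp_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.250:203): avc:  denied  { name_bind } for  pid=901 comm="xrdp" src=3389 scontext=system_u:system_r:example_xrdp_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.300:204): avc:  denied  { write } for  pid=77 comm="cupsd" name="example.log" dev="dm-0" ino=12 scontext=system_u:system_r:example_print_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]*)".*?'
    r'\bscontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else context

def summarize_denials(log_text, comm_prefix="xrdp"):
    """Group AVC denials whose command name starts with comm_prefix by
    (source type, target type, object class) and merge their permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        m = AVC_RE.search(line)
        if m is None or not m.group("comm").startswith(comm_prefix):
            continue  # unparsable record, or a denial from another program
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def render_allow_rules(rules):
    """Render the grouped denials as the allow rules a module would contain."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {text};")
    return lines

if __name__ == "__main__":
    print("\n".join(render_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG))))
```

In permissive mode every confined process logs its denials, so the filter
keeps unrelated ones, such as the constructed cupsd record, out of the rules
reviewed for xrdp.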

We are working on making this part of the default installation, but it is not
quite there yet as of this writing.