Restarts
========

Service restarts after RPM package upgrades have been disabled on purpose.
This is to avoid a situation where an update is performed from within a
session running on xrdp, which can then cause dnf to only perform part of the
transaction and leave the system in a state that requires further manual
intervention, including removal of duplicate packages etc.

So, it will be up to the user/admin to restart the xrdp service after any RPM
package upgrade. This is in line with what other GUI systems like Xorg and
Wayland do.

xorgxrdp
========

On Fedora, /usr/bin/Xorg is a script that starts either
/usr/libexec/Xorg.wrap, which is a SUID binary, or /usr/libexec/Xorg, if the
former does not exist. The xrdp binary makes sure that the SUID bit of the
Xorg.wrap binary is not obeyed.

However, Xorg.wrap has an additional hurdle to clear, because by default
it will only allow users logged into the console to start it.

So, in order to run the Xorg xrdp session via xorgxrdp, normally a user
account not logged onto the console will be used. To avoid Xorg.wrap refusing
to run, put the following into /etc/X11/Xwrapper.config:

allowed_users = anybody

Note that xorgxrdp is not installed and configured by default. Each build
depends on a specific binary version of Xorg, which tends to create very strict
installation dependencies that can be an inconvenience in EPEL.

SELinux
=======

Please note that you may need to install the xrdp-selinux package in order to
get the required SELinux policy that will allow xrdp and associated processes
to run successfully if SELinux is enabled. On versions of Fedora and RHEL that
support weak dependencies, xrdp-selinux will be a recommended package.

WARNING: The policy module contains a rule that permits unconfined_service_t
processes to transition into unconfined_t. If xrdp is not the only service
that runs as unconfined_service_t on your system, this policy will allow any
other such service to transition as well.

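One way to check the condition named in the warning above, as an added example that is not part of the xrdp package or this README: list every process in the unconfined_service_t domain that does not belong to xrdp. It assumes xrdp daemons have command names beginning with `xrdp`; the sample process list, including `backup-agent`, is constructed.

```shell
#!/bin/sh
# Added example. Input format: "LABEL PID COMMAND", as printed by
#   ps -eo label,pid,comm
# Assumption: command names of xrdp daemons start with "xrdp".

# Reads ps output on stdin and prints "PID COMMAND" for every process in
# unconfined_service_t that is not an xrdp daemon.
other_unconfined_services() {
    awk '
        NR == 1 && $1 == "LABEL" { next }        # skip the ps header
        {
            # An SELinux context is user:role:type:level; the level may
            # itself contain colons (s0-s0:c0.c1023), so use field 3 only.
            n = split($1, ctx, ":")
            if (n < 4 || ctx[3] != "unconfined_service_t") next
            if ($3 ~ /^xrdp/) next                # assumed xrdp daemons
            print $2, $3
        }'
}

# Constructed sample input (not taken from a real host).
sample_ps_output() {
    cat <<'EOF'
LABEL                                   PID COMMAND
system_u:system_r:init_t:s0               1 systemd
system_u:system_r:unconfined_service_t:s0 812 xrdp-sesman
system_u:system_r:unconfined_service_t:s0 815 xrdp
system_u:system_r:unconfined_service_t:s0 903 backup-agent
system_u:system_r:sshd_t:s0-s0:c0.c1023 950 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1201 bash
EOF
}

# Exit status 0 when xrdp is the only unconfined_service_t service on stdin,
# 1 when other services can also use the transition rule.
xrdp_is_only_unconfined_service() {
    [ -z "$(other_unconfined_services)" ]
}

# On a live SELinux host: ps -eo label,pid,comm | other_unconfined_services
sample_ps_output | other_unconfined_services
```
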
The default configuration in /etc/pam.d/xrdp-sesman uses password-auth for
auth, account, password and session. This may result in an incorrect SELinux
context for the processes in the session. Please adjust this file to match
your desktop environment. An example for the GNOME desktop is given in the
file.

TigerVNC >= 1.8.0
=================

TigerVNC 1.8.0 enables clipboard support by default (i.e. no need to run
vncconfig), which may cause disconnections in xrdp. To avoid the issue, add
the following to the [Xvnc] stanza in /etc/xrdp/sesman.ini:

param=-AcceptCutText=0
param=-SendCutText=0
param=-SendPrimary=0
param=-SetPrimary=0

Of course, cut and paste support will not work with these set.

Runlevel
========

If the system is configured to boot into the graphical target, you may
experience problems with xrdp GNOME sessions. In order to avoid this, put the
system into the multi-user target, like this:

systemctl set-default multi-user.target

Then reboot.

VSOCK
=====

An example of how to set up xrdp with VSOCK can be found here:

https://bugzilla.redhat.com/show_bug.cgi?id=1787953#c22

Please note that polkit rules for active sessions, allowing access to colord
and repository updates are already shipped, but in a current, JavaScript
format.