Fail to connect to Fedora with the nightly build due to selinux #4267

Closed
Tracked by #3565
TLCFEM opened this issue May 3, 2023 · 13 comments
Labels: bug (Something isn't working), duplicate (This issue or pull request already exists)

Comments

@TLCFEM

TLCFEM commented May 3, 2023

Bug Description

Environment: Fedora 36 to 38 with gnome. With the specific configuration, connection is not possible with error: Fail to connect via rendezvous server: Please try later.

How to Reproduce

  1. Install fresh Fedora VM.
  2. Disable wayland via etc/gdm/custom.conf
  3. Install nightly build.
  4. Try to connect via a second device, either a phone, or a PC.

Expected Behavior

Successful connection.

Operating system(s) on local side and remote side

Win/Android -> Fedora

RustDesk Version(s) on local side and remote side

nightly -> nightly

Screenshots

N/A

Additional Context

Running Fedora with gnome on both physical machine and virtual machine.

Tested version 1.1.9 and the nightly build. The former works but the latter does not.

With wayland enabled, it is possible to connect by confirming sharing screen on the target machine with the nightly build.

Tested both self-hosting and default configuration, which does not affect the behaviour.

Tested with both android and win local sides, which does not affect the behaviour.

Not sure what information is required to ease debugging. Please instruct if any.

TLCFEM added the bug label May 3, 2023
@TLCFEM
Author

TLCFEM commented May 3, 2023

Also tested with a debian based distro (Xubuntu 22.04) which works with the nightly build.

rustdesk added the invalid label May 3, 2023
rustdesk closed this as completed May 3, 2023
@TLCFEM
Author

TLCFEM commented May 3, 2023

@rustdesk any suggestions if you do not think this is valid?

@rustdesk
Owner

rustdesk commented May 3, 2023

#388
#1597 (comment)

rustdesk added the duplicate label and removed the invalid label May 3, 2023
@TLCFEM
Author

TLCFEM commented May 11, 2023

Tried disabling "Direct IP Access", and also tried appending "/r" to the id, both do not work. Any comments?

@NoisyCoil

Hi there, non-developer here. I am having multiple issues after upgrading to Fedora 38 as well. Based on some troubleshooting I did, if both "Direct IP access" and Wayland are disabled, yours may be an issue with selinux.

Try this: quit the rustdesk application if you have it open, stop the rustdesk systemd service, set selinux in permissive mode and then restart the service,

sudo systemctl stop rustdesk
sudo setenforce 0
sudo systemctl start rustdesk

Then try connecting to your Fedora 38 machine. If it works, the issue is with selinux. Don't forget to reset selinux to enforcing mode once you are done,

sudo setenforce 1

If the issue is with selinux, the only way I found to make the current rustdesk nightly work under X11 is to permanently disable the rustdesk systemd service (that is, unless you want to permanently disable selinux, which you should not do). Perhaps the developers will want to comment on the consequences of doing so, until they find a fix. I found that rustdesk still works on X11 with the service disabled (although you will probably need to manually open the rustdesk application in order to connect to your machine, since then rustdesk will not be running in the background).

For the developers, I believe these are the relevant selinux logs in this situation:

may 28 19:09:45 fedora audit[13827]: AVC avc:  denied  { name_connect } for  pid=13827 comm="tokio-runtime-w" dest=21116 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
mag 28 19:09:51 fedora audit[13827]: AVC avc:  denied  { name_connect } for  pid=13827 comm="tokio-runtime-w" dest=21116 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
may 28 19:10:03 fedora audit[13827]: AVC avc:  denied  { name_connect } for  pid=13827 comm="tokio-runtime-w" dest=21116 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

@TLCFEM
Author

TLCFEM commented May 29, 2023

@NoisyCoil Thanks, confirmed, sudo setenforce 0 would make it work.

@NoisyCoil

NoisyCoil commented May 29, 2023

Great. If so, @rustdesk could perhaps remove the duplicate label from this issue, re-open it, and modify its title to reflect that RustDesk nightly has issues on Fedora 38 (or earlier?) due to selinux?

For more context, here are the complete selinux logs from journald:

 AVC avc:  denied  { connectto } for  pid=PID comm="rustdesk" path="/run/user/1000/bus" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
 AVC avc:  denied  { execute } for  pid=PID comm="rustdesk" name="sudo" dev="vda3" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
 AVC avc:  denied  { execute_no_trans } for  pid=PID comm="rustdesk" path="/usr/bin/sudo" dev="vda3" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
 AVC avc:  denied  { map } for  pid=PID comm="sudo" path="/usr/bin/sudo" dev="vda3" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
 AVC avc:  denied  { name_connect } for  pid=PID comm="rustdesk" dest=21116 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
 AVC avc:  denied  { name_connect } for  pid=PID comm="tokio-runtime-w" dest=21116 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
 AVC avc:  denied  { open } for  pid=PID comm="rustdesk" path="/dev/input/event7" dev="devtmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1
 AVC avc:  denied  { open } for  pid=PID comm="rustdesk" path="/dev/uinput" dev="devtmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1
 AVC avc:  denied  { open } for  pid=PID comm="rustdesk" path="/tmp/RustDesk/ipc.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
 AVC avc:  denied  { open } for  pid=PID comm="rustdesk" path="/tmp/RustDesk/ipc_uinput_control.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
 AVC avc:  denied  { open } for  pid=PID comm="rustdesk" path="/tmp/RustDesk/ipc_uinput_keyboard.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
 AVC avc:  denied  { read open } for  pid=PID comm="rustdesk" path="/usr/bin/sudo" dev="vda3" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
 AVC avc:  denied  { read } for  pid=PID comm="sudo" path="/usr/bin/sudo" dev="vda3" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
 AVC avc:  denied  { setattr } for  pid=PID comm="rustdesk" name="ipc.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
 AVC avc:  denied  { setattr } for  pid=PID comm="rustdesk" name="ipc_uinput_control.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
 AVC avc:  denied  { setattr } for  pid=PID comm="rustdesk" name="ipc_uinput_keyboard.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
 AVC avc:  denied  { write } for  pid=PID comm="rustdesk" name="bus" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
 AVC avc:  denied  { write } for  pid=PID comm="rustdesk" name="ipc.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
 AVC avc:  denied  { write } for  pid=PID comm="rustdesk" name="ipc_uinput_control.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
 AVC avc:  denied  { write } for  pid=PID comm="rustdesk" name="ipc_uinput_keyboard.pid" dev="tmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1

Some notes:

  • The above log entries are not ordered chronologically, but rather alphabetically, in order to remove duplicates
  • The selinux issues affect both X11 and Wayland. However, the workaround of disabling the rustdesk systemd service only works on X11, since AFAIK the service is strictly required on Wayland to deal with input
  • Regardless of selinux, at the moment RustDesk does not work on Wayland on a default and up-to-date installation of Fedora 38 due to a bug in the Mutter compositor which broke screen sharing in version 44.1. This issue has likely already been solved, and screen sharing will probably work again in v44.2. It does not affect X11 nor KDE on Wayland (Plasma) since these do not use Mutter, nor probably GNOME on Wayland with a different compositor. A quick fix until Mutter 44.2 is released is to downgrade to v44.0 (tested). Edit: I forgot to mention that the issue with Mutter is probably not Fedora-specific. It shows up in Fedora 38 because v44.1 is the most recent Mutter release in its repositories (Fixed on Mutter 44.2)
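
Added example (not part of the original comment or of RustDesk's code): a short Python parser that groups AVC denials like those in the log above by source type, target type and object class, then renders audit2allow-style rules for review. The sample lines are copied from that log; the function names are this example's own.

```python
import re
from collections import defaultdict

# Four lines copied from the journald excerpt above (PID/INO are the poster's placeholders).
SAMPLE = """\
AVC avc:  denied  { name_connect } for  pid=PID comm="rustdesk" dest=21116 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
AVC avc:  denied  { read open } for  pid=PID comm="rustdesk" path="/usr/bin/sudo" dev="vda3" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
AVC avc:  denied  { execute } for  pid=PID comm="rustdesk" name="sudo" dev="vda3" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=PID comm="rustdesk" path="/dev/uinput" dev="devtmpfs" ino=INO scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """A context is user:role:type:level[:categories]; the type is field 3."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    enforced = 0  # denials that were actually blocked (permissive=0)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        groups[key].update(m["perms"].split())
        if m["permissive"] == "0":
            enforced += 1
    return dict(groups), enforced

def to_allow_rules(groups):
    """Render audit2allow-style rules for human review, not for blind loading."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{cls} {{ {p} }};")
    return rules

if __name__ == "__main__":
    groups, enforced = summarize(SAMPLE)
    print("\n".join(to_allow_rules(groups)))
    print(f"{enforced} denial(s) were enforced (permissive=0)")
```

Every rule it prints has init_t as the source, the domain systemd itself runs in, so loading such rules as-is would widen that shared domain rather than confine RustDesk alone.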

TLCFEM changed the title from "Fail to connect to Fedora withe the nightly build" to "Fail to connect to Fedora with the nightly build due to selinux" May 29, 2023
@NoisyCoil

@rustdesk Any decision on whether this issue should be re-opened, as it is not fixed?

@rustdesk
Owner

rustdesk commented Jun 10, 2023

tracked by #3565

@NoisyCoil

I will point out for future reference that this issue is not Android-specific (on the local side), but may affect Android as well as any other OS (like Fedora as per title) that uses selinux on the remote side.

Thanks.

@rustdesk
Owner

rustdesk commented Sep 3, 2023

Here is a workaround #3565 (comment)

https://rustdesk.com/docs/en/client/linux/selinux/

@tuxmaster5000

Other tools like anydesk will work out of the box. So it looks like a general design problem of rustdesk. And disabling SELinux is an extremely bad idea from a security point of view.

@rustdesk
Owner

rustdesk commented Feb 17, 2024

Totally agree with you, so we added it into our milestone, #918
@fufesou


4 participants