Gnome Remote Desktop with SELinux enforced

Hi,
Has anybody managed to make gnome-remote-desktop work without disabling SELinux?
I tried to allow what was denied (using audit2allow output), but it didn’t help.

May 01 19:52:51 fedora gnome-remote-de[88868]: Init TPM credentials failed because No TPM device found, using GKeyFile as fallback
May 01 19:52:51 fedora systemd[1]: Started gnome-remote-desktop.service - GNOME Remote Desktop.
May 01 19:52:51 fedora gnome-remote-de[88868]: RDP server started
May 01 19:53:02 fedora gnome-remote-de[88868]: [RDP] Sending server redirection
May 01 19:53:02 fedora gnome-remote-desktop-daemon[88868]: [19:53:02:452] [88868:00015b52] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read retries exceeded
May 01 19:53:02 fedora gnome-remote-desktop-daemon[88868]: [19:53:02:452] [88868:00015b52] [ERROR][com.freerdp.core.peer] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
May 01 19:53:02 fedora gnome-remote-de[88868]: Unable to check file descriptor, closing connection
May 01 19:53:02 fedora gnome-remote-de[88868]: RDP server stopped
May 01 19:53:02 fedora systemd[1]: gnome-remote-desktop.service: Deactivated successfully.
May 01 19:53:02 fedora systemd[1]: gnome-remote-desktop.service: Consumed 1.562s CPU time.

FTR: https://bugzilla.redhat.com/show_bug.cgi?id=2271661

1 Like

See this Remote login won't work - #2

Setting selinux to permissive did not work for me. Here’s the error message from Windows:

[Window Title]
Remote Desktop Connection

[Content]
Remote Desktop can't connect to the remote computer for one of these reasons:

1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.

[^] Hide details  [OK]

[Expanded Information]
Error code: 0x204
Extended error code: 0x0
Timestamp (UTC): 05/03/24 06:29:22 PM

Press Ctrl+C to copy.

I’ve added myself to the bugzilla email chain; there’s no point in me troubleshooting this any further. I’ll just wait for it to get fixed.

  • Firewall: Check if your firewall is blocking incoming connections on the RDP port (default 3389).
    You might need to open the port temporarily for testing purposes.

  • Network Connectivity: Ensure the client trying to connect can reach your Fedora machine on the network. Verify IP addresses and firewalls on both machines. Ping your Fedora machine from the client machine to test basic network reachability.

  • Client Configuration: Double-check the RDP client settings on the machine trying to connect.
    Make sure the client’s RDP settings like hostname/IP and port (3389) match your Fedora machine.

1 Like

This is a GNOME 46 new feature that doesn’t work for me. It connects fine when the Fedora machine is logged in. With GNOME 46 it’s supposed to connect when the Fedora machine is logged out, but it doesn’t, even with SELINUX set to permissive.

1 Like

This indicates that your specific problem is unrelated to SELinux.
There might be a race condition for shared and headless instances competing over the same socket and resulting in service failure.

That’s a good sign, because I absolutely despise troubleshooting SELinux. :wink:

Are there logfiles I can look at? If it’s not SELinux, it might be something related to Silverblue / Bluefin. I just yesterday switched over from Silverblue 40 to Bluefin 40, but it was having the same problem on Fedora 40. There was another issue with Fedora 40 during the transition from beta to release; apparently the upgrade from GNOME remote desktop was stuck at 45 for a while.

1 Like

Log out of the graphical sessions and connect over SSH, verify that GDM is the only TTY session, the remote desktop service is active and listening on the relevant port, then try connecting over RDP while monitoring the logs over SSH:

loginctl list-sessions
systemctl status gnome-remote-desktop.service
sudo ss -lnpAinet | grep -e :3389 -e gnome-remote
journalctl -f -u gnome-remote-desktop.service

Back to the main topic:

tee /tmp/grd.te << EOF > /dev/null
module grd 1.0;
require {
    type system_dbusd_t;
    type unconfined_service_t;
    type xdm_t;
    class tcp_socket { getattr getopt read setopt shutdown write };
}
allow system_dbusd_t unconfined_service_t:tcp_socket { read write };
allow xdm_t unconfined_service_t:tcp_socket { getattr getopt read setopt shutdown write };
EOF
checkmodule -M -m -o /tmp/grd.mod /tmp/grd.te
semodule_package -o /tmp/grd.pp -m /tmp/grd.mod
sudo semodule -i /tmp/grd.pp
2 Likes

Thanks @vgaetera, I can confirm this module works for me!

1 Like

I’m on Silverblue and I get this when I connect by IP (hostname gives DNS error, even though I can connect from a Linux machine to a Windows machine using hostname on the same network).

However, I don’t know what “selinux” or that code block is, but I’m actively looking for a solution. It this applicable to my troubles and if so, could someone please explain how to utilize it?

@eobet the code block in @vgaetera 's message is a list of commands that you can run in a terminal in order to allow the gnome-remote-desktop (aka grd) to access the resources it needs.

You can copy-paste in a terminal to run it directly, you don’t need to know what is SELinux (or what are SELinux modules, or that the tee ... EOF command is just a fancy way to create a file without opening an editor). But IMO it’s a good learning opportunity, and you’re very likely to bump against SELinux again in the future.

FWIW I ran the commands and now gnome-remote-desktop works (running on Bazzite/ublue).

2 Likes

Thank you for the clarification!

Well, it did something because I now get a different error message:

Do I need to type anything after the username (like for my windows machine, where I need to type the full e-mail address for the Microsoft account, for example)?

No, you need to enter the user and the password exactly as they are defined in the Desktop Sharing | Login Details section.