https://bugs.kde.org/show_bug.cgi?id=521776
Darwin Lee <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #3 from Darwin Lee <[email protected]> ---
Confirmed on Fedora Linux 44 KDE with Plasma/KRDP 6.7.0.

Environment:

* Fedora Linux 44 KDE Plasma Desktop Edition
* Kernel: 7.0.12-201.fc44.x86_64
* KRDP: 6.7.0-1.fc44.x86_64
* FreeRDP: 3.27.1-1.fc44.x86_64
* Plasma Workspace: 6.7.0-1.fc44.x86_64
* systemd: 259.6-1.fc44.x86_64
* PAM: 1.7.2-1.fc44.x86_64
* SELinux policy: 44.3-1.fc44
* KDE Plasma Wayland session
* SELinux enforcing

Hardware:

* Lenovo Yoga 14sARH 2021, machine type 82LB
* AMD Ryzen 7 4800H
* AMD Renoir Radeon Vega graphics using the amdgpu driver

The same local username and password authenticate successfully with:

```
pamtester login USERNAME authenticate
```

Result:

```
pamtester: successfully authenticated
```

However, KRDP fails with:

```
pam_unix(login:auth): authentication failure
pam_authenticate failure
PostConnect failed
```

The packaged user service contains:

```
NoNewPrivileges=true
```

Before the workaround:

```
NoNewPrivileges=yes
NoNewPrivs: 1
```

SELinux also records the following during each failed login:

```
avc: denied { nnp_transition } comm=krdp_session scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tclass=process2
```

Temporarily running `setenforce 0` did not fix the authentication failure, which is consistent with the kernel `no_new_privs` flag remaining active independently of SELinux enforcement.

The following user-service override fixes the issue:

```
[Service]
NoNewPrivileges=false
```

After restarting the service:

```
NoNewPrivileges=no
NoNewPrivs: 0
```

The same username and password then authenticate successfully, while SELinux remains enforcing.

The issue was reproduced with Microsoft Remote Desktop Connection and Remote Desktop Manager on Windows, as well as Windows App on macOS.
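
A small diagnostic for the check described in the comment above, as an added example that is not part of the original bug report or of KRDP: it reads `NoNewPrivs` from a `/proc/<pid>/status` snapshot and counts the `pam_unix` failures and `chkpwd_t` `nnp_transition` denials in a log excerpt. The function names and verdict strings are hypothetical, and the sample files are constructed from the excerpts quoted in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report). Sample files are constructed from
# the excerpts quoted in the comment.

# Print NoNewPrivs (0 or 1) from a file in /proc/<pid>/status format.
nnp_value() {
    awk '$1 == "NoNewPrivs:" { print $2; f = 1 } END { if (!f) print "unknown" }' "$1"
}

# Count lines in file $2 matching pattern $1; prints 0 when none match.
count() { grep -c -- "$1" "$2" || true; }

# Classify a status snapshot ($1) plus a journal/audit excerpt ($2).
diagnose() {
    nnp=$(nnp_value "$1")
    pam=$(count 'pam_unix(.*:auth): authentication failure' "$2")
    avc=$(count 'denied  *{ nnp_transition }.*tcontext=[^ ]*:chkpwd_t:' "$2")
    if [ "$nnp" = 1 ] && [ "$pam" -gt 0 ]; then
        # Same pattern as the report: flag set and pam_unix rejecting logins.
        echo "suspect-nnp pam_failures=$pam chkpwd_nnp_denials=$avc"
    elif [ "$nnp" = 0 ]; then
        echo "nnp-clear pam_failures=$pam chkpwd_nnp_denials=$avc"
    else
        echo "inconclusive nnp=$nnp pam_failures=$pam chkpwd_nnp_denials=$avc"
    fi
}

# Write constructed "before" and "after" samples into directory $1.
make_samples() {
    printf 'Name:\tkrdp_session\nNoNewPrivs:\t1\n' > "$1/status.before"
    printf 'Name:\tkrdp_session\nNoNewPrivs:\t0\n' > "$1/status.after"
    cat > "$1/log.before" <<'EOF'
pam_unix(login:auth): authentication failure
avc:  denied  { nnp_transition } comm=krdp_session scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:chkpwd_t:s0-s0:c0.c1023 tclass=process2
EOF
    : > "$1/log.after"
}

dir=$(mktemp -d)
make_samples "$dir"
diagnose "$dir/status.before" "$dir/log.before"
diagnose "$dir/status.after" "$dir/log.after"
rm -rf "$dir"
```

On a live system, pass the service process's `/proc/<pid>/status` as the first argument and a saved journal or audit excerpt as the second.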
