Merge pull request #325 from fufesou/doc/selinux

selinux, check /var/log/audit/audit.log to see if there's any deny
2025-01-13 17:58:18 +01:00 · 2023-10-22 12:57:15 +08:00 · 2023-10-22 12:57:15 +08:00 · dc161e1431
commit dc161e1431
parent e74eeb15e1 e0b966c214
4 changed files with 25 additions and 10 deletions
--- a/content/client/linux/SELinux/_index.en.md
+++ b/content/client/linux/SELinux/_index.en.md
@ -109,8 +109,8 @@ allow init_t user_tmp_t:file map;
 Run:

 ```bash
-checkmodule -M -m -o rustdesk.mod rustdesk.te && semodule_package -o rustdesk.pp -m rustdesk.mod && sudo semodule -i rustdesk.pp
-sudo semodule -l | grep rustdesk
+$ checkmodule -M -m -o rustdesk.mod rustdesk.te && semodule_package -o rustdesk.pp -m rustdesk.mod && sudo semodule -i rustdesk.pp
+$ sudo semodule -l | grep rustdesk
 ```

 ### Create A Type "rustdesk_t"
--- a/content/client/linux/SELinux/_index.zh-cn.md
+++ b/content/client/linux/SELinux/_index.zh-cn.md
@ -108,8 +108,8 @@ allow init_t user_tmp_t:file map;
 执行：

 ```bash
-checkmodule -M -m -o rustdesk.mod rustdesk.te && semodule_package -o rustdesk.pp -m rustdesk.mod && sudo semodule -i rustdesk.pp
-sudo semodule -l | grep rustdesk
+$ checkmodule -M -m -o rustdesk.mod rustdesk.te && semodule_package -o rustdesk.pp -m rustdesk.mod && sudo semodule -i rustdesk.pp
+$ sudo semodule -l | grep rustdesk
 ```

 ### 新建 rustdesk_t 的类型
--- a/content/client/linux/_index.en.md
+++ b/content/client/linux/_index.en.md
@ -55,7 +55,15 @@ Please **reboot** to make above changes taking effect.

 #### Permissions Issue

-If you find that RustDesk's --server process is not running, that is, there is no output when executing `ps -ef | grep -E 'rustdesk +--server'`.
-Then it's probably a permissions issue.
+If SELinux is enabled, RustDesk will not work properly in either X11 or Wayland environments.

-Please refer to [SELinux](./selinux/) for adding SELinux policies.
+You can run:
+
+```bash
+$ sudo grep 'comm="rustdesk"' /var/log/audit/audit.log | tail -1
+type=AVC msg=audit(1697902459.165:707): avc:  denied  { name_connect } for  pid=31346 comm="rustdesk" dest=53330 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
+```
+
+**NOTE**: The number in parentheses after audit is timestamp.
+
+If the output contains `avc: denied`, you need to add SElinux policies, please refer to [SELinux](./selinux/).
--- a/content/client/linux/_index.zh-cn.md
+++ b/content/client/linux/_index.zh-cn.md
@ -57,8 +57,15 @@ RustDesk 现在有实验性的 Wayland 支持，您可能需要下载 [nightly v

 #### 权限问题

-如果您发现 RustDesk 的 --server 进程没有启动，即执行 `ps -ef | grep -E 'rustdesk +--server'` 没有输出。
-那么很可能是权限问题。
+如果启用了 SELinux ，那么无论是 X11 环境 还是 Wayland 环境， RustDesk 都无法正常工作。

+您可以运行如下命令：

-SELinux 权限添加请参考[SELinux](./selinux/)。
+```bash
+$ sudo grep 'comm="rustdesk"' /var/log/audit/audit.log | tail -1
+type=AVC msg=audit(1697902459.165:707): avc:  denied  { name_connect } for  pid=31346 comm="rustdesk" dest=53330 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket permissive=0
+```
+
+**注意**: audit 后面括号内的数字是时间戳。
+
+如果有 `avc: denied` 的输出，则需要添加 SElinux 策略，请参考[SELinux](./selinux/)。