In order for SELinux-enabled desktops to have the proper context after logging in, the PAM files need a "session optional pam_selinux.so" entry. The KDE PAM files (/etc/pam.d/kde, /etc/pam.d/kde-np) are installed by kde-base/kdebase-pam; as they are provided with the package, it should be easy to either add SELinux-enabled ones or modify the existing ones.
Reproducible: Always
Can we consider an include somewhere so that this is immediately done for all necessary services? What do pam.d/kde and pam.d/kde-np currently look like (do they include anything)?
BTW, it is documented in the selinux handbook that you currently have to do this manually yourself.
By default they look like this:

# cat /etc/pam.d/kde
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

# cat /etc/pam.d/kde-np
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_permit.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
Perhaps we can add it to /etc/pam.d/system-auth and have it working for everything/everyone. I'll try that out on a few test systems to see if it doesn't corrupt other stuff.
@Sven Vermeulen, the much simpler solving attempt: https://bugs.gentoo.org/show_bug.cgi?id=433173 Excuse me for not having seen this bug here earlier ...
So the system-local-login configuration (pam) makes more sense then. Sorry for not having tested it through, though.
Ah, system-local-login sources system-login which uses pam_selinux, so I guess this is resolved now?
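
Added example (not part of the bug thread and not code from any Gentoo package): a small checker that follows the "include"/"substack" chain of a PAM service and reports whether its session stack ever reaches pam_selinux.so, which is the question the thread settles for kde versus system-local-login. The kde file is the one quoted above; the contents of system-auth, system-login and system-local-login are constructed for illustration, and the function names are hypothetical.

```python
import os
import re
import tempfile

# PAM line: [-]type, control (word or [bracketed list]), module or included file
LINE = re.compile(r'^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)')

# Constructed sample: kde is the file quoted in the thread, the rest are assumed.
SAMPLE = {
    'kde': '#%PAM-1.0\nauth required pam_nologin.so\nauth include system-auth\n'
           'account include system-auth\npassword include system-auth\n'
           'session include system-auth\n',
    'system-auth': 'session required pam_limits.so\nsession required pam_unix.so\n',
    'system-login': 'session optional pam_selinux.so\nsession include system-auth\n',
    'system-local-login': 'session include system-login\n',
}

def write_sample(pam_dir):
    """Write the constructed sample files into pam_dir."""
    for name, text in SAMPLE.items():
        with open(os.path.join(pam_dir, name), 'w') as fh:
            fh.write(text)

def session_modules(service, pam_dir, parents=()):
    """List the modules in a service's session stack, following include/substack."""
    path = os.path.join(pam_dir, service)
    if service in parents or not os.path.isfile(path):  # include loop or missing file
        return []
    modules = []
    with open(path) as fh:
        for raw in fh:
            m = LINE.match(raw.split('#', 1)[0].strip())  # drop comments first
            if not m or m.group(1) != 'session':
                continue
            control, target = m.group(2), m.group(3)
            if control in ('include', 'substack'):
                modules += session_modules(target, pam_dir, parents + (service,))
            else:
                modules.append(os.path.basename(target))
    return modules

def reaches_pam_selinux(service, pam_dir):
    return 'pam_selinux.so' in session_modules(service, pam_dir)

if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as d:
        write_sample(d)
        for svc in ('kde', 'system-local-login'):
            print(svc, reaches_pam_selinux(svc, d))
```

On a real system, pass /etc/pam.d as pam_dir and the display manager's service name as service.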