systemd --user sessions currently get launched as init_t, and user processes end up as initrc_t accordingly. It seems that all that's required is to add session required pam_selinux.so open before pam_systemd.so in the systemd-user pam file. Perhaps requisite is more appropriate than required here, to ensure the systemd instance will get launched with the proper context? Not exactly my area of expertise. There are still a few AVC denials between systemd / dbus user -> xdm_var_lib_t as a result of this, as the display manager usually also runs its own systemd user instance.
I just found /usr/lib/pam.d/systemd-user, their default seems a bit better:

    # SPDX-License-Identifier: LGPL-2.1-or-later
    # This file is part of systemd.
    #
    # Used by systemd --user instances.

    -account sufficient pam_systemd_home.so
    account sufficient pam_unix.so no_pass_expiry
    account required pam_permit.so
    session required pam_selinux.so close
    session required pam_selinux.so nottys open
    session required pam_loginuid.so
    session optional pam_keyinit.so force revoke
    session required pam_namespace.so
    -session optional pam_systemd_home.so
    session optional pam_systemd.so

So close followed by nottys + open is likely the better solution.

Side note: we don't seem to be calling pam_namespace anywhere?
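The two comments above converge on an ordering requirement rather than a single line: pam_selinux.so close, then pam_selinux.so nottys open, and both before pam_systemd.so forks the user instance. The script below is an added example (not part of the bug report, and not Gentoo's or systemd's own code) that checks a pam.d/systemd-user file for exactly that ordering and, on a live SELinux host, lists the context the running systemd --user instances actually received. The three sample PAM files are constructed for the example; only the "upstream" one mirrors the file quoted in the comment above. The function and variable names are the example's own, and the ps invocation assumes procps-ng.

```shell
#!/bin/sh
# Added example, not code from the bug report, Gentoo or systemd.
#
# pam_selinux_order FILE: exit 0 when FILE contains, in this order,
#   session <ctl> pam_selinux.so close
#   session <ctl> pam_selinux.so [nottys] open
#   session <ctl> pam_systemd.so
# (the layout of upstream's pam.d/systemd-user), exit 1 otherwise.
# Comments are ignored; a leading '-' (optional module) is accepted.
# Line numbers from grep -n give the ordering.
pam_selinux_order() {
    file=$1
    sel_close=$(grep -nE '^-?session[[:space:]].*[[:space:]]pam_selinux\.so[[:space:]]+close' "$file" | head -n 1 | cut -d: -f1)
    sel_open=$(grep -nE '^-?session[[:space:]].*[[:space:]]pam_selinux\.so[[:space:]]+(nottys[[:space:]]+)?open' "$file" | head -n 1 | cut -d: -f1)
    sd=$(grep -nE '^-?session[[:space:]].*[[:space:]]pam_systemd\.so' "$file" | head -n 1 | cut -d: -f1)
    # All three must be present ...
    [ -n "$sel_close" ] && [ -n "$sel_open" ] && [ -n "$sd" ] || return 1
    # ... and close < open < pam_systemd, so the context is set before the instance is started.
    [ "$sel_close" -lt "$sel_open" ] && [ "$sel_open" -lt "$sd" ]
}

# Constructed sample files (not copied from any distribution's pam.d).
# The situation the bug describes: pam_selinux.so is never called, so
# systemd --user keeps the context of the caller (init_t).
SAMPLE_NO_SELINUX='account required pam_unix.so
session required pam_loginuid.so
session optional pam_systemd.so'

# The ordering from upstream's systemd-user file quoted in the bug.
SAMPLE_UPSTREAM='account sufficient pam_unix.so no_pass_expiry
account required pam_permit.so
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session optional pam_systemd.so'

# Misordered: the context switch happens only after pam_systemd.so has
# already had the user instance started.
SAMPLE_MISORDERED='session optional pam_systemd.so
session required pam_selinux.so close
session required pam_selinux.so nottys open'

# check_sample NAME CONTENT: write CONTENT to a temp file, run the check, report.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    if pam_selinux_order "$tmp"; then
        echo "$1: pam_selinux.so ordering OK"
    else
        echo "$1: pam_selinux.so missing or ordered after pam_systemd.so"
    fi
    rm -f "$tmp"
}

# On a live SELinux host (procps-ng): print the label of every running
# systemd --user process. With the defect described in the bug the label
# column shows init_t; after the fix it should show the user's own domain.
show_user_instance_contexts() {
    ps -eo label,pid,args | grep '[s]ystemd --user'
}

check_sample no_selinux "$SAMPLE_NO_SELINUX"
check_sample upstream "$SAMPLE_UPSTREAM"
check_sample misordered "$SAMPLE_MISORDERED"
```

Run it against the installed file with `pam_selinux_order /etc/pam.d/systemd-user` (or /usr/lib/pam.d/systemd-user) after sourcing the script; a non-zero exit means pam_selinux.so is absent or comes after pam_systemd.so. The regex accepts the bracketed control syntax ([success=1 default=ignore]) because it only anchors on the module name, but it does not follow `include` or `substack` directives, so a file that delegates its session stack elsewhere must be checked at the included file.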
I wrongly assumed the file was from pambase.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27e8a693ee6afa4ae673f1f4625fae81b86ad86f

commit 27e8a693ee6afa4ae673f1f4625fae81b86ad86f
Author:     Rahul Sandhu <rahul@sandhuservices.dev>
AuthorDate: 2024-09-23 17:36:58 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2024-09-26 19:15:20 +0000

    sys-apps/systemd: call pam_selinux.so in pam config for systemd-user

    Currently, systemd --user sessions get launched with the wrong context,
    init_t. Let's fix our pam config for systemd-user by calling
    pam_selinux.so with close and nottys open like upstream does.

    Closes: https://bugs.gentoo.org/908759
    Signed-off-by: Rahul Sandhu <rahul@sandhuservices.dev>
    Closes: https://github.com/gentoo/gentoo/pull/38747
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/files/systemd-user-selinux.pam | 7 +++++++
 sys-apps/systemd/systemd-254.13.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-254.16.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-254.17.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-254.18.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-255.10.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-255.11.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-255.12.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-255.7-r1.ebuild        | 6 +++++-
 sys-apps/systemd/systemd-256.1-r3.ebuild        | 6 +++++-
 sys-apps/systemd/systemd-256.2.ebuild           | 6 +++++-
 sys-apps/systemd/systemd-256.4.ebuild           | 6 +++++-
 sys-apps/systemd/systemd-256.5.ebuild           | 6 +++++-
 sys-apps/systemd/systemd-256.6.ebuild           | 6 +++++-
 sys-apps/systemd/systemd-9999.ebuild            | 6 +++++-
 15 files changed, 77 insertions(+), 14 deletions(-)