systemd --user sessions currently get launched as init_t, and user processes end up as initrc_t accordingly. It seems that all that's required is to add session required pam_selinux.so open before pam_systemd.so in the systemd-user pam file. Perhaps requisite is more appropriate than required here, to ensure the systemd instance will get launched with the proper context? Not exactly my area of expertise. There are still a few AVC denials between systemd / dbus user -> xdm_var_lib_t as a result of this, as the display manager usually also runs its own systemd user instance.
I just found /usr/lib/pam.d/systemd-user, their default seems a bit better: # SPDX-License-Identifier: LGPL-2.1-or-later # This file is part of systemd. # # Used by systemd --user instances. -account sufficient pam_systemd_home.so account sufficient pam_unix.so no_pass_expiry account required pam_permit.so session required pam_selinux.so close session required pam_selinux.so nottys open session required pam_loginuid.so session optional pam_keyinit.so force revoke session required pam_namespace.so -session optional pam_systemd_home.so session optional pam_systemd.so So close followed by nottys + open is likely the better solution. Side note: we don't seem to be calling pam_namespace anywhere?