| Summary: | sys-auth/pambase: systemd user sessions launch with wrong SELinux context | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Jannik Glückert <jannik.glueckert> |
| Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | UNCONFIRMED --- | | |
| Severity: | normal | CC: | sam, selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=894450 | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |

Description
Jannik Glückert
2023-06-18 09:23:18 UTC
I just found /usr/lib/pam.d/systemd-user, their default seems a bit better:

```
# SPDX-License-Identifier: LGPL-2.1-or-later
# This file is part of systemd.
#
# Used by systemd --user instances.
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so no_pass_expiry
account required pam_permit.so
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_namespace.so
-session optional pam_systemd_home.so
session optional pam_systemd.so
```

So close followed by nottys + open is likely the better solution.

Side note: we don't seem to be calling pam_namespace anywhere?
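
A check for the layout the comment above proposes, added here as an example and not code from the bug report, pambase or systemd: it flattens a service's session stack, following `include` and `substack`, and reports where `pam_selinux.so` departs from "close first, then nottys + open". The file names `sample-user` and `sample-common` and both function names are hypothetical, the inputs are constructed, and line continuations are not handled.

```python
import re

# Fields: type, control (word or [bracketed]), module or service, arguments.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Constructed inputs. "systemd-user" is an excerpt of the session lines quoted
# in the comment; "sample-user" and "sample-common" are hypothetical files.
FILES = {
    "systemd-user": """\
session required pam_selinux.so close
session required pam_selinux.so nottys open
session optional pam_systemd.so
""",
    "sample-user": "session include sample-common\n",
    "sample-common": """\
session required pam_selinux.so open
session optional pam_systemd.so
""",
}

def session_rules(service, load):
    """Flatten the session stack of `service`, following include/substack."""
    rules = []
    for raw in load(service).splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "session":
            continue
        control, target, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            rules += session_rules(target, load)
        else:
            rules.append((target.rsplit("/", 1)[-1], args))
    return rules

def check_selinux_order(rules):
    """Report departures from: close first, then nottys + open."""
    sel = [(i, a) for i, (mod, a) in enumerate(rules) if mod == "pam_selinux.so"]
    # A rule naming neither option runs both halves of the module.
    closes = [i for i, a in sel if "close" in a or "open" not in a]
    opens = [(i, a) for i, a in sel if "open" in a or "close" not in a]
    findings = []
    if not closes:
        findings.append("no pam_selinux close rule")
    if not opens:
        findings.append("no pam_selinux open rule")
    if closes and opens and closes[0] >= opens[0][0]:
        findings.append("close is not listed before open")
    if any("nottys" not in a for _, a in opens):
        findings.append("open rule lacks nottys")
    return findings
```

On a real system, pass a `load` callable that reads the named service file from the PAM configuration directory in use.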