Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 908759

Summary: sys-auth/pambase: systemd user sessions launch with wrong SELinux context
Product: Gentoo Linux Reporter: Jannik Glückert <jannik.glueckert>
Component: Current packagesAssignee: Gentoo's Team for Core System packages <base-system>
Status: UNCONFIRMED ---    
Severity: normal CC: sam, selinux
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Package list:
Runtime testing required: ---

Description Jannik Glückert 2023-06-18 09:23:18 UTC
systemd --user sessions currently get launched as init_t, and user processes end up as initrc_t accordingly.

It seems that all that's required is to add
session required open
before in the systemd-user pam file.

Perhaps requisite is more appropriate than required here, to ensure the systemd instance will get launched with the proper context? Not exactly my area of expertise.

There are still a few AVC denials between systemd / dbus user -> xdm_var_lib_t as a result of this, as the display manager usually also runs its own systemd user instance.
Comment 1 Jannik Glückert 2023-07-02 14:44:08 UTC
I just found /usr/lib/pam.d/systemd-user, their default seems a bit better:

# SPDX-License-Identifier: LGPL-2.1-or-later
# This file is part of systemd.
# Used by systemd --user instances.

-account sufficient
account  sufficient no_pass_expiry
account  required

session  required close
session  required nottys open
session  required
session  optional force revoke
session  required
-session optional
session  optional

So close followed by nottys + open is likely the better solution.

Side note: we don't seem to be calling pam_namespace anywhere?