Bug 908759

Summary:	sys-apps/systemd: systemd user sessions launch with wrong SELinux context
Product:	Gentoo Linux	Reporter:	Jannik Glückert <jannik.glueckert>
Component:	Current packages	Assignee:	Gentoo systemd Team <systemd>
Status:	RESOLVED FIXED
Severity:	normal	CC:	sam, selinux
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=894450 https://github.com/gentoo/gentoo/pull/38747
Whiteboard:
Package list:		Runtime testing required:	---

Description Jannik Glückert 2023-06-18 09:23:18 UTC

systemd --user sessions currently get launched as init_t, and user processes end up as initrc_t accordingly.

It seems that all that's required is to add
session required pam_selinux.so open
before pam_systemd.so in the systemd-user pam file.

Perhaps requisite is more appropriate than required here, to ensure the systemd instance will get launched with the proper context? Not exactly my area of expertise.

There are still a few AVC denials between systemd / dbus user -> xdm_var_lib_t as a result of this, as the display manager usually also runs its own systemd user instance.

Comment 1 Jannik Glückert 2023-07-02 14:44:08 UTC

I just found /usr/lib/pam.d/systemd-user, their default seems a bit better:

# SPDX-License-Identifier: LGPL-2.1-or-later
# This file is part of systemd.
#
# Used by systemd --user instances.

-account sufficient pam_systemd_home.so
account  sufficient pam_unix.so no_pass_expiry
account  required   pam_permit.so

session  required   pam_selinux.so close
session  required   pam_selinux.so nottys open
session  required   pam_loginuid.so
session  optional   pam_keyinit.so force revoke
session  required   pam_namespace.so
-session optional   pam_systemd_home.so
session  optional   pam_systemd.so

So close followed by nottys + open is likely the better solution.

Side note: we don't seem to be calling pam_namespace anywhere?

Comment 2 Sam James archtester

2024-09-24 05:51:49 UTC

I wrongly assumed the file was from pambase.

Comment 3 Larry the Git Cow gentoo-dev

2024-09-26 19:15:26 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27e8a693ee6afa4ae673f1f4625fae81b86ad86f

commit 27e8a693ee6afa4ae673f1f4625fae81b86ad86f
Author:     Rahul Sandhu <rahul@sandhuservices.dev>
AuthorDate: 2024-09-23 17:36:58 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2024-09-26 19:15:20 +0000

    sys-apps/systemd: call pam_selinux.so in pam config for systemd-user
    
    Currently, systemd --user sessions get launched with the wrong context,
    init_t. Let's fix our pam config for systemd-user by calling
    pam_selinux.so with close and nottys open like upstream does.
    
    Closes: https://bugs.gentoo.org/908759
    Signed-off-by: Rahul Sandhu <rahul@sandhuservices.dev>
    Closes: https://github.com/gentoo/gentoo/pull/38747
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-apps/systemd/files/systemd-user-selinux.pam | 7 +++++++
 sys-apps/systemd/systemd-254.13.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-254.16.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-254.17.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-254.18.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-255.10.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-255.11.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-255.12.ebuild          | 6 +++++-
 sys-apps/systemd/systemd-255.7-r1.ebuild        | 6 +++++-
 sys-apps/systemd/systemd-256.1-r3.ebuild        | 6 +++++-
 sys-apps/systemd/systemd-256.2.ebuild           | 6 +++++-
 sys-apps/systemd/systemd-256.4.ebuild           | 6 +++++-
 sys-apps/systemd/systemd-256.5.ebuild           | 6 +++++-
 sys-apps/systemd/systemd-256.6.ebuild           | 6 +++++-
 sys-apps/systemd/systemd-9999.ebuild            | 6 +++++-
 15 files changed, 77 insertions(+), 14 deletions(-)