Bug 908759

Summary:	sys-auth/pambase: systemd user sessions launch with wrong SELinux context
Product:	Gentoo Linux	Reporter:	Jannik Glückert <jannik.glueckert>
Component:	Current packages	Assignee:	Gentoo's Team for Core System packages <base-system>
Status:	UNCONFIRMED ---
Severity:	normal	CC:	sam, selinux
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=894450
Whiteboard:
Package list:		Runtime testing required:	---

Description Jannik Glückert 2023-06-18 09:23:18 UTC

systemd --user sessions currently get launched as init_t, and user processes end up as initrc_t accordingly.

It seems that all that's required is to add
session required pam_selinux.so open
before pam_systemd.so in the systemd-user pam file.

Perhaps requisite is more appropriate than required here, to ensure the systemd instance will get launched with the proper context? Not exactly my area of expertise.

There are still a few AVC denials between systemd / dbus user -> xdm_var_lib_t as a result of this, as the display manager usually also runs its own systemd user instance.

Comment 1 Jannik Glückert 2023-07-02 14:44:08 UTC

I just found /usr/lib/pam.d/systemd-user, their default seems a bit better:

# SPDX-License-Identifier: LGPL-2.1-or-later
# This file is part of systemd.
#
# Used by systemd --user instances.

-account sufficient pam_systemd_home.so
account  sufficient pam_unix.so no_pass_expiry
account  required   pam_permit.so

session  required   pam_selinux.so close
session  required   pam_selinux.so nottys open
session  required   pam_loginuid.so
session  optional   pam_keyinit.so force revoke
session  required   pam_namespace.so
-session optional   pam_systemd_home.so
session  optional   pam_systemd.so

So close followed by nottys + open is likely the better solution.

Side note: we don't seem to be calling pam_namespace anywhere?