The systemd-user pam config we are shipping is as follows:
---
account include system-auth
session required pam_loginuid.so
session include system-auth
session optional pam_systemd.so
---
However, on SELinux systems we must also add 2 lines such that it is:
---
account include system-auth
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session include system-auth
session optional pam_systemd.so
---
These 2 pam_selinux.so lines are to ensure that the systemd user manager gets the correct SELinux context when the user logs in. Otherwise, the user manager will fail to start and the user will have a broken login session.
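An added check, not part of this bug report or of systemd, that parses a systemd-user PAM stack and reports whether the two pam_selinux.so session lines above are present and in a usable order. The two stacks are copied from this comment as constructed input; the ordering rule (close before open, open before pam_systemd.so) is an assumption taken from the upstream file's layout.

```python
import re
# Constructed copies of the two stacks quoted in comment #0 (shipped vs. fixed).
SHIPPED = """\
account  include  system-auth
session  required pam_loginuid.so
session  include  system-auth
session  optional pam_systemd.so
"""
FIXED = """\
account  include  system-auth
session  required pam_selinux.so close
session  required pam_selinux.so nottys open
session  required pam_loginuid.so
session  include  system-auth
session  optional pam_systemd.so
"""
# type, control (a word or a [bracketed] action list), module, optional args
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
def parse_pam(text):
    """Yield (type, control, module, args), skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed PAM line: {raw!r}")
        yield m.group(1), m.group(2), m.group(3), m.group(4).split()
def check_selinux_session(text):
    """Return a list of problems; an empty list means the stack is acceptable."""
    session = [r for r in parse_pam(text) if r[0] == "session"]
    def first(module, arg=None):  # index of the first matching session rule
        for i, (_, _, mod, args) in enumerate(session):
            if mod == module and (arg is None or arg in args):
                return i
        return None
    close_i = first("pam_selinux.so", "close")
    open_i = first("pam_selinux.so", "open")
    systemd_i = first("pam_systemd.so")
    problems = []
    if close_i is None:
        problems.append("missing: session required pam_selinux.so close")
    if open_i is None:
        problems.append("missing: session required pam_selinux.so open")
    elif close_i is not None and open_i < close_i:
        problems.append("pam_selinux.so open appears before close")
    elif systemd_i is not None and open_i > systemd_i:
        problems.append("pam_selinux.so open must precede pam_systemd.so")
    return problems
```

Running check_selinux_session over /etc/pam.d/systemd-user on an SELinux host gives an empty list only when both lines are in place.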
Upstream's pam config for systemd --user supports this:
https://github.com/systemd/systemd/blob/main/src/login/systemd-user.in
Also to note, there are other rules in upstream's config related to systemd-homed that likely should be considered.
Regarding this. I changed systemd-user so that I could get proper user context when logging in. It was the only way I could get context and roles working. You might be able to get a smaller file, I doubt you need all of this. But for now, this works. Just in case someone is also looking for some fix.

account include system-auth
session required pam_loginuid.so
session include system-auth
session optional pam_systemd.so
# --------------------
auth include system-auth
account include system-auth
password include system-auth
session required pam_loginuid.so
session required pam_selinux.so close
session include system-auth
session required pam_selinux.so open
# Include additional session modules as needed
session optional pam_keyinit.so force revoke
session optional pam_namespace.so
session optional pam_systemd.so
(In reply to Kenton Groombridge from comment #0)
> These 2 pam_selinux.so lines are to ensure that the systemd user manager
> gets the correct SELinux context when the user logs in. Otherwise, the user
> manager will fail to start and the user will have a broken login session.

I did not have those two lines yet. What does such a broken user session look like? After adding the two, a reboot is required; re-login is not enough.

# before:
(sysadm_r)@myhost ~ # ps auxZ|grep "systemd --user"
system_u:system_r:init_t:s0 mschiff 1607 0.0 0.0 29628 17356 ? Ss 20:37 0:00 /usr/lib/systemd/systemd --user --deserialize=12
# after:
(sysadm_r)@myhost ~ # ps auxZ|grep "systemd --user"
staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 mschiff 1535 0.3 0.0 29632 17528 ? Ss 22:38 0:00 /usr/lib/systemd/systemd --user