On 2/16/2022 08:12, Russell Coker wrote:
This patch adds a role for the xdm program. It's needed by sddm because it uses PAM to run its own worker process and thus needs to do all the checks for a valid session for its own UID.
IMO this is a bug in the code.
Index: refpolicy-2.20220216/config/appconfig-mcs/seusers =================================================================== --- refpolicy-2.20220216.orig/config/appconfig-mcs/seusers +++ refpolicy-2.20220216/config/appconfig-mcs/seusers @@ -1,2 +1,3 @@ root:unconfined_u:s0-mcs_systemhigh __default__:unconfined_u:s0-mcs_systemhigh +sddm:xdm:s0
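Review bot: The added line `sddm:xdm:s0` puts `xdm` in the SELinux-user field of the seusers entry, but the description talks about adding a role, and the name does not follow the `_u` form used by the two existing entries (`unconfined_u`). Nothing in this hunk declares an SELinux user called `xdm`, so the declaration needs to be part of the same series, ideally named `xdm_u`, or the login mapping will not resolve. The range is also a bare `s0`, while both existing entries use `s0-mcs_systemhigh`. If restricting the sddm worker to `s0` is intentional, a sentence in the commit message saying so would help.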
Did you try sddm:system_u instead? That seems like it could make the change a bit simpler, since we won't need the additional xdm_r.
Also, config changes should be reflected in the appconfig-standard and appconfig-mls configs, in addition to -mcs.
-- Chris PeBenito