Here is a new patch for sddm using PAM for it's own helper. This one uses system_r instead of xdm_r and has patches for all 3 versions of the policy config. I think it's ready for inclusion.
Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>
Index: refpolicy-2.20220217/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20220217.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20220217/policy/modules/services/xserver.te
@@ -843,6 +843,9 @@ manage_files_pattern(xserver_t, xdm_tmp_
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
Index: refpolicy-2.20220217/config/appconfig-mcs/seusers
===================================================================
--- refpolicy-2.20220217.orig/config/appconfig-mcs/seusers
+++ refpolicy-2.20220217/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
 root:unconfined_u:s0-mcs_systemhigh
 __default__:unconfined_u:s0-mcs_systemhigh
+sddm:xdm:s0
Index: refpolicy-2.20220217/policy/users
===================================================================
--- refpolicy-2.20220217.orig/policy/users
+++ refpolicy-2.20220217/policy/users
@@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(xdm, user, system_r, s0, s0)
 # Until order dependence is fixed for users:
 ifdef(`direct_sysadm_daemon',`
Index: refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts
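Review bot: The new `allow xdm_t xdm_tmpfs_t:file execmod;` in the xserver.te hunk is unconditional, so every process in xdm_t may make a modified mapping of an xdm_tmpfs_t file executable, not only the sddm greeter the comment names. execmod relaxes a memory-protection check in a domain that handles login credentials, so I would put the rule inside a `tunable_policy` block that defaults to off, and have the comment say which component triggers the denial and why. The rule also sits between `manage_sock_files_pattern(xserver_t, ...)` and `can_exec(xserver_t, xserver_exec_t)`, both xserver_t rules; it belongs with the other xdm_t rules, which are outside this hunk.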
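Review bot: Only `config/appconfig-mcs/seusers` gains the `sddm:xdm:s0` mapping, while xdm_default_contexts is added for mcs, mls and standard. Unless the other two seusers files are patched elsewhere, a `sddm` login on an mls or standard build would presumably fall back to the default mapping and the new per-user context file would never be consulted. I would add `sddm:xdm:s0` to appconfig-mls/seusers and `sddm:xdm` to appconfig-standard/seusers, the latter without a level to match the standard context file in this patch.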
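Review bot: In the policy/users hunk, `gen_user(xdm, user, system_r, s0, s0)` authorises a login-mapped SELinux user for system_r, the same role the visible `gen_user(system_u,, system_r, ...` line gives to system_u. With that role, the only thing bounding the session is the type named in its default context, whereas the earlier xdm_r variant mentioned in the description would have limited the reachable types by role as well. If system_r is kept, a comment above the line should say why a dedicated role was dropped. The name also breaks the `_u` convention of the neighbouring entries; `gen_user(xdm_u, user, system_r, s0, s0)` would match, with the seusers entry and the xdm_default_contexts file names following.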
@@ -0,0 +1 @@
+system_r:xdm_t:s0 system_r:xdm_t:s0
Index: refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 system_r:xdm_t:s0
Index: refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t system_r:xdm_t
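Review bot: The single entry `system_r:xdm_t:s0 system_r:xdm_t:s0` (and `system_r:xdm_t system_r:xdm_t` in the standard file) maps a session opened from xdm_t back into xdm_t, so the greeter that sddm starts through PAM apparently runs in the same domain as the display manager itself. That gives the process drawing the login UI and handling user input every permission xdm_t has, including the execmod rule added in xserver.te. If this is intended, the commit description should say so. Otherwise the right-hand context should name a separate, narrower type, e.g. `system_r:xdm_t:s0 system_r:<GREETER_TYPE>:s0`, where the type name is a placeholder. This applies to all three xdm_default_contexts files (mcs, mls, standard).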