These desktop managers have a pam stack, and that includes /etc/pam.d/systemd-user, which provides the user with a systemd --user instance.

If you do not add a seuser for these DM-users then their systemd --user instance ends up with system_u:system_r:init_t:s0 (the context of pid1, which creates these systemd --user instances).

One possible solution would be if we could add clauses to pam config files, like for example:

    if ! (user sddm) {
        session ... pam_selinux.so ...
    }

But not sure if something like that is even possible, and even if it was possible, some parts of the DE need selinux in the pam stack (for logging in the user).

But yes, the main issue is the pam_selinux call in the pam_systemd stack. Ideally we maintain some kind of compatibility with systems that have pam_systemd and ones that do not.

The alternative way is indeed to create a seuser so that we can tell pam_selinux explicitly to stay in system_r:xdm_t:s0 (so the systemd --user instance for the DE user will run in xdm_t, and so all the transitions will be the same whether the DE starts it via systemd --user or manually starts it).

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
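Added example, not part of the original message: a check that lists `systemd --user` managers still labelled `init_t`, the symptom described above for DM users without a seuser mapping. The function names and the sample process listing are constructed for illustration; the input format assumed is that of `ps -eo label,user,pid,args`.

```shell
#!/bin/sh
# Reads `ps -eo label,user,pid,args` output on stdin and prints
# "user pid label" for every `systemd --user` manager whose SELinux
# type is init_t, i.e. it kept the context of pid 1.
find_init_t_user_managers() {
    awk '
        NR == 1 && $1 == "LABEL" { next }   # skip the ps header line
        {
            # Field 4 is the executable, field 5 its first argument.
            is_systemd = ($4 == "systemd" || $4 ~ /\/systemd$/)
            if (!is_systemd || $5 != "--user") next
            # Context is user:role:type:level; MLS categories may add
            # more colons, but the type is always the third element.
            n = split($1, ctx, ":")
            if (n >= 3 && ctx[3] == "init_t") print $2, $3, $1
        }'
}

# Constructed sample listing (not captured from a real host).
sample_ps_output() {
    cat <<'EOF'
LABEL                           USER       PID COMMAND
system_u:system_r:init_t:s0     root         1 /usr/lib/systemd/systemd --switched-root
system_u:system_r:init_t:s0     sddm       812 /usr/lib/systemd/systemd --user
system_u:system_r:xdm_t:s0      gdm        901 /usr/lib/systemd/systemd --user
staff_u:staff_r:staff_t:s0      alice     1203 /usr/lib/systemd/systemd --user
system_u:system_r:xdm_t:s0      sddm       640 /usr/bin/sddm
EOF
}

# Demo on the constructed sample; on a live system use:
#   ps -eo label,user,pid,args | find_init_t_user_managers
if [ "${1:-}" = "--demo" ]; then
    sample_ps_output | find_init_t_user_managers
fi
```

Pid 1 itself is not reported because it is not started with `--user`; only per-user managers that kept its context are listed.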