Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191
I realised that the log messages I provided above refer to gdm's
systemd --user instance. Looking more carefully, on the Fedora system I see:

systemd[1]: Starting User Manager for UID 1673000001...
audit[236830]: USER_ACCT pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[236830]: pam_selinux(systemd-user:session): Open Session
systemd[236830]: pam_selinux(systemd-user:session): Username= sam SELinux User= unconfined_u Level= s0-s0:c0.c1023
systemd[236830]: pam_selinux(systemd-user:session): Set executable context: [] -> [unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023]
systemd[236830]: pam_selinux(systemd-user:session): Security Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
audit[236830]: USER_ROLE_CHANGE pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[236830]: pam_selinux(systemd-user:session): conversation failed
systemd[236830]: pam_selinux(systemd-user:session): Set key creation context to unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
systemd[236830]: pam_selinux(systemd-user:session): Key Creation Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
systemd[236830]: pam_selinux(systemd-user:session): conversation failed
systemd[236830]: pam_unix(systemd-user:session): session opened for user sam by (uid=0)
audit[236830]: USER_START pid=236830 uid=0 auid=1673000001 ses=13 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Note that we have "Username= sam", so we're looking at the right messages
this time!

Based on this it looks like the mechanism by which 'systemd --user'
transitions from init_t to unconfined_t is via pam_selinux.so.

By contrast, when logging on to my Debian system:

audit[9657]: USER_ACCT pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_permit,pam_sss acct="sam.morris@ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[9657]: CRED_ACQ pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=pam_permit acct="sam.morris@ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[9657]: pam_selinux(systemd-user:session): Open Session
audit[8280]: AVC avc: denied { read } for pid=8280 comm="polkitd" name="userdb" dev="tmpfs" ino=18467 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
audit[8280]: AVC avc: denied { map } for pid=8280 comm="polkitd" path="/etc/passwd" dev="dm-2" ino=133411 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit[8280]: AVC avc: denied { connectto } for pid=8280 comm="polkitd" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
systemd[9657]: pam_selinux(systemd-user:session): Username= sam.morris@ad.domain.example SELinux User= unconfined_u Level= s0-s0:c0.c1023
systemd[9657]: pam_selinux(systemd-user:session): Unable to get valid context for sam.morris@ad.domain.example
systemd[9657]: pam_selinux(systemd-user:session): conversation failed
systemd[9657]: pam_unix(systemd-user:session): session opened for user sam.morris@ad.domain.example by (uid=0)
audit[9657]: USER_START pid=9657 uid=0 auid=876099160 ses=10 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_limits,pam_permit,pam_unix,pam_systemd acct="sam.morris@ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

I can reproduce this with the test program at
<https://github.com/yrro/selinux-scratch>:

$ build/se user=sam.morris@ad.domain.example
seuser=unconfined_u; level=s0-s0:c0.c1023
get_ordered_context_list_with_level: Invalid argument

Perhaps this is expected, since there is no entry for init_t in
/etc/selinux/default/contexts/default_contexts; on the other hand, adding
an entry such as:

system_u:system_r:init_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 ...

doesn't make a difference. On the other hand, my Fedora machine doesn't
have an entry for init_t in the default_contexts file, and:

$ ./se user=sam
seuser=unconfined_u; level=s0-s0:c0.c1023
1 contexts
[0]: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.0-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        3.0-1
ii  policycoreutils  2.8-1
ii  selinux-utils    3.0-1+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.8-1
ii  setools      4.2.0-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
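Editor's added illustration (not part of the bug report, and not libselinux or pam_selinux code): the script below is an offline model of the ordering step that get_ordered_context_list_with_level(3) applies to the contexts the kernel reports as reachable for the target SELinux user. The assumed rules are those of default_contexts(5): each line begins with the calling process's role:type[:level] (the user is not part of that field), the remaining fields are role:type[:level] entries for the target user in preference order, and reachable contexts not named on a matching line are dropped; levels on the partial fields are assumed not to be compared. The kernel step (security_compute_user(3)), the per-user contexts/users/<seuser> file and the failsafe_context fallback are not modelled, so the reachable set, the file contents and the contexts below are constructed inputs chosen to mirror the report's init_t caller and unconfined_u user.

```python
"""Offline model of the default_contexts ordering step (added example)."""

from typing import List, Optional, Sequence, Tuple


def split_context(ctx: str) -> Tuple[str, str, str, Optional[str]]:
    """Split 'user:role:type[:level]'.  An MLS range contains colons
    (s0-s0:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)


def split_partial(field: str) -> Tuple[str, str, Optional[str]]:
    """Split a default_contexts field 'role:type[:level]'."""
    parts = field.split(":", 2)
    if len(parts) < 2:
        raise ValueError(f"malformed partial context: {field!r}")
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else None)


def with_level(fromcon: str, level: Optional[str]) -> str:
    """What the _with_level variant does first: replace the caller's range."""
    if level is None:
        return fromcon
    user, role, type_, _ = split_context(fromcon)
    return f"{user}:{role}:{type_}:{level}"


def order_contexts(config: str, fromcon: str, reachable: Sequence[str]) -> List[str]:
    """Return the members of `reachable` named by lines of `config` whose first
    field matches the caller's role:type, in file order, without duplicates.
    Assumption: only role and type of each partial field are compared.
    An empty result is what pam_selinux reports as "Unable to get valid
    context" once no fallback applies."""
    _, fromrole, fromtype, _ = split_context(fromcon)
    ordered: List[str] = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        linerole, linetype, _ = split_partial(fields[0])
        if (linerole, linetype) != (fromrole, fromtype):
            continue
        for field in fields[1:]:
            role, type_, _ = split_partial(field)
            for ctx in reachable:
                _, r, t, _ = split_context(ctx)
                if (r, t) == (role, type_) and ctx not in ordered:
                    ordered.append(ctx)
    return ordered


# Constructed inputs mirroring the report: systemd --user runs as init_t and
# asks for contexts for SELinux user unconfined_u at level s0-s0:c0.c1023.
FROMCON = with_level("system_u:system_r:init_t:s0", "s0-s0:c0.c1023")

# Stand-in for the kernel's security_compute_user(3) answer (constructed).
REACHABLE = [
    "unconfined_u:system_r:init_t:s0-s0:c0.c1023",
    "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
]

# A default_contexts excerpt with no init_t line (constructed).
BASE = """\
# login_process          user_login_process ...
system_r:sshd_t:s0         user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
"""

# The line as written in the report: its first field carries a user part.
REPORTED_LINE = ("system_u:system_r:init_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 "
                 "sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0\n")

# The same line in the role:type form the other lines of the file use.
ROLE_TYPE_LINE = REPORTED_LINE.replace("system_u:system_r:init_t:s0",
                                       "system_r:init_t:s0", 1)


def stock_file() -> List[str]:
    """No init_t line at all: nothing is ordered, the list is empty."""
    return order_contexts(BASE, FROMCON, REACHABLE)


def reported_line() -> List[str]:
    """The line exactly as posted: 'system_u' parses as the role, so in this
    model it never matches a caller whose role is system_r."""
    return order_contexts(BASE + REPORTED_LINE, FROMCON, REACHABLE)


def role_type_line() -> List[str]:
    """The line in role:type form: the init_t caller gets the unconfined
    context; the reachable init_t context is dropped because no field names it."""
    return order_contexts(BASE + ROLE_TYPE_LINE, FROMCON, REACHABLE)


if __name__ == "__main__":
    for name, fn in (("stock", stock_file), ("as posted", reported_line),
                     ("role:type", role_type_line)):
        print(f"{name:>10}: {fn()}")
```

Two caveats for anyone chasing this further. First, in this model the entry quoted in the report parses with "system_u" as the role of the first field, so it matches nothing; that is a property of the model and of the file format as documented, not a finding about what libselinux did on the reporter's machine. Second, the file walk can only produce an empty list, never an error, whereas the reporter's test program shows the function failing with "Invalid argument"; that points at a step this model does not cover, such as the kernel's reachable-context computation for the caller's context and level.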