Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191
I realised that the log messages I provided above refer to gdm's systemd
--user instance.
Looking more carefully, on the Fedora system I see:
systemd[1]: Starting User Manager for UID 1673000001...
audit[236830]: USER_ACCT pid=236830 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting
grantors=pam_unix,pam_sss,pam_permit acct="sam" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'
systemd[236830]: pam_selinux(systemd-user:session): Open Session
systemd[236830]: pam_selinux(systemd-user:session): Username= sam SELinux
User= unconfined_u Level= s0-s0:c0.c1023
systemd[236830]: pam_selinux(systemd-user:session): Set executable context:
[] -> [unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023]
systemd[236830]: pam_selinux(systemd-user:session): Security Context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
audit[236830]: USER_ROLE_CHANGE pid=236830 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam:
default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[236830]: pam_selinux(systemd-user:session): conversation failed
systemd[236830]: pam_selinux(systemd-user:session): Set key creation
context to unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
systemd[236830]: pam_selinux(systemd-user:session): Key Creation Context
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
systemd[236830]: pam_selinux(systemd-user:session): conversation failed
systemd[236830]: pam_unix(systemd-user:session): session opened for user
sam by (uid=0)
audit[236830]: USER_START pid=236830 uid=0 auid=1673000001 ses=13
subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open
grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss
acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
res=success'
Note that we have "Username= sam" so we're looking at the right messages
this time! Based on this it looks like the mechanism by which 'systemd
--user' transitions from init_t to unconfined_t is via pam_selinux.so.
By contrast, when logging on to my Debian system:
audit[9657]: USER_ACCT pid=9657 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting
grantors=pam_permit,pam_sss acct="[email protected]"
exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[9657]: CRED_ACQ pid=9657 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=pam_permit
acct="[email protected]" exe="/lib/systemd/systemd" hostname=?
addr=? terminal=? res=success'
systemd[9657]: pam_selinux(systemd-user:session): Open Session
audit[8280]: AVC avc: denied { read } for pid=8280 comm="polkitd"
name="userdb" dev="tmpfs" ino=18467 scontext=system_u:system_r:policykit_t:s0
tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
audit[8280]: AVC avc: denied { map } for pid=8280 comm="polkitd"
path="/etc/passwd" dev="dm-2" ino=133411
scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file permissive=1
audit[8280]: AVC avc: denied { connectto } for pid=8280 comm="polkitd"
path="/run/systemd/userdb/io.systemd.DynamicUser"
scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:init_t:s0
tclass=unix_stream_socket permissive=1
systemd[9657]: pam_selinux(systemd-user:session): Username=
[email protected] SELinux User= unconfined_u Level= s0-s0:c0.c1023
systemd[9657]: pam_selinux(systemd-user:session): Unable to get valid
context for [email protected]
systemd[9657]: pam_selinux(systemd-user:session): conversation failed
systemd[9657]: pam_unix(systemd-user:session): session opened for user
[email protected] by (uid=0)
audit[9657]: USER_START pid=9657 uid=0 auid=876099160 ses=10
subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open
grantors=pam_selinux,pam_selinux,pam_loginuid,pam_limits,pam_permit,pam_unix,pam_systemd
acct="[email protected]" exe="/lib/systemd/systemd" hostname=?
addr=? terminal=? res=success'
I can reproduce this with the test program at
<https://github.com/yrro/selinux-scratch>:
$ build/se
[email protected]
seuser=unconfined_u; level=s0-s0:c0.c1023
get_ordered_context_list_with_level: Invalid argument
Perhaps this is expected, since there is no entry for init_t in
/etc/selinux/default/contexts/default_contexts; on the other hand,
adding an entry such as:
system_u:system_r:init_t:s0 user_r:user_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
... doesn't make a difference. On the other hand, my Fedora machine
doesn't have an entry for init_t in the default_contexts file, and:
$ ./se
user=sam
seuser=unconfined_u; level=s0-s0:c0.c1023
1 contexts
[0]: unconfined_u:unconfined_r:unconfined_t:so-s0:c0.c1023
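To make the lookup the test program exercises concrete, here is a simplified Python model of how libselinux walks contexts/default_contexts for get_ordered_context_list_with_level(). It is an added illustration, not the selinux-scratch program and not libselinux's code, and it assumes the refpolicy "role:type:level candidate ..." line format with matching on the from-context's role:type; it deliberately leaves out the per-user contexts/users/<seuser> file, failsafe_context and validation of each candidate against the loaded policy.

```python
# Added illustration, not the selinux-scratch test program nor libselinux:
# a simplified model of the contexts/default_contexts walk that
# get_ordered_context_list_with_level() performs.  Assumed: an entry matches
# on the from-context's role:type (refpolicy 'role:type:level cand ...');
# contexts/users/<seuser>, failsafe_context and policy validation are skipped.
from typing import Dict, List, Tuple

SAMPLE_DEFAULT_CONTEXTS = """\
# constructed sample in refpolicy default_contexts format; no init_t entry
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
"""

def role_type(context: str) -> Tuple[str, str]:
    """Return (role, type) from 'user:role:type[:level]'."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[1], parts[2]

def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """Map the 'role:type' of each entry's first field to its candidate list."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        key = ":".join(fields[0].split(":")[:2])  # ignore the level field
        table.setdefault(key, fields[1:])          # first matching line wins
    return table

def ordered_context_list(table: Dict[str, List[str]], seuser: str,
                         level: str, fromcon: str) -> List[str]:
    """Build 'seuser:role:type:level' for each candidate reachable from fromcon.
    Returns [] when fromcon's role:type has no entry (libselinux would then
    try failsafe_context, which this model leaves out)."""
    role, typ = role_type(fromcon)
    result = []
    for cand in table.get(f"{role}:{typ}", []):
        crole, ctype = cand.split(":")[:2]
        result.append(f"{seuser}:{crole}:{ctype}:{level}")
    return result

if __name__ == "__main__":
    # Inputs from the report: seuser/level as getseuserbyname() returned them,
    # and the systemd --user instance's own context (init_t) as fromcon.
    args = ("unconfined_u", "s0-s0:c0.c1023", "system_u:system_r:init_t:s0")
    print("no init_t entry:", ordered_context_list(parse_default_contexts(SAMPLE_DEFAULT_CONTEXTS), *args))
    with_init = SAMPLE_DEFAULT_CONTEXTS + "system_r:init_t:s0 unconfined_r:unconfined_t:s0\n"
    print("init_t entry added:", ordered_context_list(parse_default_contexts(with_init), *args))
```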
-- System Information:
Debian Release: 10.3
APT prefers stable-debug
APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'),
(550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500,
'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages selinux-policy-default depends on:
ii libselinux1 3.0-1+b1
ii libsemanage1 2.8-2
ii libsepol1 3.0-1
ii policycoreutils 2.8-1
ii selinux-utils 3.0-1+b1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.8-1
ii setools 4.2.0-1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information