I originally reported this upstream as I didn't even consider SELinux initially. The denials I was getting were:

type=AVC msg=audit(1688321821.033:2282): avc: denied { transition } for pid=386427 comm="greetd" path="/usr/bin/bash" dev="dm-1" ino=1720366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

echo 'type=AVC msg=audit(1688321821.033:2282): avc: denied { transition } for pid=386427 comm="greetd" path="/usr/bin/bash" dev="dm-1" ino=1720366 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0' | audit2allow -M greetd-pol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i greetd-pol.pp

---

After making the above policy change everything works.

Reproducible: Always

Steps to Reproduce:
1. Attempt to login (on silverblue)

Actual Results:
Logging in is not possible

Expected Results:
Logging in success

See the URL for some additional, but maybe unnecessary context.
I see the URL field is not shown - https://lists.sr.ht/~kennylevinsen/greetd-devel/%3CCAPc+dhm80-J4k7HZuge+XQ-zuVC5HO4K+r4Z-JUnDEjGAUjGLA%40mail.gmail.com%3E#%3CCAPc+dhm80-J4k7HZuge+XQ-zuVC5HO4K+r4Z-JUnDEjGAUjGLA@mail.gmail.com%3E
> scontext=system_u:system_r:unconfined_service_t:s0

That doesn't look right. `/usr/bin/greetd` should be labeled as `system_u:object_r:xdm_exec_t:s0` and transition to `system_u:system_r:xdm_t:s0-*` on start. Can you check if you have `greetd-selinux` installed and there's no unlabeled greetd binary in /usr/local/bin?
$ ls -lZ /usr/bin/greetd
-rwxr-xr-x. 3 root root system_u:object_r:bin_t:s0 839488 Dec 31 1969 /usr/bin/greetd*
$ rpm -q greetd-selinux
greetd-selinux-0.9.0-4.fc38.noarch

There are no other greetd binaries. I can try reinstalling greetd if you'd like, but how do I undo the policy changes that were recommended above? Also, I'm sorry that I failed to mention that this is on Silverblue.

$ rpm -ql greetd-selinux
/usr/share/selinux/packages/targeted/greetd.pp.bz2
/var/lib/selinux/targeted/active/modules/200/greetd

I noticed that the second file isn't on the filesystem. But when I installed it inside a toolbox container it is present as expected.
On a clean Sericea VM:

$ rpm-ostree install greetd tuigreet
$ systemctl reboot
<...>
$ rpm-ostree status
...
LayeredPackages: greetd tuigreet
$ ls -Z /usr/bin/greetd
system_u:object_r:xdm_exec_t:s0 /usr/bin/greetd
# semodule -lfull |grep greetd
200 greetd pp
# semodule -lstandard |grep greetd
greetd
# semanage fcontext -l |grep greetd
/etc/greetd(/.*)? all files system_u:object_r:xdm_etc_t:s0
/usr/bin/greetd regular file system_u:object_r:xdm_exec_t:s0
/var/lib/greetd(/.*)? all files system_u:object_r:xdm_var_lib_t:s0
/var/run/greetd[^/]*\.sock socket system_u:object_r:xdm_var_run_t:s0
/var/run/greetd\.run regular file system_u:object_r:xdm_var_run_t:s0

I'm pretty sure this worked on Silverblue as well. Have no idea what went wrong on your system. Do you see the same output from the semodule/semanage commands above? Is there anything in the journal mentioning SELinux module errors?

> how do I undo the policy changes that were recommended above?

semodule -r greetd-pol
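A triage sketch for the situation in this thread, added here as an example and not code from greetd or from anyone in the thread: it parses the quoted denial and `ls -Z` output and checks the executable's label before any `audit2allow` rule is considered. The function names and result strings are made up for illustration, and reading `unconfined_service_t` as "no domain transition happened on start" is an assumption drawn from the maintainer's comment above.

```python
import re

# Denial as quoted in the report above.
AVC_LINE = (
    'type=AVC msg=audit(1688321821.033:2282): avc: denied { transition } for '
    'pid=386427 comm="greetd" path="/usr/bin/bash" dev="dm-1" ino=1720366 '
    'scontext=system_u:system_r:unconfined_service_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0'
)
# `ls -Z` lines quoted in the thread: affected system, then the clean Sericea VM.
LS_BAD = "-rwxr-xr-x. 3 root root system_u:object_r:bin_t:s0 839488 Dec 31 1969 /usr/bin/greetd*"
LS_GOOD = "system_u:object_r:xdm_exec_t:s0 /usr/bin/greetd"
# Expected type, from the `semanage fcontext -l` output in the thread.
EXPECTED_EXEC_TYPE = "xdm_exec_t"

def parse_avc(line):
    """Return permissions and key=value fields of an AVC denial, or None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(2)):
        rec[key] = quoted or bare
    return rec

def context_type(context):
    """The type is the third field of user:role:type:level."""
    return context.split(":")[2]

def file_type_from_ls(line):
    """Pull the SELinux type out of one line of `ls -Z` / `ls -lZ` output."""
    m = re.search(r"\b\w+:\w+:(\w+):s\d", line)
    return m.group(1) if m else None

def triage(avc_line, ls_line, expected_type=EXPECTED_EXEC_TYPE):
    """Classify a denial: labeling problem first, policy gap last."""
    rec = parse_avc(avc_line)
    if rec is None:
        return "not-an-avc-denial"
    actual = file_type_from_ls(ls_line)
    if actual != expected_type:
        return f"mislabeled-executable: {actual} (expected {expected_type})"
    if context_type(rec["scontext"]) == "unconfined_service_t":
        return "label-ok-but-no-domain-transition: check that the policy module is loaded"
    return "policy-review: " + " ".join(rec["perms"]) + " on " + rec["tclass"]

if __name__ == "__main__":
    print(triage(AVC_LINE, LS_BAD))
    print(triage(AVC_LINE, LS_GOOD))
```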
Apologies, I'm closing this. I'm running my own Ublue image and recognize now that there are all kinds of things that can go wrong in doing so. https://github.com/ublue-os/main/issues/223