[SELinux] SELinux set to anything except "permissive" causes issues with UDisks usage

[mcdope]

Understood

No, I'm just too lazy to provide the data you request for a bug

Text

This was already triaged in #199. It seems SELinux prevents accessing UDisks (or dbus? tbd) from the pam module at least on tty.

Maybe this was also the cause for #141, but this is waiting for reporter feedback.

Todos: [ ] Find a working SELinux config (except setting it to permissive :stuck_out_tongue: ) [ ] Document that config for source installs [ ] Ship that config with the packages if possible

[mcdope]

Doc on how to diagnose such stuff: https://www.redhat.com/sysadmin/diagnose-selinux-violations

... and even better, it mentions a tool to turn a fail log into an allowance config.

[mcdope]

Maybe fixed by #229, will test in the coming days...

[mcdope]

Seems to actually be fixed by that, lol. So SELinux just didn't liked my crappy C.

pamusb-check reports "fine", sudo works, login doesn't work though. still investigating. At least it doesn't crash anymore

[mcdope]

nvm, still broken on tty :D

[mcdope]

Interestingly, the behaviour is different on F40

[mcdope]

Got it working on tty login 🥳

... now let's fix graphical logins...

[mcdope]

Actually - this fixed GDM as well :O Nice surprise.

[mcdope]

Still getting the dbus errors from https://github.com/mcdope/pam_usb/issues/201#issuecomment-2214750336 on F37 though. Unrelated I guess?

[mcdope]

Considering it's now working on the latest Fedora with the new profile, and lack of feedback and/or interest, and lack of distributions actually shipping SELinux... This is done.

Will merge the Fedora profile I've created, but it won't be installed by default or shipped in packages. Instead I will add a wiki entry pointing to the files and how to install them, also having a tutorial on how to create your own profile.