cosmic-greeter fails to log in to cosmic session when SELinux is set to ENFORCING

[ryanabx]

start-cosmic works fine, cosmic-session works fine, so I'm pretty confused and I've been trying to figure out why cosmic-greeter won't log in to the session properly. All I get is a brief black screen with a panic in greetd:

thread 'main' panicked at greetd/src/session/worker.rs:200:14:
unable to exec: EACCES

I tried looking at it with RUST_BACKTRACE=full but the stack trace was completely unhelpful, going through a lot of unknown areas and some libc areas

I have these dependencies installed (not including dependencies derived from build depends) (Fedora)

• greetd
• greetd-selinux
• dbus
• pam
• cosmic-comp
• fprintd-pam

[Drakulix]

Seems more like a greetd issue than a cosmic-greeter one?
Just a shot in the dark, does disabling selinux fix it?

[ryanabx]

I'll give it a go tonight (i.e. you'll hear from me in about 6 hours)

[ryanabx]

It was SELinux after all, I'll rename this issue and keep it open for tracking purposes, unless it would be preferred to close it

[Drakulix]

Feel free to keep this open, but I don't think there is something actionable for us, as this is likely a greetd-selinux problem.

[ryanabx]

Feel free to keep this open, but I don't think there is something actionable for us, as this is likely a greetd-selinux problem.

Makes sense, I'll file an upstream issue, and link it here when I do. Probably will keep this open just so people who stumble upon the issue know what's going on

[rrahl0]

@ryanabx, could you please reference the upstream issue, as I can't find it.

[ryanabx]

@ryanabx, could you please reference the upstream issue, as I can't find it.

My bad, I actually forgot to file that issue 😅

[rivenirvana]

Any updates regarding this issue? Is it confirmed to be a greetd-selinux problem?

[lauretano]

I'm excited about cosmic but sad about it being unavailable on my "production" workstations due to the selinuxing, so did some digging. the upstream issue discussion

Based on more recent discussion, a couple triggers include the rpm-ostree and OCI build processes and their handling of labeling.

Red Hat Bug 2224162 - selinux denial prevents logging in

see also ublue-os/main#223

and much more recent discussion here ostreedev/ostree-rs-ext#388

Mostly related threads, mentioning silverblue, ublue oci images, and even bluebuild custom oci images based on ublue and silverblue itself. I'm using a mix of those across all of my daily linux workstations oops.

[rrahl0]

are we sure it's actually greetd? I used the fedora server qcow2 image and installed cosmic (so no gnome is available) and it works out of the box.

[rivenirvana]

FWIW, I installed ryanabx's COPR on a F40 GNOME Workstation and I can log into COSMIC just fine as well.

[rrahl0]

@rivenirvana are you using gdm or cosmic-greeter (greetd)

[Drakulix]

are we sure it's actually greetd? I used the fedora server qcow2 image and installed cosmic (so no gnome is available) and it works out of the box.

It seems to be a combination of using greetd with SElinux and a read-only image based desktop.