STEPS TO REPRODUCE
1. Install the Fedora Workstation 36 KDE Spin and apply all updates
2. Edit the "/etc/selinux/config" file and put SELinux in permissive mode because the following steps won't work in "enforcing" mode.
3. Create a new Linux user and use "sudo semanage login" to map that new Linux user onto the SELinux user "user_u"
4. Reboot and log in as that restricted user

OBSERVED RESULT
You will see interesting AVCs such as:
SELinux is preventing plasmashell from watch access on the directory /
SELinux is preventing plasmashell from watch access on the file /etc/passwd.
SELinux is preventing ksmserver-logou from watch access on the file /etc/passwd.
SELinux is preventing kwin_wayland from write access on the file /tmp/#118

EXPECTED RESULT
I kinda expected that maybe the KDE login mechanism would be modular or at least use a standard PAM and not need direct access to any sensitive system resources. I understand if temporary files need to be stored in the user directory. I was hoping to create SELinux restricted accounts on this Fedora Workstation that would not need direct access to any sensitive system resources.

I'm still trying to wrap my head around how Wayland and modern window managers work. I just assumed that maybe things like sddm and the Wayland compositor would both run as daemons with root level permissions and the Wayland clients would run with the same system permissions as the "logged in user". Perhaps having the compositor and sddm both running as root would block or confuse the communication between the clients and the compositor. I just don't know. Sorry.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Workstation 36 KDE Spin: kernel: 5.18.13-200.fc36.x86_64
KDE Plasma Version: 5.25.3
KDE Frameworks Version: 5.96.0
Qt Version: 5.15.3

Sorry we didn't manage to get to this yet. In fact it's advantageous for the compositor to not run as root on Wayland, and KWin doesn't; it runs in userspace. Is this still a problem for you today? Are you sure it's our issue, as opposed to simply a lack of SELinux configuration to accommodate what you're trying to do?

This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information, then set the bug status to REPORTED. If there is no change for at least 30 days, it will be automatically closed as RESOLVED WORKSFORME. For more information about our bug triaging procedures, please read https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging. Thank you for helping us make KDE software even better for everyone!

This bug has been in NEEDSINFO status with no change for at least 30 days. Closing as RESOLVED WORKSFORME.
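
A triage helper for the denials quoted in the report above, added here as an example (it is not part of the original report or of any KDE or Fedora tooling). It parses the setroubleshoot-style summary lines and groups them by permission, object class and path, so a reviewer can see which accesses the session confined as user_u actually attempted; the function names are hypothetical and the input is the four lines quoted on the page.

```python
import re
from collections import Counter, defaultdict

# The four summary lines quoted in the report (taken from the page as-is).
REPORTED = """\
SELinux is preventing plasmashell from watch access on the directory /
SELinux is preventing plasmashell from watch access on the file /etc/passwd.
SELinux is preventing ksmserver-logou from watch access on the file /etc/passwd.
SELinux is preventing kwin_wayland from write access on the file /tmp/#118
"""

# Summary shape: process name, permission, object class, target path.
# Assumption: one permission word and a path without spaces, as in the lines above.
SUMMARY = re.compile(
    r"SELinux is preventing (?P<comm>\S+) from (?P<perm>\w+) access "
    r"on the (?P<tclass>\w+) (?P<path>\S+)"
)

def parse_denials(text):
    """Return one dict per recognised summary line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = SUMMARY.search(line)
        if not m:
            continue
        d = m.groupdict()
        # Drop a sentence-ending period, but never reduce "/" to nothing.
        if len(d["path"]) > 1:
            d["path"] = d["path"].rstrip(".")
        denials.append(d)
    return denials

def group_by_access(denials):
    """Map (permission, class, path) -> sorted process names that hit it."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d["perm"], d["tclass"], d["path"])].add(d["comm"])
    return {key: sorted(procs) for key, procs in groups.items()}

def permission_counts(denials):
    """Count denials per permission, e.g. how many are 'watch' versus 'write'."""
    return Counter(d["perm"] for d in denials)

if __name__ == "__main__":
    found = parse_denials(REPORTED)
    for (perm, tclass, path), procs in sorted(group_by_access(found).items()):
        print(f"{perm:6} {tclass:10} {path:14} <- {', '.join(procs)}")
    print(dict(permission_counts(found)))
```

On the quoted lines this shows three of the four denials are `watch` requests on `/` and `/etc/passwd`, and one is a `write` to a file under `/tmp`.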