Enabling systemd-homed managed user&home dir during Fedora install

Hi.

Before posting here I was looking elsewhere on how to install Fedora with systemd-homed managed user&home dir. Many posts/HOWTOs/etc instructs on how to add/convert users to systemd-homed controlled variants on already existing installations, but is there a way to install Fedora afresh with systemd-homed managed/controlled user ?

Regards
ArtūrasB.

2 Likes

Do you have a link, to see to what you are referring?

That’s systemd-homed, systemd’s subsystem to manage user home directories together with user - Home Directories. I found multiple examples/cases on how to convert existing “traditional” users with home directories into ones managed by systemd-homed after Linux is installed, but I cannot find information in how to install a Linux distro (e.g., Fedora) with systemd-homed managed user and user’s home dir without the need to do post-install conversion.

All right, update of my findings on the subject. As I interpret various bug reports, blog/social media posts, etc, few thing are still missing for homed not only for it’s use during installation, but for post-install user conversions as well:

  • SELinux policies for homed for “normal” homed operations, e.g., user creation, etc. That’s about distros using SELinux.
  • Adjustments to logging in (e.g., GNOME/KDE/etc sessions) frameworks/configurations, so logging via GUI will result into proper unlock and use of users’ home directories managed by homed.
  • It might be more “loose ends” which I haven’t found during my week long “research”.

My personal conclusions:

  • Homed is not ready for prime time End-to-End, not at least for simple installation/post-install conversions. It is mature enough as a technology alone, but not in combination with other bits and pieces.
  • It is possible to convert regular Linux users/create new homed users if one is familiar with SELinux policies and knows how to create it for homed. Or in distros which do not have SELinux enabled. Of course, it is always possible to disable SELinux completely or switch to permissive mode, but that is not recommended way as it opens installation to more security threats.
  • Similarly with PAM - if one has knowledge on how to setup PAM modules and its configs, it might work for logging in via GUI to homed-managed users.

I’m using Fedora which employs SELinux and I do not have enough knowledge (e.g., beyond tutorials, howtos, instructions) of homed, PAM, SELinux, I leave the idea of converting my user to homed managed user for now.

Regards
Artūras B.

1 Like

Hi.

There is an update to my quest in making homed user working on the FW37 now:

  1. Set SELinux to the permissive mode.
  2. Create user with homectl as per your needs.
  3. Enable PAM modules with the “sudo authselect sssd with-systemd-home”.
  4. While still in the permissive mode of SELinux, use SELinux Troubleshooter to create required policies in order to let homed to run normally after you set SELinux back to the enforcing mode.
  5. Set SELinux back to enforcing mode.

I’m on the step No 4 as I’m not familiar with SELinux enough to create required policies successfully. In the permissive mode homed managed user works just fine (GUI login, Yubikey to unlock/sign in, etc ), but I’d like to make it properly - with proper policies and SELinux set to enforcing mode.

Managed to get rid of SELinux alerts by adding proper context file types to both my user homedir file and its mount dir under /home. The if I set SELinux mode back to enforcing, then I cannot login to GNOME. SELinux Troubleshooter shows no alerts. Logs show failed assertion on src/home/homed-home.c:2697, function home_dispatch_acquire(). And there is log entry about missing loopback device - “Failed to allocate loopback context: No such device”

UPDATE: found similar issue where the storage type might be a suspect - SELinux blocking homed · Issue #1222 · fedora-selinux/selinux-policy · GitHub

What is it your trying to do? I have been using homed since silverblue 30. I have pretty much squished most bugs to make it run successfully with minimal effort.

Well, nothing extraordinary - I want to create an user managed by systemd-homed and use my FW37 installation with that user logged in. I managed to create such user with homectl after I set SELinux to the permissive mode. I fixed issues with PAM. I thought I fixed my SELinux issues with the SELinux Troubleshooter app by setting policies and file context, but even if all SELinux alerts are gone, I’m unable to login to my system with SELinux in the restrictive mode, only in the permissive.

Did you build a custom selinux policy? I have rebuilt mine 100’s of times trying to correct all my errors. Would you like to use my policy or correct yours?

I run commands to create SELinux policies which where suggested by SELinux Troubleshooter until there were no SELinux alerts. I’d rather try yours as I’m not experienced with SELinux enough to correct or make my own. I saw your replay to my question in the GitHub, there was a link to your custom policy.