Package: src:lightdm
Severity: normal
Version: 1.32.0-3
Tags: patch
Forwarded: https://github.com/canonical/lightdm/pull/319


For Debian Edu 12, I tested the various features of Arctica Greeter (arctica-greeter src:pkg in Debian). The Arctica Greeter provides a feature called guest session login. With this, users can log into a host using one-time sessions. The guest user accounts get created on the fly on login and get removed after the session. A password is not required for guest session login.

In Debian 12, the login into an X11 desktop (such as MATE or Xfce4) takes a long time to bring up the session. This delay is caused by a missing apparmor rule in lightdm.

diff --git a/data/apparmor/lightdm-guest-session.in b/data/apparmor/lightdm-guest-session.in
index 3239c54b..f4938c7c 100644
--- a/data/apparmor/lightdm-guest-session.in
+++ b/data/apparmor/lightdm-guest-session.in
@@ -18,6 +18,7 @@
   /usr/bin/sogou-qimpanel-watchdog ix,
   /usr/bin/sogou-sys-notify ix,
   /tmp/sogou-qimpanel:* rwl,
+  /run/user/*/ICEauthority-l l,

   # Allow ibus
   unix (bind, listen) type=stream addr="@tmp/ibus/*",
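
Review bot: The added `/run/user/*/ICEauthority-l l,` line sits directly under `/tmp/sogou-qimpanel:* rwl,`, so it reads as part of the sogou rules and carries no comment explaining why it is needed. Consider moving it into its own stanza with a one-line comment, in the style of the `# Allow ibus` block that follows, noting that mate-session and iceauth create this link while updating the ICEauthority file.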

Here comes the description of the proposed patch:

data/apparmor/lightdm-guest-session.in: Allow l operation on /run/user/*/ICEauthority-l.

     This resolves long login delays into X11 guest sessions when using
     Arctica Greeter (forked from Unity Greeter). While waiting for the
     desktop to appear, the screen stays black and a non-WM'ed dialog box
     appears on screen, saying: "Could not update ICEauthority file
     /run/user/<guest-uid>/ICEauthority".

     When testing with MATE desktop, apparmor denies esp. creating this link
     operation:
     operation="link" class="file" profile="<path-to>/lightdm-guest-session"
     name="/run/user/997/ICEauthority-l" pid=<pid> comm="mate-session"
     requested_mask="l" denied_mask="l" fsuid=<fsuid> ouid=<ouid>
     target="/run/user/<uidnumber>/ICEauthority-c"

     Similar in Xfce4:
     operation="link" class="file" profile="<path-to>/lightdm-guest-session"
     name="/run/user/997/ICEauthority-l" pid=<pid> comm="iceauth"
     requested_mask="l" denied_mask="l" fsuid=<fsuid> ouid=<ouid>
     target="/run/user/<uidnumber>/ICEauthority-c"


It would be awesome if this could get resolved in the near future in Debian unstable and Debian bookworm. I can provide some help with these uploads if wanted by the maintainers.

Thanks+Greets,
Mike

--

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net

From 206320128f9636b814af76230ad64ed3b5e36fb8 Mon Sep 17 00:00:00 2001
From: Mike Gabriel <mike.gabr...@das-netzwerkteam.de>
Date: Thu, 24 Aug 2023 11:19:02 +0200
Subject: [PATCH] data/apparmor/lightdm-guest-session.in: Allow l operation on
 /run/user/*/ICEauthority-l.

 This resolves long login delays into X11 guest sessions when using
 Arctica Greeter (forked from Unity Greeter). While waiting for the
 desktop to appear, the screen stays black and a non-WM'ed dialog box
 appears on screen, saying: "Could not update ICEauthority file
 /run/user/<guest-uid>/ICEauthority".

 When testing with MATE desktop, apparmor denies esp. creating this link
 operation:
 operation="link" class="file" profile="<path-to>/lightdm-guest-session"
 name="/run/user/997/ICEauthority-l" pid=<pid> comm="mate-session"
 requested_mask="l" denied_mask="l" fsuid=<fsuid> ouid=<ouid>
 target="/run/user/<uidnumber>/ICEauthority-c"

 Similar in Xfce4:
 operation="link" class="file" profile="<path-to>/lightdm-guest-session"
 name="/run/user/997/ICEauthority-l" pid=<pid> comm="iceauth"
 requested_mask="l" denied_mask="l" fsuid=<fsuid> ouid=<ouid>
 target="/run/user/<uidnumber>/ICEauthority-c"

Signed-off-by: Mike Gabriel <mike.gabr...@das-netzwerkteam.de>
---
 data/apparmor/lightdm-guest-session.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/apparmor/lightdm-guest-session.in 
b/data/apparmor/lightdm-guest-session.in
index 3239c54b..f4938c7c 100644
--- a/data/apparmor/lightdm-guest-session.in
+++ b/data/apparmor/lightdm-guest-session.in
@@ -18,6 +18,7 @@
   /usr/bin/sogou-qimpanel-watchdog ix,
   /usr/bin/sogou-sys-notify ix,
   /tmp/sogou-qimpanel:* rwl,
+  /run/user/*/ICEauthority-l l,
 
   # Allow ibus
   unix (bind, listen) type=stream addr="@tmp/ibus/*",
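
Review bot: The `*` in `/run/user/*/ICEauthority-l l,` matches every user's runtime directory, and the rule does not constrain what the link may point at, while both denials in the commit message show the target `/run/user/<uidnumber>/ICEauthority-c` in the same directory. Consider adding the `owner` qualifier, or writing it as a link rule that names the target (`link /run/user/*/ICEauthority-l -> /run/user/*/ICEauthority-c,`), so the grant stays as narrow as what the logs show is needed. It would also help to state in the commit message whether the profile already permits access to `ICEauthority-c`, since only the `l` denial is quoted.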
-- 
2.39.2

Attachment: pgpzIdZySe3BE.pgp
Description: Digital PGP signature
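
The denials quoted in the commit message can be checked mechanically against the proposed rule before it is uploaded. The following is an added example, not part of the original report or of LightDM or AppArmor tooling: it parses audit records in the quoted key=value format and lists the denials that `/run/user/*/ICEauthority-l l,` would not resolve. The function names, the pid and uid numbers, and the third log record are assumptions constructed for illustration, and only the `*`, `**` and `?` globs are handled.

```python
import re

# Constructed sample in the audit key=value format quoted in the report.
# pid and uid numbers are made up; the third record is invented to probe the glob.
SAMPLE_LOG = """\
apparmor="DENIED" operation="link" class="file" profile="<path-to>/lightdm-guest-session" name="/run/user/997/ICEauthority-l" pid=2101 comm="mate-session" requested_mask="l" denied_mask="l" fsuid=997 ouid=997 target="/run/user/997/ICEauthority-c"
apparmor="DENIED" operation="link" class="file" profile="<path-to>/lightdm-guest-session" name="/run/user/997/ICEauthority-l" pid=2188 comm="iceauth" requested_mask="l" denied_mask="l" fsuid=997 ouid=997 target="/run/user/997/ICEauthority-c"
apparmor="DENIED" operation="link" class="file" profile="<path-to>/lightdm-guest-session" name="/run/user/997/sub/ICEauthority-l" pid=2190 comm="iceauth" requested_mask="l" denied_mask="l" fsuid=997 ouid=997 target="/run/user/997/sub/ICEauthority-c"
"""

PATCH_RULE = "/run/user/*/ICEauthority-l l,"  # the rule added by the patch

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}


def parse_denials(log):
    """Return one dict of fields per AppArmor DENIED record."""
    records = []
    for line in log.splitlines():
        rec = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if rec.get("apparmor") == "DENIED":
            records.append(rec)
    return records


def glob_to_regex(glob):
    """Handle only *, ** and ?: a single * or ? never crosses a '/'."""
    tokens = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(GLOB.get(t, re.escape(t)) for t in tokens))


def covers(rule, rec):
    """True if a plain 'path perms,' file rule grants the denied mask on name.
    Only the link name is checked; AppArmor also evaluates the link target."""
    path_glob, perms = rule.rstrip(",").split()
    matched = glob_to_regex(path_glob).fullmatch(rec["name"])
    return matched is not None and set(rec["denied_mask"]) <= set(perms)


def still_denied(rule, log):
    """(comm, name) of every logged denial the rule would not resolve."""
    return [(r["comm"], r["name"]) for r in parse_denials(log) if not covers(rule, r)]


if __name__ == "__main__":
    for comm, name in still_denied(PATCH_RULE, SAMPLE_LOG):
        print(f"not covered: {comm} -> {name}")
```
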
