Does not work with greetd on Fedora 41 #260

Open
v-Nyo opened this issue Dec 27, 2024 · 5 comments

Comments


v-Nyo commented Dec 27, 2024

Which version of pam_usb are you running?

0.8.5

Which distribution are you using?

Fedora 41

Which login manager and desktop environment are you using?

Greetd/Tuigreet + Hyprland

What happened?

Login only works when 'setenforce 0'. But 'audit2allow -b' does not print any violations.
Apparently it's not SELinux? #241 (comment)

Help would be greatly appreciated.

#------ journalctl -xeu greetd (with debug option in pam_usb)

Dez 27 16:52:50 nyo greetd[26703]: pam_unix(greetd-greeter:session): session opened for user greetd(uid=987) by (uid=0)
Dez 27 16:53:00 nyo pam_usb[26807]: Authentication request for user "nyo" (greetd)
Dez 27 16:53:00 nyo pam_usb[26807]: deny_remote is disabled. Skipping local check.
Dez 27 16:53:00 nyo greetd[26807]: [src/local.c:277] deny_remote is disabled. Skipping local check.
Dez 27 16:53:00 nyo pam_usb[26807]: Searching for "Samsung" in the hardware database...
Dez 27 16:53:00 nyo pam_usb[26807]: Authentication device "Samsung" is connected.
Dez 27 16:53:00 nyo greetd[26807]: [src/volume.c:105] Searching for volume with uuid 44aaa629-8317-4554-afb9-f9b98581f4de.
Dez 27 16:53:00 nyo greetd[26807]: [src/volume.c:130] Found mount points: (null)
Dez 27 16:53:00 nyo greetd[26807]: [src/volume.c:145] Found volume 44aaa629-8317-4554-afb9-f9b98581f4de.
Dez 27 16:53:00 nyo greetd[26807]: [src/volume.c:044] Attempting to mount device /dev/mmcblk0p1.
Dez 27 16:53:00 nyo pam_usb[26807]: Performing one time pad verification...
Dez 27 16:53:00 nyo pam_usb[26807]: Searching for volume with uuid 44aaa629-8317-4554-afb9-f9b98581f4de.
Dez 27 16:53:00 nyo pam_usb[26807]: Found mount points: (null)
Dez 27 16:53:00 nyo pam_usb[26807]: Found volume 44aaa629-8317-4554-afb9-f9b98581f4de.
Dez 27 16:53:00 nyo pam_usb[26807]: Attempting to mount device /dev/mmcblk0p1.
Dez 27 16:53:00 nyo greetd[26807]: [src/volume.c:058] Mounted device /dev/mmcblk0p1 to /run/media/root/Samsung.
Dez 27 16:53:00 nyo pam_usb[26807]: Mounted device /dev/mmcblk0p1 to /run/media/root/Samsung.
Dez 27 16:53:00 nyo greetd[26807]: [src/pad.c:049] Directory /run/media/root/Samsung/.pamusb does not exist, creating it.
Dez 27 16:53:00 nyo greetd[26807]: [src/pad.c:052] Unable to create directory /run/media/root/Samsung/.pamusb: Permission denied
Dez 27 16:53:00 nyo pam_usb[26807]: Directory /run/media/root/Samsung/.pamusb does not exist, creating it.
Dez 27 16:53:00 nyo greetd[26807]: [src/volume.c:196] Attempting to unmount /dev/mmcblk0p1 from /run/media/root/Samsung.
Dez 27 16:53:00 nyo pam_usb[26807]: Unable to create directory /run/media/root/Samsung/.pamusb: Permission denied
Dez 27 16:53:00 nyo pam_usb[26807]: Pad checking failed!
Dez 27 16:53:00 nyo pam_usb[26807]: Attempting to unmount /dev/mmcblk0p1 from /run/media/root/Samsung.
Dez 27 16:53:00 nyo greetd[26807]: [src/volume.c:209] Unmount succeeded.
Dez 27 16:53:00 nyo pam_usb[26807]: Unmount succeeded.
Dez 27 16:53:00 nyo pam_usb[26807]: Access denied.
Dez 27 16:53:07 nyo greetd(pam_google_authenticator)[26807]: Accepted google_authenticator for nyo
Dez 27 16:53:07 nyo greetd[26807]: gkr-pam: unable to locate daemon control file
Dez 27 16:53:07 nyo greetd[26807]: gkr-pam: stashed password to try later in open session
Dez 27 16:53:07 nyo greetd[26807]: pam_unix(greetd:session): session opened for user nyo(uid=1000) by nyo(uid=0)
Dez 27 16:53:07 nyo greetd[26807]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring

Pam_usb config:

<?xml version="1.0" ?>
<configuration>
	<defaults>
	</defaults>
	<devices>
		<device id="Samsung">
			<model>SN16G</model>
			<serial>0xXXXXXXXX</serial>
			<volume_uuid>f6e2dd17-3c60-4608-9215-a17a24921986</volume_uuid>
		</device>
	</devices>
	<users>
		<user id="nyo">
			<option name="quiet">true</option>
			<agent event="lock">
				<cmd>hyprctl -i 1 dispatch 'exec pidof hyprlock || hyprlock '</cmd>
				<cmd>hyprctl -i 0 dispatch 'exec pidof hyprlock || hyprlock '</cmd>
				<cmd>hyprctl -i 1 dispatch dpms off</cmd>
				<cmd>hyprctl -i 0 dispatch dpms off</cmd>
				<cmd>hyprctl -i 0 dispatch 'exec pactl set-sink-mute @DEFAULT_SINK@ on'</cmd>
				<cmd>hyprctl -i 1 dispatch 'exec pactl set-sink-mute @DEFAULT_SINK@ on'</cmd>
				<cmd>hyprctl -i 1 dispatch 'exec playerctl pause'</cmd>
				<cmd>hyprctl -i 0 dispatch 'exec playerctl pause'</cmd>
			</agent>
			<agent event="unlock">
				<cmd>hyprctl -i 1 dispatch 'exec pidof hyprlock || hyprlock '</cmd>
				<cmd>hyprctl -i 0 dispatch 'exec pidof hyprlock || hyprlock '</cmd>
				<cmd>hyprctl -i 0 dispatch dpms on</cmd>
				<cmd>hyprctl -i 1 dispatch dpms on</cmd>
				<cmd>hyprctl -i 0 dispatch 'exec pactl set-sink-mute @DEFAULT_SINK@ off'</cmd>
				<cmd>hyprctl -i 1 dispatch 'exec pactl set-sink-mute @DEFAULT_SINK@ off'</cmd>
				<cmd>pkill -USR1 hyprlock</cmd>
			</agent>
			<device>Samsung</device>
		</user>
	</users>
	<services>
		<service id="pamusb-agent"><option name="deny_remote">false</option></service>
		<service id="greetd"><option name="deny_remote">false</option></service>
		<service id="polkit-1"><option name="deny_remote">false</option></service>
		<service id="login"><option name="deny_remote">false</option></service>
	</services>
</configuration>

#--------------- /etc/pam.d/system-auth

# Generated by authselect
# Do not modify this file manually, use authselect instead. Any user changes will be overwritten.
# You can stop authselect from managing your configuration by calling 'authselect opt-out'.
# See authselect(8) for more details.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
#----------------------------------------
auth        required                                     pam_unix.so nullok
auth        sufficient                                   pam_usb.so
auth        sufficient                                   pam_google_authenticator.so
#auth        sufficient                                   pam_unix.so nullok
#----------------------------------------
auth        required                                     pam_deny.so

account     required                                     pam_unix.so

password    requisite                                    pam_pwquality.so
password    sufficient                                   pam_unix.so yescrypt shadow nullok use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

#----------- /etc/pam.d/greetd

#%PAM-1.0
auth       substack    system-auth
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
-auth       optional    pam_kwallet.so
auth       include     postlogin

account    required    pam_sepermit.so
account    required    pam_nologin.so
account    include     system-auth

password   include     system-auth

session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    include     system-auth
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start
-session    optional    pam_kwallet.so auto_start
session    include     postlogin

#----------- /etc/pam.d/greetd-greeter
#%PAM-1.0

# Load environment from /etc/environment and ~/.pam_environment
auth            required pam_env.so

# Always let the greeter start without authentication
auth            required pam_permit.so

# No action required for account management
account         required pam_permit.so

# Can't change password
password        required pam_deny.so

# Setup session
session         required pam_unix.so
session         optional pam_systemd.so

#------------- /etc/greetd/config.toml

[terminal]
# The VT to run the greeter on. Can be "next", "current" or a number
# designating the VT.
vt = 1

# The default session, also known as the greeter.
[default_session]
command = "tuigreet --remember -t --asterisks --cmd Hyprland"
user = "greetd"

#--- sudo ausearch -c 'greetd' / 'login' does not find anything after created a profile for greetd a few days ago...

module custom-greetd 1.0;

require {
        type user_home_t;
        type unlabeled_t;
        type xdm_t;
        class file { create getattr open read rename setattr write };
}

#============= xdm_t ==============

#!!!! This avc is allowed in the current policy
allow xdm_t unlabeled_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow xdm_t user_home_t:file { create rename setattr write };
module custom-login 1.0;

require {
        type user_home_t;
        type unlabeled_t;
        type dosfs_t;
        type local_login_t;
        type user_home_dir_t;
        class file { create getattr open read rename setattr unlink write };
        class dir { getattr search };
}

#============= local_login_t ==============

#!!!! This avc is allowed in the current policy
allow local_login_t dosfs_t:dir { getattr search };

#!!!! This avc is allowed in the current policy
allow local_login_t dosfs_t:file { getattr open read setattr write };

#!!!! This avc is allowed in the current policy
allow local_login_t unlabeled_t:dir { getattr search };

#!!!! This avc is allowed in the current policy
allow local_login_t unlabeled_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow local_login_t user_home_dir_t:file { create getattr open read rename setattr unlink write };

#!!!! This avc is allowed in the current policy
allow local_login_t user_home_t:file { getattr open read unlink write };

Output of "pamusb-check --debug whoami"

* Authentication request for user "nyo" (pamusb-check)
[src/local.c:281] Checking whether the caller (pamusb-check) is local or not...
[src/local.c:298] 	Checking pid  10778 (pamusb-check)...
[src/local.c:298] 	Checking pid   9081 (/bin/zsh)...
[src/local.c:298] 	Checking pid   9062 (kitty)...
[src/local.c:298] 	Checking pid      1 (/usr/lib/systemd/systemd)...
[src/local.c:339] 	Using DISPLAY :0 for utmp search
[src/local.c:053] 	No utmp entry found for tty ":0"
[src/local.c:353] 	Trying to get tty from display server
[src/local.c:363] 		Failed, no result while trying to get TTY from display server
[src/local.c:368] 	Trying to get tty by DISPLAY
[src/local.c:376] 		Failed, no result while searching utmp for display :0 owned by user nyo
[src/local.c:392] 	Trying to check for remote access by loginctl
[src/local.c:250] 		loginctl considers this session to be remote: no
[src/local.c:397] 	loginctl says this session is local
[src/local.c:441] No remote access detected, seems to be local request - allowing.
* Searching for "Samsung" in the hardware database...
* Authentication device "Samsung" is connected.
* Performing one time pad verification...
[src/volume.c:105] Searching for volume with uuid f6e2dd17-3c60-4608-9215-a17a24921986.
[src/volume.c:130] Found mount points: (null)
[src/volume.c:145] Found volume f6e2dd17-3c60-4608-9215-a17a24921986.
[src/volume.c:044] Attempting to mount device /dev/mmcblk0p1.
[src/volume.c:058] Mounted device /dev/mmcblk0p1 to /run/media/nyo/Samsung.
[src/pad.c:317] Loading device pad...
[src/pad.c:327] Loading system pad...
[src/pad.c:343] Pad match.
[src/pad.c:176] Checking whether pads are expired or not...
[src/pad.c:204] Pads were generated 1230 seconds ago, not updating.
[src/volume.c:196] Attempting to unmount /dev/mmcblk0p1 from /run/media/nyo/Samsung.
[src/volume.c:209] Unmount succeeded.
* Access granted.

Output of "w"

15:57:13 up 46 min,  2 users,  load average: 0,76, 0,69, 0,47
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
nyo      tty1      15:14   42:41   8:23   0.65s kitty
nyo                15:14   43:30   0.00s  0.56s /usr/lib/systemd/systemd --user

2 sessions listed.

Output of "loginctl"

SESSION  UID USER SEAT  LEADER CLASS   TTY  IDLE SINCE
      2 1000 nyo  seat0 5139   user    tty1 yes  43min ago
      3 1000 nyo   -    5321   manager -    no   -
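The `auth` section of the posted `/etc/pam.d/system-auth` is what makes the journal above end in a successful login even though pam_usb reported "Access denied": `pam_unix.so` is `required`, `pam_usb.so` and `pam_google_authenticator.so` are both `sufficient`, and `pam_deny.so` closes the stack. The Python below is an added example (not pam_usb's code and not from the issue) that re-implements the control-flag semantics of pam.conf(5) for `required`, `requisite`, `sufficient` and `optional` and walks the posted stack under constructed per-module outcomes. `substack`/`include` lines and bracketed `[...]` controls are deliberately not modelled (assumption: the `auth` section of system-auth is all that matters for this question).

```python
"""Walk a Linux-PAM ``auth`` stack the way pam.conf(5) describes it.

Added example for the pam_usb/greetd issue; it is not part of pam_usb.
Only the four classic control keywords are modelled.
"""

# The auth section of /etc/pam.d/system-auth as quoted in the issue
# (substack/include lines from /etc/pam.d/greetd are not represented).
SYSTEM_AUTH = """
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_unix.so nullok
auth        sufficient                                   pam_usb.so
auth        sufficient                                   pam_google_authenticator.so
auth        required                                     pam_deny.so
"""


def parse_auth_stack(text):
    """Return [(control, module), ...] for the ``auth`` lines in *text*."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # A leading '-' only silences "module not found" logging; same type.
        if parts[0].lstrip("-") != "auth":
            continue
        control, module = parts[1], parts[2]
        if control.startswith("["):
            raise ValueError("bracketed controls are not modelled: " + line)
        stack.append((control, module))
    return stack


def run_auth_stack(stack, outcomes):
    """Return (result, consulted_modules) for one pass over *stack*.

    *outcomes* maps a module name to True (PAM_SUCCESS) or False. Modules
    missing from the map succeed (pam_env, pam_faildelay do no checking),
    except pam_deny.so, which always fails.
    """
    required_failed = False
    consulted = []
    for control, module in stack:
        ok = outcomes.get(module, module != "pam_deny.so")
        consulted.append(module)
        if control == "required":
            # Failure is remembered, but the rest of the stack still runs
            # (the user is not told which module rejected them).
            if not ok:
                required_failed = True
        elif control == "requisite":
            if not ok:
                return "fail", consulted       # abort immediately
        elif control == "sufficient":
            # Success ends the stack only if no earlier required module failed.
            if ok and not required_failed:
                return "success", consulted
            # A failing sufficient module is simply skipped.
        elif control == "optional":
            pass
        else:
            raise ValueError("unknown control: " + control)
    return ("fail" if required_failed else "success"), consulted


def scenarios():
    """Constructed outcomes that reproduce the situations in the issue."""
    stack = parse_auth_stack(SYSTEM_AUTH)
    return {
        # Password ok, USB pad ok: TOTP is never asked for.
        "password+usb": run_auth_stack(stack, {"pam_unix.so": True, "pam_usb.so": True}),
        # The journal in the issue: pad check failed, TOTP accepted instead.
        "password+totp": run_auth_stack(
            stack, {"pam_unix.so": True, "pam_usb.so": False,
                    "pam_google_authenticator.so": True}),
        # Wrong password: a successful pam_usb cannot rescue the login.
        "bad-password+usb": run_auth_stack(
            stack, {"pam_unix.so": False, "pam_usb.so": True,
                    "pam_google_authenticator.so": True}),
        # Password ok but no second factor at all.
        "password-only": run_auth_stack(
            stack, {"pam_unix.so": True, "pam_usb.so": False,
                    "pam_google_authenticator.so": False}),
    }


if __name__ == "__main__":
    for name, (result, consulted) in scenarios().items():
        print(f"{name:18s} -> {result:8s} via {' -> '.join(consulted)}")
```

The second scenario is exactly what the journal shows: pam_usb's pad check fails, the `sufficient` flag discards that failure, and the login proceeds on password plus TOTP. That is the intended fallback of this stack, so a broken pad directory on the device does not lock anyone out; it only means the USB factor is silently not being used, which is worth watching for in the journal if pam_usb is meant to be the primary second factor.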

v-Nyo commented Dec 28, 2024

Maybe I should mention that I am using BTRFS on the SD card? Will try FAT and report back if anything changes.


v-Nyo commented Dec 28, 2024

Local check fails, so this line is definitely necessary:
<service id="greetd"><option name="deny_remote">false</option></service>
Not sure if there is an alternative.


v-Nyo commented Dec 28, 2024

Okay, FAT drives work. So greetd works with the local-check fix, the SELinux profile and a FAT drive.

IDK why, but hyprlock also works now (also with BTRFS).


v-Nyo commented Dec 28, 2024

I tried to make BTRFS work with normal FS permissions, ACL policies like:

setfacl -R -m g:greetd:rw .pamusb
setfacl -d -m g:greetd:rw .pamusb

And udev rules like:
ENV{ID_FS_UUID}=="3250e711-e251-48bb-a3b7-5c81656b799f", ENV{UDISKS_FILESYSTEM_SHARED}="1", GROUP="greetd", MODE="0770"

Couldn't get it to work.
I don't understand the mounting process.
PLS send help.


v-Nyo commented Dec 28, 2024

I assume those are the files for the mounting process?
https://github.com/mcdope/pam_usb/blob/master/src/volume.c
https://github.com/mcdope/pam_usb/blob/master/src/device.c

Don't have a clue what I should change.
