WIP: systemd dbus to varlink transition (logind)

[aerusso]

It looks like systemd is now using /run/systemd/io.systemd.Login (as part of varlink?)

I'm running into this issue:

type=AVC msg=audit(1767029869.633:25522): avc:  denied  { connectto } for  pid=33412 comm="sshd-session" path="/run/systemd/io.systemd.Login" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=unix_stream_socket permissive=0

I suspect this problem may affect much more than just my particular ssh issue, and the fix here addresses it pretty well by giving access to logind through the unix domain socket wherever . How should we handle this? Rename the interface? Create a new one and just make sure that both the old and the new are used together?

My proximate issue is solved by just adding the permission into auth_use_pam_systemd, so maybe only add it there; i.e., make a new interface systemd_connectto_logind_socket and put it in auth_use_pam_systemd. I can modify this PR to do that.

[0xC0ncord]

I'm also hitting the same problems with systemd 259. I think the solution poised here is sufficient, since the same interface also allows the dbus chat access.

In the future as more components of systemd migrate to varlink, we could more tightly control access by using file transitions based on the name of the unix sockets created in /run/systemd.