On a fresh Fedora install with SELinux enforcing (the default), every login attempt fails with "Compositor exited with status 1". The atrium binary has no SELinux file context, so the daemon runs in the unconfined_service_t domain, which Fedora's policy does not allow to perform the process domain transition that pam_selinux.so sets up.
AVC denial:
audit: AVC avc: denied { transition } for pid=2158 comm="atrium"
scontext=system_u:system_r:unconfined_service_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0
tclass=process permissive=0
Workaround: label the binary with the standard Fedora display-manager type:
sudo dnf install policycoreutils-python-utils
sudo semanage fcontext -a -t xdm_exec_t '/usr/local/bin/atrium'
sudo restorecon -v /usr/local/bin/atrium
sudo systemctl restart atrium
This is persistent across system relabels. After login works, suppress two additional AVCs (xdm_t cannot exec udevadm or unlink files in /var/lib/atrium/) with a generated local module:
sudo ausearch -m AVC -ts recent | audit2allow -M atrium-local
sudo semodule -i atrium-local.pp
Proposed fix (near-term): add data/selinux/atrium.fc to the repository assigning xdm_exec_t to /usr/local/bin/atrium, install it as part of the Fedora build, and run restorecon from the install script. This reuses the standard xdm_t domain and requires no new policy modules.
Long-term: write a minimal SELinux policy module that gives atrium its own atrium_t / atrium_exec_t domain pair, covering user domain transitions, DRM/input device access, logind D-Bus, VT allocation, PAM/audit, udevadm, and /var/lib/atrium/ state.
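An added example, not part of the original report or the atrium project: `ausearch -m AVC -ts recent | audit2allow -M atrium-local` turns every recent denial on the host into an allow rule, so this sketch keeps only the denials raised by the xdm_t domain and summarizes them for review before the module is built. The function names `avc_filter`, `avc_summary` and `sample_avc` are hypothetical, and the sample records other than the transition denial quoted above are constructed, with assumed target types.

```shell
#!/bin/sh
# Added example (not atrium project code). Function names are hypothetical.

# avc_filter DOMAIN: pass through only denials whose source type is DOMAIN.
avc_filter() {
    awk -v dom="$1" '/avc: +denied/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^scontext=/) {
                split($i, c, ":")          # user:role:type:level
                if (c[3] == dom) print
            }
    }'
}

# avc_summary: one deduplicated "source -> target : class { perms }" per denial.
avc_summary() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = t = k = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   { k = substr($i, 8) }
        }
        print s " -> " t " : " k " { " perms " }"
    }' | sort -u
}

# sample_avc: the first record is the denial from the report joined onto one
# line; the other three are constructed (target types are assumptions).
sample_avc() {
    cat <<'EOF'
audit: AVC avc: denied { transition } for pid=2158 comm="atrium" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(0.000:1): avc:  denied  { execute } for  pid=1 comm="atrium" name="udevadm" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:udev_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(0.000:2): avc:  denied  { unlink } for  pid=1 comm="atrium" name="state" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(0.000:3): avc:  denied  { read } for  pid=2 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Intended use on the affected host; read atrium-local.te before loading it:
#   sudo ausearch -m AVC -ts recent | avc_filter xdm_t | avc_summary
#   sudo ausearch -m AVC -ts recent | avc_filter xdm_t | audit2allow -M atrium-local
```

Anything in the summary beyond the two expected xdm_t denials (exec of udevadm, unlink under /var/lib/atrium/) is a reason to inspect the generated atrium-local.te before running semodule -i.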