Use with file context rules labeling plasmalogin binaries as xdm_exec_t instead
This commit is contained in:
parent
d9c434f619
commit
4e91804f0a
4 changed files with 32 additions and 15 deletions
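--- /dev/null
+++ b/sonic-login-manager-selinux/plasmalogin-selinux.fc
@@ -0,0 +1,7 @@
+# Label the plasmalogin daemon and helper binaries as X display manager
+# executables so they run in the xdm_t domain on SELinux enforcing systems.
+
+/usr/bin/plasmalogin -- system_u:object_r:xdm_exec_t:s0
+/usr/libexec/plasmalogin-helper -- system_u:object_r:xdm_exec_t:s0
+/usr/libexec/plasmalogin-helper-start-x11user -- system_u:object_r:xdm_exec_t:s0
+/usr/libexec/plasma-login-greeter -- system_u:object_r:xdm_exec_t:s0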
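Review bot: The header comment on the first two lines promises more than a file-context file can deliver: labeling a file xdm_exec_t does not by itself place anything in xdm_t, the transition only happens if the base policy already carries a domain transition from the service manager's domain on xdm_exec_t, and a process already running in xdm_t that executes one of the helpers simply stays in xdm_t. I would make that dependency explicit, e.g. `# The init_t -> xdm_t transition on xdm_exec_t comes from the base policy's xdm module; this file only provides the labels.` The four patterns are literal paths (file_contexts regexes are anchored to the whole path), so they silently stop matching if the main package ever installs under a different bindir/libexecdir — worth a comment or deriving them from the same macros the main spec uses. I cannot tell from this page whether plasma-login-greeter is meant to run in xdm_t or a separate greeter domain; if the base policy distinguishes them, the last entry should be reviewed.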
@ -1,12 +1,10 @@
|
||||||
module plasmalogin-selinux 1.0;
|
module plasmalogin-selinux 1.0;
|
||||||
|
|
||||||
require {
|
require {
|
||||||
type unconfined_t;
|
|
||||||
type xdm_exec_t;
|
type xdm_exec_t;
|
||||||
class file { entrypoint execute };
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Allow the plasmalogin process to execute the X11 user helper binary
|
# File context rules for plasmalogin binaries are defined in the
|
||||||
# which is labeled as xdm_exec_t. This is needed when the plasmalogin
|
# accompanying .fc file. Labeling the daemon and helper binaries as
|
||||||
# daemon is not running in the xdm_t domain on SELinux enforcing systems.
|
# xdm_exec_t lets systemd transition plasmalogin into the xdm_t domain,
|
||||||
allow unconfined_t xdm_exec_t:file { entrypoint execute };
|
# which already has the required permissions to run X11 user sessions.
|
||||||
|
|
|
||||||
|
|
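Review bot: With the allow rule removed, the new .te carries no rules at all; the remaining `require { type xdm_exec_t; }` only asserts that the type exists, and the new comment block still leaves the reader thinking the transition into xdm_t is something this module provides. I would add one line under the existing comments: `# This module adds no rules; the transition into xdm_t on xdm_exec_t comes from the base policy's xdm module.` Dropping the unconfined_t entrypoint/execute rule is the right call, but the practical consequence is that every path plasmalogin and its helpers touch must now be allowed for xdm_t by the base policy; I would confirm in enforcing mode with ausearch/audit2allow (e.g. config and state directories specific to plasmalogin) that no new denials appear, since what previously ran unconfined now fails closed.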
@ -1,10 +1,11 @@
|
||||||
Name: sonic-login-manager-selinux
|
Name: sonic-login-manager-selinux
|
||||||
Version: 1.0
|
Version: 1.0.1
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: SELinux policy module for Sonic Login Manager
|
Summary: SELinux policy module for Sonic Login Manager
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: https://github.com/Sonic-DE/sonic-login-manager
|
URL: https://github.com/Sonic-DE/sonic-login-manager
|
||||||
Source0: plasmalogin-selinux.te
|
Source0: plasmalogin-selinux.te
|
||||||
|
Source1: plasmalogin-selinux.fc
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
|
|
@ -15,34 +16,42 @@ Requires(post): policycoreutils
|
||||||
Requires(postun): policycoreutils
|
Requires(postun): policycoreutils
|
||||||
|
|
||||||
%description
|
%description
|
||||||
SELinux policy module that allows Sonic Login Manager to launch
|
SELinux policy module that labels the Sonic Login Manager binaries as
|
||||||
X11 user sessions when running under SELinux enforcing mode.
|
xdm_exec_t so systemd runs the daemon in the xdm_t domain. This lets
|
||||||
|
Sonic Login Manager launch X11 user sessions under SELinux enforcing
|
||||||
|
mode without granting broad unconfined_t permissions.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -c -T
|
%setup -c -T
|
||||||
cp %{SOURCE0} .
|
cp %{SOURCE0} .
|
||||||
|
cp %{SOURCE1} .
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Compile the SELinux type enforcement file into a loadable module package
|
# Compile the SELinux type enforcement file and file context rules into a loadable module package
|
||||||
checkmodule -M -m -o plasmalogin-selinux.mod plasmalogin-selinux.te
|
checkmodule -M -m -o plasmalogin-selinux.mod plasmalogin-selinux.te
|
||||||
semodule_package -o plasmalogin-selinux.pp -m plasmalogin-selinux.mod
|
semodule_package -o plasmalogin-selinux.pp -m plasmalogin-selinux.mod -f plasmalogin-selinux.fc
|
||||||
|
|
||||||
%install
|
%install
|
||||||
install -D -m 644 plasmalogin-selinux.pp %{buildroot}%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
|
install -D -m 644 plasmalogin-selinux.pp %{buildroot}%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
|
||||||
|
|
||||||
%post
|
%post
|
||||||
# Load the SELinux policy module
|
# Load the SELinux policy module and apply file contexts to the plasmalogin binaries
|
||||||
semodule -i %{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp || :
|
semodule -i %{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp || :
|
||||||
|
restorecon -Rv /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
if [ $1 -eq 0 ]; then
|
if [ $1 -eq 0 ]; then
|
||||||
# Remove the SELinux policy module on package uninstall
|
# Remove the SELinux policy module and restore default file contexts on uninstall
|
||||||
semodule -r plasmalogin-selinux || :
|
semodule -r plasmalogin-selinux || :
|
||||||
|
restorecon -Rv /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
|
%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 1.0.1-1
|
||||||
|
- Use with file context rules labeling plasmalogin binaries as xdm_exec_t instead
|
||||||
|
|
||||||
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 1.0-1
|
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 1.0-1
|
||||||
- Initial package with SELinux allow rule for plasmalogin-helper-start-x11user
|
- Initial package with SELinux allow rule for plasmalogin-helper-start-x11user
|
||||||
|
|
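Review bot: The new `restorecon` line in `%post` (the one after `semodule -i`) runs before the labeled binaries necessarily exist: the main package's changelog entry in this same commit says it now depends on this package, so on a fresh install rpm orders this package first, the four paths are absent, and the failure is hidden by `|| :`. The labels then rely on rpm's SELinux plugin applying the freshly loaded file contexts when the main package is unpacked, which I cannot confirm from the hunks shown here; if that is not guaranteed, the main package needs a matching `restorecon` of its own binaries in its `%post`, and a short comment here saying which case this line covers (upgrades of this package with the binaries already present) would prevent the next reader from assuming it handles both. Separately, `-R` does nothing useful for regular-file paths and `-v` prints one line per relabel into the transaction output, so `restorecon /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :` is quieter and equivalent; the same applies to the `%postun` line.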
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
Name: sonic-login-manager
|
Name: sonic-login-manager
|
||||||
Version: 6.6.4
|
Version: 6.6.4
|
||||||
Release: 12%{?dist}
|
Release: 13%{?dist}
|
||||||
License: BSD-3-Clause and CC0-1.0 and (GPL-2.0-only or GPL-3.0-only) and GPL-2.0-or-later and LGPL-2.0-or-later and LGPL-2.1-or-later
|
License: BSD-3-Clause and CC0-1.0 and (GPL-2.0-only or GPL-3.0-only) and GPL-2.0-or-later and LGPL-2.0-or-later and LGPL-2.1-or-later
|
||||||
Summary: QML based login manager for SonicDE
|
Summary: QML based login manager for SonicDE
|
||||||
|
|
||||||
|
|
@ -211,6 +211,9 @@ desktop-file-validate %{buildroot}/%{_datadir}/applications/kcm_plasmalogin.desk
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 6.6.4-13
|
||||||
|
- Add SELinux policy dependency to label plasmalogin binaries as xdm_exec_t
|
||||||
|
|
||||||
* Fri Apr 10 2026 Steve Cossette <farchord@gmail.com> - 6.6.4-1
|
* Fri Apr 10 2026 Steve Cossette <farchord@gmail.com> - 6.6.4-1
|
||||||
- 6.6.4
|
- 6.6.4
|
||||||
|
|
||||||
|
|
|
||||||