diff --git a/sonic-login-manager-selinux/plasmalogin-selinux.fc b/sonic-login-manager-selinux/plasmalogin-selinux.fc
new file mode 100644
index 0000000..8b06360
--- /dev/null
+++ b/sonic-login-manager-selinux/plasmalogin-selinux.fc
@@ -0,0 +1,7 @@
+# Label the plasmalogin daemon and helper binaries as X display manager
+# executables so they run in the xdm_t domain on SELinux enforcing systems.
+
+/usr/bin/plasmalogin -- system_u:object_r:xdm_exec_t:s0
+/usr/libexec/plasmalogin-helper -- system_u:object_r:xdm_exec_t:s0
+/usr/libexec/plasmalogin-helper-start-x11user -- system_u:object_r:xdm_exec_t:s0
+/usr/libexec/plasma-login-greeter -- system_u:object_r:xdm_exec_t:s0
diff --git a/sonic-login-manager-selinux/plasmalogin-selinux.te b/sonic-login-manager-selinux/plasmalogin-selinux.te
index 2acbf27..871f0d5 100644
--- a/sonic-login-manager-selinux/plasmalogin-selinux.te
+++ b/sonic-login-manager-selinux/plasmalogin-selinux.te
@@ -1,12 +1,10 @@
 module plasmalogin-selinux 1.0;
 require {
- type unconfined_t;
 type xdm_exec_t;
- class file { entrypoint execute };
 }
-# Allow the plasmalogin process to execute the X11 user helper binary
-# which is labeled as xdm_exec_t. This is needed when the plasmalogin
-# daemon is not running in the xdm_t domain on SELinux enforcing systems.
-allow unconfined_t xdm_exec_t:file { entrypoint execute };
+# File context rules for plasmalogin binaries are defined in the
+# accompanying .fc file. Labeling the daemon and helper binaries as
+# xdm_exec_t lets systemd transition plasmalogin into the xdm_t domain,
+# which already has the required permissions to run X11 user sessions.
diff --git a/sonic-login-manager-selinux/sonic-login-manager-selinux.spec b/sonic-login-manager-selinux/sonic-login-manager-selinux.spec
index c6cce72..0d21040 100644
--- a/sonic-login-manager-selinux/sonic-login-manager-selinux.spec
+++ b/sonic-login-manager-selinux/sonic-login-manager-selinux.spec
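Review bot: The header comment in plasmalogin-selinux.fc names only the daemon and helper binaries, yet `/usr/libexec/plasma-login-greeter` is labelled `xdm_exec_t` as well, and nothing says why it needs that label. Under the base policy every file with this type is presumably usable as an entry point into `xdm_t`, so the list should stay as short as possible and each entry should be justified. I would extend the comment with something like `# plasma-login-greeter is labelled too because <reason>; confirm it cannot keep its default label`. The same four paths are repeated in the spec's `%post` and `%postun` scriptlets, so the comment should also say that the three lists must be changed together.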
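Review bot: The `require` block in plasmalogin-selinux.te still declares `type xdm_exec_t;` although the module no longer contains a rule that uses it, and the new comment does not explain why it stays. The comment also states that systemd transitions the daemon into `xdm_t`, which depends on a transition rule in the base policy that this module neither declares nor requires. I would make both points explicit, for example `# No rules here: the domain transition on xdm_exec_t comes from the base policy; the require only makes loading fail if that type is missing.` The module line also still reads `1.0` while the package moves to 1.0.1; whether that matters depends on how the policy store treats module versions.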
@@ -1,10 +1,11 @@
 Name: sonic-login-manager-selinux
-Version: 1.0
+Version: 1.0.1
 Release: 1%{?dist}
 Summary: SELinux policy module for Sonic Login Manager
 License: MIT
 URL: https://github.com/Sonic-DE/sonic-login-manager
 Source0: plasmalogin-selinux.te
+Source1: plasmalogin-selinux.fc
 BuildArch: noarch
@@ -15,34 +16,42 @@ Requires(post): policycoreutils
 Requires(postun): policycoreutils
 %description
-SELinux policy module that allows Sonic Login Manager to launch
-X11 user sessions when running under SELinux enforcing mode.
+SELinux policy module that labels the Sonic Login Manager binaries as
+xdm_exec_t so systemd runs the daemon in the xdm_t domain. This lets
+Sonic Login Manager launch X11 user sessions under SELinux enforcing
+mode without granting broad unconfined_t permissions.
 %prep
 %setup -c -T
 cp %{SOURCE0} .
+cp %{SOURCE1} .
 %build
-# Compile the SELinux type enforcement file into a loadable module package
+# Compile the SELinux type enforcement file and file context rules into a loadable module package
 checkmodule -M -m -o plasmalogin-selinux.mod plasmalogin-selinux.te
-semodule_package -o plasmalogin-selinux.pp -m plasmalogin-selinux.mod
+semodule_package -o plasmalogin-selinux.pp -m plasmalogin-selinux.mod -f plasmalogin-selinux.fc
 %install
 install -D -m 644 plasmalogin-selinux.pp %{buildroot}%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
 %post
-# Load the SELinux policy module
+# Load the SELinux policy module and apply file contexts to the plasmalogin binaries
 semodule -i %{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp || :
+restorecon -Rv /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :
 %postun
 if [ $1 -eq 0 ]; then
- # Remove the SELinux policy module on package uninstall
+ # Remove the SELinux policy module and restore default file contexts on uninstall
 semodule -r plasmalogin-selinux || :
+ restorecon -Rv /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :
 fi
 %files
 %{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
 %changelog
+* Tue Jun 30 2026 Anders da Silva Rytter Hansen - 1.0.1-1
+- Use with file context rules labeling plasmalogin
binaries as xdm_exec_t instead
+
 * Tue Jun 30 2026 Anders da Silva Rytter Hansen - 1.0-1
-- Initial package with SELinux allow rule for plasmalogin-helper-start-x11user
+- Initial package with SELinux allow rule for plasmalogin-helper-start-x11user
\ No newline at end of file
diff --git a/sonic-login-manager/sonic-login-manager.spec b/sonic-login-manager/sonic-login-manager.spec
index e0c9750..c66922c 100644
--- a/sonic-login-manager/sonic-login-manager.spec
+++ b/sonic-login-manager/sonic-login-manager.spec
@@ -2,7 +2,7 @@
 Name: sonic-login-manager
 Version: 6.6.4
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: BSD-3-Clause and CC0-1.0 and (GPL-2.0-only or GPL-3.0-only) and GPL-2.0-or-later and LGPL-2.0-or-later and LGPL-2.1-or-later
 Summary: QML based login manager for SonicDE
@@ -211,9 +211,8 @@ desktop-file-validate %{buildroot}/%{_datadir}/applications/kcm_plasmalogin.desk
 %changelog
-* Tue Jun 30 2026 Anders da Silva Rytter Hansen - 6.6.4-12
-- Add SELinux policy module to allow plasmalogin to launch X11 user sessions
-- Remove with_X11 condition since we will always be using X11
+* Tue Jun 30 2026 Anders da Silva Rytter Hansen - 6.6.4-13
+- Add SELinux policy dependency to label plasmalogin binaries as xdm_exec_t
 * Fri Apr 10 2026 Steve Cossette - 6.6.4-1
 - 6.6.4
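Review bot: In the `%post` scriptlet of sonic-login-manager-selinux.spec, both `semodule -i` and the new `restorecon` end in `|| :`, so a failed module load or a binary that is not on disk yet leaves the files with their default label and nothing reports it. With the `unconfined_t` allow rule removed, that presumably means the login manager fails under enforcing mode with no fallback. Whether sonic-login-manager's files are already installed when this scriptlet runs is not visible in the hunk. Relabelling at the end of the transaction would cover both install orders: add a `%posttrans` section containing `restorecon -v /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :`. The `-R` flag can go, since all four targets are regular files (the .fc entries use `--`).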