diff --git a/sonic-login-manager-selinux/plasmalogin-selinux.te b/sonic-login-manager-selinux/plasmalogin-selinux.te
new file mode 100644
index 0000000..2acbf27
--- /dev/null
+++ b/sonic-login-manager-selinux/plasmalogin-selinux.te
@@ -0,0 +1,12 @@
+module plasmalogin-selinux 1.0;
+
+require {
+ type unconfined_t;
+ type xdm_exec_t;
+ class file { entrypoint execute };
+}
+
+# Allow the plasmalogin process to execute the X11 user helper binary
+# which is labeled as xdm_exec_t. This is needed when the plasmalogin
+# daemon is not running in the xdm_t domain on SELinux enforcing systems.
+allow unconfined_t xdm_exec_t:file { entrypoint execute };
diff --git a/sonic-login-manager-selinux/sonic-login-manager-selinux.spec b/sonic-login-manager-selinux/sonic-login-manager-selinux.spec
new file mode 100644
index 0000000..c6cce72
--- /dev/null
+++ b/sonic-login-manager-selinux/sonic-login-manager-selinux.spec
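Review bot: The allow rule on the last line of the plasmalogin-selinux.te hunk uses `unconfined_t` as its source, so the grant covers every unconfined process rather than plasmalogin alone, and `entrypoint` lets any file labeled `xdm_exec_t` serve as an entry into `unconfined_t`. That is wider than the comment above it describes, which speaks only of the plasmalogin process and one helper binary. Consider narrowing the grant, for example by giving the helper its own file type in this module or by running the daemon in `xdm_t`, which the comment implies is the normal case. If the broad rule has to stay, the comment should state its real scope, e.g. `# NOTE: applies to all unconfined_t processes and all xdm_exec_t files, not only plasmalogin`.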
@@ -0,0 +1,48 @@
+Name: sonic-login-manager-selinux
+Version: 1.0
+Release: 1%{?dist}
+Summary: SELinux policy module for Sonic Login Manager
+License: MIT
+URL: https://github.com/Sonic-DE/sonic-login-manager
+Source0: plasmalogin-selinux.te
+
+BuildArch: noarch
+
+BuildRequires: selinux-policy-devel
+BuildRequires: checkpolicy
+Requires: selinux-policy-targeted
+Requires(post): policycoreutils
+Requires(postun): policycoreutils
+
+%description
+SELinux policy module that allows Sonic Login Manager to launch
+X11 user sessions when running under SELinux enforcing mode.
+
+%prep
+%setup -c -T
+cp %{SOURCE0} .
+
+%build
+# Compile the SELinux type enforcement file into a loadable module package
+checkmodule -M -m -o plasmalogin-selinux.mod plasmalogin-selinux.te
+semodule_package -o plasmalogin-selinux.pp -m plasmalogin-selinux.mod
+
+%install
+install -D -m 644 plasmalogin-selinux.pp %{buildroot}%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
+
+%post
+# Load the SELinux policy module
+semodule -i %{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp || :
+
+%postun
+if [ $1 -eq 0 ]; then
+ # Remove the SELinux policy module on package uninstall
+ semodule -r plasmalogin-selinux || :
+fi
+
+%files
+%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
+
+%changelog
+* Tue Jun 30 2026 Anders da Silva Rytter Hansen - 1.0-1
+- Initial package with SELinux allow rule for plasmalogin-helper-start-x11user
diff --git a/sonic-login-manager/sonic-login-manager.spec b/sonic-login-manager/sonic-login-manager.spec
index aeffd69..d336acc 100644
--- a/sonic-login-manager/sonic-login-manager.spec
+++ b/sonic-login-manager/sonic-login-manager.spec
@@ -2,7 +2,7 @@ Name: sonic-login-manager Version: 6.6.4 -Release: 10%{?dist} +Release: 12%{?dist} License: BSD-3-Clause and CC0-1.0 and (GPL-2.0-only or GPL-3.0-only) and GPL-2.0-or-later and LGPL-2.0-or-later and LGPL-2.1-or-later Summary: QML based login manager for SonicDE
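Review bot: In `%post` of sonic-login-manager-selinux.spec, `semodule -i ... || :` discards a failed module load, so the package installs cleanly even when the rule it exists to provide is absent. On an enforcing system that presumably shows up later as a session-start failure, with nothing in the package transaction pointing at the cause. If the distribution's `%selinux_modules_install` and `%selinux_modules_uninstall` scriptlet macros are available on the target, prefer them over the hand-written calls. Otherwise keep the guard but record the intent next to it, e.g. `# load is best-effort; verify with: semodule -l | grep plasmalogin-selinux`.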
@@ -73,9 +73,9 @@ BuildRequires: kf6-rpm-macros # for jxl support Requires: kf6-kimageformats%{?_isa} -%if %{with x11} Requires: xorg-x11-xinit -%endif +Requires: sonic-login-manager-selinux + %{?systemd_requires} Requires: kf6-filesystem
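Review bot: `Requires: sonic-login-manager-selinux` in the `@@ -73,9 +73,9 @@` hunk of sonic-login-manager.spec is an unconditional hard dependency, so every install of the login manager pulls in the policy module with its `unconfined_t` allow rule. Because that subpackage itself requires `selinux-policy-targeted`, the targeted policy is pulled in as well. A conditional form such as `Requires: (sonic-login-manager-selinux if selinux-policy-targeted)` would limit the module to hosts that actually run that policy. The same hunk also removes the `%if %{with x11}` guard around `Requires: xorg-x11-xinit`, making that dependency unconditional; if that is intended, a one-line comment saying why would help the next packager.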