
1 commit

Author SHA1 Message Date
4e91804f0a Use with file context rules labeling plasmalogin binaries as xdm_exec_t instead
Some checks failed
Build RPMs / build (sonic-interface-libraries.spec) (push) Failing after 9s
Build RPMs / build (sonic-win.spec) (push) Failing after 9s
Build RPMs / build (sonic-workspace.spec) (push) Failing after 6s
2026-06-30 17:16:16 -03:00
4 changed files with 32 additions and 15 deletions


@ -0,0 +1,7 @@
# Label the plasmalogin daemon and helper binaries as X display manager
# executables so they run in the xdm_t domain on SELinux enforcing systems.
/usr/bin/plasmalogin -- system_u:object_r:xdm_exec_t:s0
/usr/libexec/plasmalogin-helper -- system_u:object_r:xdm_exec_t:s0
/usr/libexec/plasmalogin-helper-start-x11user -- system_u:object_r:xdm_exec_t:s0
/usr/libexec/plasma-login-greeter -- system_u:object_r:xdm_exec_t:s0
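Review bot: The header comment at L20-21 says these labels make the binaries "run in the xdm_t domain", but a file-context file only assigns the xdm_exec_t label; the transition itself comes from the base policy's rules on xdm_exec_t (for the daemon, the init-to-xdm_t transition the distribution's xdm/sddm policy is expected to provide), which nothing in this commit declares. I'd reword it to `# executables so the base policy's existing transition rules on xdm_exec_t place them in xdm_t on SELinux enforcing systems.` It is also worth noting in the comment that this path list must stay in sync with the restorecon paths in the spec's %post/%postun, since a binary already on disk when the policy is installed is only relabelled by that scriptlet. Whether xdm_exec_t is the right label for the greeter, which presumably runs as an unprivileged user rather than as the daemon, should be confirmed against the sddm policy this is modelled on.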


@ -1,12 +1,10 @@
module plasmalogin-selinux 1.0;
require {
type unconfined_t;
type xdm_exec_t;
class file { entrypoint execute };
}
# Allow the plasmalogin process to execute the X11 user helper binary
# which is labeled as xdm_exec_t. This is needed when the plasmalogin
# daemon is not running in the xdm_t domain on SELinux enforcing systems.
allow unconfined_t xdm_exec_t:file { entrypoint execute };
# File context rules for plasmalogin binaries are defined in the
# accompanying .fc file. Labeling the daemon and helper binaries as
# xdm_exec_t lets systemd transition plasmalogin into the xdm_t domain,
# which already has the required permissions to run X11 user sessions.
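Review bot: The new side still carries `require { type unconfined_t; type xdm_exec_t; class file { entrypoint execute }; }` (L31-35 are context here), while the new comment at L40-43 and the spec's new %description say the module no longer depends on an unconfined_t allow rule; from this rendering I cannot tell whether the `allow unconfined_t xdm_exec_t:file { entrypoint execute };` line at L39 survives. If it is removed, the require block is dead weight and should be trimmed to what the module still references, or the module reduced to the .fc alone; if it is kept, the "without granting broad unconfined_t permissions" wording in the spec overstates the change and the comment should say the allow rule remains as a fallback for a daemon that is not transitioned. Either way, a one-line comment naming which policy supplies the xdm_exec_t to xdm_t transition (this module declares none) would save the next reader a trip into the base policy.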


@ -1,10 +1,11 @@
Name: sonic-login-manager-selinux
Version: 1.0
Version: 1.0.1
Release: 1%{?dist}
Summary: SELinux policy module for Sonic Login Manager
License: MIT
URL: https://github.com/Sonic-DE/sonic-login-manager
Source0: plasmalogin-selinux.te
Source1: plasmalogin-selinux.fc
BuildArch: noarch
@ -15,34 +16,42 @@ Requires(post): policycoreutils
Requires(postun): policycoreutils
%description
SELinux policy module that allows Sonic Login Manager to launch
X11 user sessions when running under SELinux enforcing mode.
SELinux policy module that labels the Sonic Login Manager binaries as
xdm_exec_t so systemd runs the daemon in the xdm_t domain. This lets
Sonic Login Manager launch X11 user sessions under SELinux enforcing
mode without granting broad unconfined_t permissions.
%prep
%setup -c -T
cp %{SOURCE0} .
cp %{SOURCE1} .
%build
# Compile the SELinux type enforcement file into a loadable module package
# Compile the SELinux type enforcement file and file context rules into a loadable module package
checkmodule -M -m -o plasmalogin-selinux.mod plasmalogin-selinux.te
semodule_package -o plasmalogin-selinux.pp -m plasmalogin-selinux.mod
semodule_package -o plasmalogin-selinux.pp -m plasmalogin-selinux.mod -f plasmalogin-selinux.fc
%install
install -D -m 644 plasmalogin-selinux.pp %{buildroot}%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
%post
# Load the SELinux policy module
# Load the SELinux policy module and apply file contexts to the plasmalogin binaries
semodule -i %{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp || :
restorecon -Rv /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :
%postun
if [ $1 -eq 0 ]; then
# Remove the SELinux policy module on package uninstall
# Remove the SELinux policy module and restore default file contexts on uninstall
semodule -r plasmalogin-selinux || :
restorecon -Rv /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :
fi
%files
%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
%changelog
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 1.0.1-1
- Use with file context rules labeling plasmalogin binaries as xdm_exec_t instead
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 1.0-1
- Initial package with SELinux allow rule for plasmalogin-helper-start-x11user
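Review bot: The restorecon path list is now hard-coded twice, at L83 in %post and L89 in %postun, and it repeats the paths that plasmalogin-selinux.fc already carries, so any future .fc change has to be mirrored in two more places; a single `%global plasmalogin_paths /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter` near the top of the spec with `restorecon -R %{plasmalogin_paths} || :` in both scriptlets keeps them aligned. The `|| :` on `semodule -i` at L82 means a failed module load (for example a .pp built against a policy version the target does not accept) installs silently, the binaries keep their default label and the daemon never gets the intended xdm_t confinement; at minimum the comment at L81 should say the failure is deliberately non-fatal, and echoing the semodule exit status would make the condition visible in the install log. The changelog line at L95 reads oddly; consider `- Label plasmalogin binaries as xdm_exec_t via file context rules instead of an allow rule`.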


@ -2,7 +2,7 @@
Name: sonic-login-manager
Version: 6.6.4
Release: 12%{?dist}
Release: 13%{?dist}
License: BSD-3-Clause and CC0-1.0 and (GPL-2.0-only or GPL-3.0-only) and GPL-2.0-or-later and LGPL-2.0-or-later and LGPL-2.1-or-later
Summary: QML based login manager for SonicDE
@ -211,6 +211,9 @@ desktop-file-validate %{buildroot}/%{_datadir}/applications/kcm_plasmalogin.desk
%changelog
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 6.6.4-13
- Add SELinux policy dependency to label plasmalogin binaries as xdm_exec_t
* Fri Apr 10 2026 Steve Cossette <farchord@gmail.com> - 6.6.4-1
- 6.6.4