SonicDE-rpmspecs/sonic-login-manager-selinux/sonic-login-manager-selinux.spec
Anders da Silva Rytter Hansen 4e91804f0a
Some checks failed
Build RPMs / build (sonic-interface-libraries.spec) (push) Failing after 9s
Build RPMs / build (sonic-win.spec) (push) Failing after 9s
Build RPMs / build (sonic-workspace.spec) (push) Failing after 6s
Use with file context rules labeling plasmalogin binaries as xdm_exec_t instead
2026-06-30 17:16:16 -03:00

57 lines
No EOL
2.2 KiB
RPMSpec

Name: sonic-login-manager-selinux
Version: 1.0.1
Release: 1%{?dist}
Summary: SELinux policy module for Sonic Login Manager
License: MIT
URL: https://github.com/Sonic-DE/sonic-login-manager
Source0: plasmalogin-selinux.te
Source1: plasmalogin-selinux.fc
BuildArch: noarch
BuildRequires: selinux-policy-devel
BuildRequires: checkpolicy
Requires: selinux-policy-targeted
Requires(post): policycoreutils
Requires(postun): policycoreutils
%description
SELinux policy module that labels the Sonic Login Manager binaries as
xdm_exec_t so systemd runs the daemon in the xdm_t domain. This lets
Sonic Login Manager launch X11 user sessions under SELinux enforcing
mode without granting broad unconfined_t permissions.
%prep
%setup -c -T
cp %{SOURCE0} .
cp %{SOURCE1} .
%build
# Compile the SELinux type enforcement file and file context rules into a loadable module package
checkmodule -M -m -o plasmalogin-selinux.mod plasmalogin-selinux.te
semodule_package -o plasmalogin-selinux.pp -m plasmalogin-selinux.mod -f plasmalogin-selinux.fc
%install
install -D -m 644 plasmalogin-selinux.pp %{buildroot}%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
%post
# Load the SELinux policy module and apply file contexts to the plasmalogin binaries
semodule -i %{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp || :
restorecon -Rv /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :
%postun
if [ $1 -eq 0 ]; then
# Remove the SELinux policy module and restore default file contexts on uninstall
semodule -r plasmalogin-selinux || :
restorecon -Rv /usr/bin/plasmalogin /usr/libexec/plasmalogin-helper /usr/libexec/plasmalogin-helper-start-x11user /usr/libexec/plasma-login-greeter || :
fi
%files
%{_datadir}/selinux/packages/targeted/plasmalogin-selinux.pp
%changelog
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 1.0.1-1
- Use with file context rules labeling plasmalogin binaries as xdm_exec_t instead
* Tue Jun 30 2026 Anders da Silva Rytter Hansen <andersrh@users.noreply.github.com> - 1.0-1
- Initial package with SELinux allow rule for plasmalogin-helper-start-x11user