From 73798e518eeae368f871f00197cd175fba0cf390 Mon Sep 17 00:00:00 2001
From: Anders da Silva Rytter Hansen
Date: Tue, 30 Jun 2026 16:00:30 -0300
Subject: [PATCH] SE policy test

---
 Dockerfile | 10 +++++++++-
 selinux/plasmalogin-selinux.te | 12 ++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 selinux/plasmalogin-selinux.te

diff --git a/Dockerfile b/Dockerfile
index badf0a5..734aa27 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ RUN dnf config-manager --add-repo https://copr.fedorainfracloud.org/coprs/g/xlib
 # This may be necessary for the speakers and internal microphone
 RUN dnf install -y alsa-sof-firmware
 
-RUN dnf install xorg-x11-xinit xorg-x11-xinit-session xkbcomp xinput xlibre-xserver-Xorg xlibre-xserver-common xlibre-xf86-input-libinput cage weston xrandr -y
+RUN dnf install xorg-x11-xinit xkbcomp xinput xlibre-xserver-Xorg xlibre-xserver-common xlibre-xf86-input-libinput cage weston xrandr -y
 
 RUN dnf install --allowerasing -y \
     sonic-workspace \
@@ -29,6 +29,14 @@ RUN dnf install --allowerasing -y sonic-keybind-daemon sonic-frameworks-windowsy
 RUN dnf remove -y sddm && \
     dnf install --allowerasing -y sonic-login-manager
 
+RUN dnf install -y selinux-policy-devel checkpolicy
+
+COPY selinux/plasmalogin-selinux.te /tmp/plasmalogin-selinux.te
+RUN checkmodule -M -m -o /tmp/plasmalogin-selinux.mod /tmp/plasmalogin-selinux.te && \
+    semodule_package -o /tmp/plasmalogin-selinux.pp -m /tmp/plasmalogin-selinux.mod && \
+    semodule -i /tmp/plasmalogin-selinux.pp && \
+    rm -f /tmp/plasmalogin-selinux.*
+
 RUN dnf install -y fish distrobox nvtop intel-media-driver libva-intel-driver htop firefox
 
 # Remove plocate to avoid updatedb going crazy with scanning the file system once a day
diff --git a/selinux/plasmalogin-selinux.te b/selinux/plasmalogin-selinux.te
new file mode 100644
index 0000000..2acbf27
--- /dev/null
+++ b/selinux/plasmalogin-selinux.te
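Review bot: `selinux-policy-devel` and `checkpolicy` are installed in the second hunk only to compile the module, yet nothing removes them after `semodule -i` succeeds, so the policy build toolchain ends up in every image built from this Dockerfile. Appending `dnf remove -y selinux-policy-devel checkpolicy` after `rm -f /tmp/plasmalogin-selinux.*` in the same `RUN` chain, or compiling the `.pp` in a separate build stage and copying only the packaged module in, keeps the runtime image limited to what it needs. A one-line comment above the `COPY` explaining which denial the module works around would also help, since the subject "SE policy test" reads as an experiment rather than a permanent change. The removal of `xorg-x11-xinit-session` in the first hunk is unrelated to the SELinux change and is not mentioned anywhere in the commit message.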
@@ -0,0 +1,12 @@
+module plasmalogin-selinux 1.0;
+
+require {
+	type unconfined_t;
+	type xdm_exec_t;
+	class file { entrypoint execute };
+}
+
+# Allow the plasmalogin process to execute the X11 user helper binary
+# which is labeled as xdm_exec_t. This is needed when the plasmalogin
+# daemon is not running in the xdm_t domain on SELinux enforcing systems.
+allow unconfined_t xdm_exec_t:file { entrypoint execute };
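Review bot: The `allow` rule grants `entrypoint` in addition to `execute` on `xdm_exec_t`, but the comment above it only justifies executing the helper; `entrypoint` additionally marks every `xdm_exec_t` binary as a valid entry point into `unconfined_t`, which is broader than the stated need. If running the helper is all that is required, `allow unconfined_t xdm_exec_t:file execute;` is the narrower rule; if a domain transition is actually involved, the comment should name the transition and why landing in `unconfined_t` rather than `xdm_t` is intended. It would also be worth recording in the header comment the exact AVC denial this module was written against, so that a later base policy update that already grants the access can be recognised and the module retired.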