```bash
#!/bin/bash
# Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy/
# sudo required
if ! [ "$(id -u)" = 0 ]; then
    echo "Root privilege is needed. Please rerun the script as root." >&2
    exit 1
fi

SUDO_CFG="/etc/pam.d/sudo"
GDM_CFG="/etc/pam.d/gdm-password"
SUDO_PATTERN='1i\'                               # Insert as the first line
GDM_PATTERN='/auth.*substack.*password-auth/i\'  # Insert before the password-auth line
HOWDY_PAM="auth sufficient pam_python.so /lib64/security/howdy/pam.py"
HOWDY_DLIB="/lib64/security/howdy/dlib-data"

# Configure sudo
sed -i "$SUDO_PATTERN$HOWDY_PAM" "$SUDO_CFG"
# Configure GDM
sed -i "$GDM_PATTERN$HOWDY_PAM" "$GDM_CFG"
# Configure permissions: let other users (the display manager) traverse the dlib data directory
chmod o+x "$HOWDY_DLIB"

# Configure SELinux: allow the GDM domain (xdm_t) to map the camera device,
# read vm sysctls and create/write Howdy's files under lib_t
MODULE=$(cat << EOF
module howdy 1.0;
require {
    type lib_t;
    type xdm_t;
    type v4l_device_t;
    type sysctl_vm_t;
    class chr_file map;
    class file { create getattr open read write };
    class dir add_name;
}
#============= xdm_t ==============
allow xdm_t lib_t:dir add_name;
allow xdm_t lib_t:file { create write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;
EOF
)
echo "$MODULE" > howdy.te
checkmodule -M -m -o howdy.mod howdy.te
semodule_package -o howdy.pp -m howdy.mod
semodule -i howdy.pp
rm howdy.te howdy.mod howdy.pp

# Done!
echo "Done. Please restart the terminal to check the sudo result."
```
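The script's `sed -i '1i\…'` edits are not idempotent: every rerun stacks another `auth sufficient` line, and the GDM edit silently does nothing if the anchor line is missing. The helper below is an added example, not part of the gist; it assumes GNU sed (as on Fedora) and reuses the gist's PAM line, and is meant to be tried on a copy of the PAM file before the real one.

```bash
#!/bin/bash
# Added example (not the gist author's script): idempotent PAM edits with an
# anchor check. Assumes GNU sed's one-line "ADDR i TEXT" form (Fedora).
HOWDY_PAM="auth sufficient pam_python.so /lib64/security/howdy/pam.py"

# ensure_pam_line FILE SED_ADDRESS LINE
#   Inserts LINE before the line selected by SED_ADDRESS ('1' for the sudo
#   file, '/auth.*substack.*password-auth/' for gdm-password) unless an
#   identical line already exists, so rerunning never duplicates the entry.
#   Exit status: 0 = line present or added, 2 = anchor not found (file untouched).
ensure_pam_line() {
    local file="$1" addr="$2" line="$3"
    grep -qxF -- "$line" "$file" && return 0
    # Refuse to edit when the anchor is absent: a silent no-op would leave the
    # admin believing face auth is wired in when it is not.
    [ -n "$(sed -n "${addr}=" "$file")" ] || return 2
    cp -p -- "$file" "$file.bak"   # keep a rollback copy before touching PAM
    sed -i "${addr}i ${line}" "$file"
}

# howdy_line_number FILE
#   Prints the 1-based line number of the Howdy entry, or nothing if absent.
howdy_line_number() {
    grep -nxF -- "$HOWDY_PAM" "$1" | head -n1 | cut -d: -f1
}

# Dry run on a copy (never the live file):
#   cp /etc/pam.d/gdm-password /tmp/gdm-password
#   ensure_pam_line /tmp/gdm-password '/auth.*substack.*password-auth/' "$HOWDY_PAM"
#   howdy_line_number /tmp/gdm-password
```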
Could you update the script to include the mkdir to work around this issue? Fedora seems to have this problem. boltgolt/howdy#801
There is one SELinux rule missing for Fedora 39 and GNOME auth. You will get an "unknown error -1" message due to the fact that SELinux blocks generation of the snapshot dir. Please add to the howdy SELinux module:

`allow xdm_t lib_t:dir create;`

So it reads like this:

```
module howdy 1.0;
require {
    type lib_t;
    type xdm_t;
    type v4l_device_t;
    type sysctl_vm_t;
    class chr_file map;
    class dir { create add_name };
    class file { create getattr open read write };
    class dir add_name;
}
#============= xdm_t ==============
allow xdm_t lib_t:dir create;
allow xdm_t lib_t:dir add_name;
allow xdm_t lib_t:file { create write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;
```
Based on this script, I created one for the new howdy-beta (which provides a self-contained pam_howdy.so)
https://gist.github.com/robertoschwald/d34f78fe1cb66032695ebd747bd189a1
What pam file should I edit to enable this for e.g. 1Password app unlock? It already supports unlocking with my Fedora user password.
Is there a pam module provided by 1Pw?
@robertoschwald I couldn't find one, it must be using an existing one. I'll try to add it everywhere 😅