Created
November 9, 2022 14:23
Config Howdy for Fedora 36 using GNOME
```bash
#!/bin/bash
# Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy/

# sudo required
if ! [ "$(id -u)" = 0 ]; then
    echo "Root privilege is needed. Please rerun the script as root." >&2
    exit 1
fi

SUDO_CFG="/etc/pam.d/sudo"
GDM_CFG="/etc/pam.d/gdm-password"
SUDO_PATTERN='1i\' # Insert before the first line
GDM_PATTERN='/auth.*substack.*password-auth/i\' # Insert before the password-auth line
HOWDY_PAM="auth sufficient pam_python.so /lib64/security/howdy/pam.py"
HOWDY_DLIB="/lib64/security/howdy/dlib-data"

# Configure sudo
sed -i "$SUDO_PATTERN$HOWDY_PAM" "$SUDO_CFG"

# Configure GDM
sed -i "$GDM_PATTERN$HOWDY_PAM" "$GDM_CFG"

# Configure Permission
chmod o+x "$HOWDY_DLIB"

# Configure SELinux
MODULE=$(cat << EOF
module howdy 1.0;

require {
    type lib_t;
    type xdm_t;
    type v4l_device_t;
    type sysctl_vm_t;
    class chr_file map;
    class file { create getattr open read write };
    class dir add_name;
}

#============= xdm_t ==============
allow xdm_t lib_t:dir add_name;
allow xdm_t lib_t:file { create write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;
EOF
)

# Build and install the policy module, then remove the build artifacts
echo "$MODULE" > howdy.te
checkmodule -M -m -o howdy.mod howdy.te
semodule_package -o howdy.pp -m howdy.mod
semodule -i howdy.pp
rm howdy.te howdy.mod howdy.pp

# Done!
echo "Done. Please restart terminal to check sudo result."
```
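The two `sed -i` inserts in the script add another Howdy line to each PAM file every time the script is re-run. The following added example (not part of the gist) makes both inserts idempotent and leaves the file untouched when the anchor line is missing; the function names and the constructed PAM files in `demo` are assumptions for illustration.

```bash
#!/bin/bash
# Added example (not from the gist): idempotent form of its two sed inserts.
HOWDY_PAM="auth sufficient pam_python.so /lib64/security/howdy/pam.py"

# Number of lines in file $1 that are exactly the Howdy rule.
howdy_count() {
    grep -cxF -- "$HOWDY_PAM" "$1" || true
}

# Line number(s) of the Howdy rule in $1 (empty if absent).
howdy_line() {
    grep -nxF -- "$HOWDY_PAM" "$1" | cut -d: -f1
}

# Insert the rule before the first line of $1 matching ERE $2, once.
# Returns 0 if the rule is present afterwards, 1 if the anchor is missing.
ensure_howdy() {
    local file="$1" anchor="$2"
    grep -qxF -- "$HOWDY_PAM" "$file" && return 0      # already configured
    if ! grep -qE -- "$anchor" "$file"; then
        echo "anchor '$anchor' not found in $file; left unchanged" >&2
        return 1
    fi
    cp -p -- "$file" "$file.bak"                       # keep a rollback copy
    # Write back in place so the file keeps its inode, owner and mode.
    awk -v re="$anchor" -v rule="$HOWDY_PAM" \
        '!done && $0 ~ re { print rule; done = 1 } { print }' \
        "$file.bak" > "$file"
}

# Demo on constructed PAM files in a temp dir (never touches /etc/pam.d).
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' 'auth       include      system-auth' > "$d/sudo"
    printf '%s\n' 'auth        required      pam_env.so' \
        'auth        substack      password-auth' \
        'auth        optional      pam_gnome_keyring.so' > "$d/gdm-password"
    ensure_howdy "$d/sudo" '^'                                      # first line
    ensure_howdy "$d/gdm-password" 'auth.*substack.*password-auth'
    ensure_howdy "$d/gdm-password" 'auth.*substack.*password-auth'  # re-run
    echo "sudo: $(howdy_count "$d/sudo") rule(s), line $(howdy_line "$d/sudo")"
    echo "gdm:  $(howdy_count "$d/gdm-password") rule(s), line $(howdy_line "$d/gdm-password")"
    rm -rf -- "$d"
}
demo
```

Running `howdy_count` against the real `/etc/pam.d/sudo` and `/etc/pam.d/gdm-password` after the original script shows whether a repeated run has left duplicate `sufficient` entries.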
Based on this script, I created one for the new howdy-beta (which provides a self-contained pam_howdy.so)
https://gist.github.com/robertoschwald/d34f78fe1cb66032695ebd747bd189a1
What pam file should I edit to enable this for e.g. 1Password app unlock? It already supports unlocking with my Fedora user password.
Is there a pam module provided by 1Pw?
@robertoschwald I couldn't find one, it must be using an existing one. I'll try to add it everywhere 😅
There is one SELinux rule missing for Fedora 39 and GNOME auth. You will get an "unknown error -1" message due to the fact that SELinux blocks generation of the snapshot dir. Please add to the howdy SELinux module:
allow xdm_t lib_t:dir create;
So it reads like this: