-
-
Save m1nicrusher/35e79b20553c8863e0c642f8d801da7f to your computer and use it in GitHub Desktop.
| # !/bin/bash | |
| # Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy/ | |
| # sudo required | |
| if ! [ $(id -u) = 0 ]; then | |
| echo "Root privilege is needed. Please rerun the script as root." >&2 | |
| exit 1 | |
| fi | |
| SUDO_CFG="/etc/pam.d/sudo" | |
| GDM_CFG="/etc/pam.d/gdm-password" | |
| SUDO_PATTERN='1i\' # Append to the first line | |
| GDM_PATTERN='/auth.*substack.*password-auth/i\' # Append before password-auth line | |
| HOWDY_PAM="auth sufficient pam_python.so /lib64/security/howdy/pam.py" | |
| HOWDY_DLIB="/lib64/security/howdy/dlib-data" | |
| # Configure sudo | |
| sed -i "$SUDO_PATTERN$HOWDY_PAM" $SUDO_CFG | |
| # Configure GDM | |
| sed -i "$GDM_PATTERN$HOWDY_PAM" $GDM_CFG | |
| # Configure Permission | |
| chmod o+x $HOWDY_DLIB | |
| # Configure SELinux | |
| MODULE=$(cat << EOF | |
| module howdy 1.0; | |
| require { | |
| type lib_t; | |
| type xdm_t; | |
| type v4l_device_t; | |
| type sysctl_vm_t; | |
| class chr_file map; | |
| class file { create getattr open read write }; | |
| class dir add_name; | |
| } | |
| #============= xdm_t ============== | |
| allow xdm_t lib_t:dir add_name; | |
| allow xdm_t lib_t:file { create write }; | |
| allow xdm_t sysctl_vm_t:file { getattr open read }; | |
| allow xdm_t v4l_device_t:chr_file map; | |
| EOF | |
| ) | |
| echo "$MODULE" > howdy.te | |
| checkmodule -M -m -o howdy.mod howdy.te | |
| semodule_package -o howdy.pp -m howdy.mod | |
| semodule -i howdy.pp | |
| rm howdy.te howdy.mod howdy.pp | |
| # Done! | |
| echo Done. Please restart terminal to check sudo result. |
Could you update the script to include the mkdir to work around this issue? Fedora seems to have this problem.
boltgolt/howdy#801
Could you update the script to include the mkdir to work around this issue? Fedora seems to have this problem. boltgolt/howdy#801
There is one SELinux rule missing for Fedora 39 and Gnome auth. You will get "unknown error -1" message due to fact that SELinux blocks generation of the snapshot dir. Please add to the howdy SELinux module:
allow xdm_t lib_t:dir create;
So it reads like this:
module howdy 1.0;
require {
type lib_t;
type xdm_t;
type v4l_device_t;
type sysctl_vm_t;
class chr_file map;
class dir { create add_name };
class file { create getattr open read write };
class dir add_name;
}
#============= xdm_t ==============
allow xdm_t lib_t:dir create;
allow xdm_t lib_t:dir add_name;
allow xdm_t lib_t:file { create write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;
Based on this script, I created one for the new howdy-beta (which provides a self-contained pam_howdy.so)
https://gist.github.com/robertoschwald/d34f78fe1cb66032695ebd747bd189a1
What pam file should I edit to enable this for e.g. 1Password app unlock? It already supports unlocking with my Fedora user password.
Is there a pam module provided by 1Pw?
@robertoschwald I couldn't find one, it must be using an existing one. I'll try to add it everywhere 😅
Note this script only configures Howdy with the system. It only solves the issue when Howdy is not complaining about an error, but simply doesn't show up when needed for authentication. It does not configure Howdy itself. You'll probably still need to select a working IR camera in Howdy config yourself.