@m1nicrusher
Created November 9, 2022 14:23
Config Howdy for Fedora 36 using GNOME
#!/bin/bash
# Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy/

# Root is required: the script edits /etc/pam.d and loads an SELinux module
if [ "$(id -u)" -ne 0 ]; then
    echo "Root privilege is needed. Please rerun the script as root." >&2
    exit 1
fi

SUDO_CFG="/etc/pam.d/sudo"
GDM_CFG="/etc/pam.d/gdm-password"
SUDO_PATTERN='1i\' # Insert before the first line
GDM_PATTERN='/auth.*substack.*password-auth/i\' # Insert before the password-auth line
# "sufficient": a successful face match alone satisfies the auth stack
HOWDY_PAM="auth sufficient pam_python.so /lib64/security/howdy/pam.py"
HOWDY_DLIB="/lib64/security/howdy/dlib-data"

# Configure sudo
sed -i "$SUDO_PATTERN$HOWDY_PAM" "$SUDO_CFG"

# Configure GDM
sed -i "$GDM_PATTERN$HOWDY_PAM" "$GDM_CFG"

# Configure permission: let non-root users traverse the dlib data directory
chmod o+x "$HOWDY_DLIB"

# Configure SELinux: allow the GDM domain (xdm_t) to use the camera device
# and to create and write files under lib_t directories
MODULE=$(cat << EOF
module howdy 1.0;

require {
    type lib_t;
    type xdm_t;
    type v4l_device_t;
    type sysctl_vm_t;
    class chr_file map;
    class file { create getattr open read write };
    class dir add_name;
}

#============= xdm_t ==============
allow xdm_t lib_t:dir add_name;
allow xdm_t lib_t:file { create write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;
EOF
)

# Compile, package and install the policy module, then remove the build files
echo "$MODULE" > howdy.te
checkmodule -M -m -o howdy.mod howdy.te
semodule_package -o howdy.pp -m howdy.mod
semodule -i howdy.pp
rm howdy.te howdy.mod howdy.pp

# Done!
echo "Done. Please restart terminal to check sudo result."
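
A re-runnable variant of the two PAM edits in the script above, as an added example that is not part of the gist: running the gist's `sed -i` lines twice stacks duplicate auth lines, and they change nothing (silently) if the anchor line is absent. The function names `add_howdy_line` and `howdy_services` and the `.pre-howdy` backup suffix are assumptions; awk is used instead of sed so that only the first matching line is touched.

```shell
#!/bin/bash
# Added example, not part of the gist. Same PAM line the gist inserts.
HOWDY_PAM="auth sufficient pam_python.so /lib64/security/howdy/pam.py"

# add_howdy_line FILE ANCHOR_REGEX
# Insert $HOWDY_PAM before the first line matching ANCHOR_REGEX.
# Returns 0 if the line is present afterwards, 1 if the anchor was not found.
add_howdy_line() {
    local file=$1 anchor=$2 tmp
    # Idempotence: a second run must not stack duplicate auth lines.
    grep -qxF "$HOWDY_PAM" "$file" && return 0
    tmp=$(mktemp) || return 1
    awk -v line="$HOWDY_PAM" -v re="$anchor" '
        !seen && $0 ~ re { print line; seen = 1 }
        { print }
    ' "$file" > "$tmp"
    # Only touch the live file if the insert actually happened.
    if ! grep -qxF "$HOWDY_PAM" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cp -p "$file" "$file.pre-howdy"   # backup for rollback
    cat "$tmp" > "$file"              # rewrite in place: keeps owner, mode and SELinux label
    rm -f "$tmp"
}

# howdy_services DIR
# List the PAM service files in DIR that reference Howdy, i.e. every
# service where a face match can now satisfy authentication.
howdy_services() {
    grep -lF "howdy/pam.py" "$1"/* 2>/dev/null | sort
}
```

With the gist's anchors this is `add_howdy_line /etc/pam.d/sudo '^'` and `add_howdy_line /etc/pam.d/gdm-password 'auth.*substack.*password-auth'`; `howdy_services /etc/pam.d` then shows which services accept the face match.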
@robertoschwald

robertoschwald commented Apr 18, 2024

Could you update the script to include the mkdir to work around this issue? Fedora seems to have this problem. boltgolt/howdy#801

There is one SELinux rule missing for Fedora 39 and GNOME auth. You will get an "unknown error -1" message due to the fact that SELinux blocks generation of the snapshot dir. Please add to the howdy SELinux module:

allow xdm_t lib_t:dir create;

So it reads like this:

module howdy 1.0;

require {
    type lib_t;
    type xdm_t;
    type v4l_device_t;
    type sysctl_vm_t;
    class chr_file map;
    class dir { create add_name };
    class file { create getattr open read write };
}

#============= xdm_t ==============
allow xdm_t lib_t:dir create;
allow xdm_t lib_t:dir add_name;
allow xdm_t lib_t:file { create write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;

@robertoschwald

Based on this script, I created one for the new howdy-beta (which provides a self-contained pam_howdy.so)

https://gist.github.com/robertoschwald/d34f78fe1cb66032695ebd747bd189a1

@forabi

forabi commented May 2, 2024

What pam file should I edit to enable this for e.g. 1Password app unlock? It already supports unlocking with my Fedora user password.

@robertoschwald

Is there a pam module provided by 1Pw?

@forabi

forabi commented May 2, 2024

@robertoschwald I couldn't find one, it must be using an existing one. I'll try to add it everywhere 😅
