@robertoschwald
Forked from m1nicrusher/ConfigHowdy.sh
Last active May 20, 2024 16:15
Config Howdy-Beta for Fedora 39 using GNOME
#!/usr/bin/env bash
set -e
# Configure Fedora PAM to use Howdy for facial recognition
# Configures sudo and GDM login.
# SELinux is also configured to allow Howdy to access necessary resources.
# Notes:
# - This script is tested on Fedora 39.
# - This script is for howdy-beta version, which provides pam_howdy.so
# Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy-beta/
# Based on https://gist.github.com/m1nicrusher/35e79b20553c8863e0c642f8d801da7f
# Root is required
if ! [ "$(id -u)" = 0 ]; then
  echo "Root privilege is needed. Please rerun the script as root." >&2
  exit 1
fi
SUDO_CFG="/etc/pam.d/sudo"
GDM_CFG="/etc/pam.d/gdm-password"
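SUDO_PATTERN='1i\' # Insert before the first line
GDM_PATTERN='/auth.*substack.*password-auth/i\' # Insert before the password-auth substack line
# 'sufficient': a successful face match satisfies the auth stack without the
# password prompt; on failure PAM falls through to the existing password rules.
HOWDY_PAM="auth sufficient pam_howdy.so"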
if ! grep -q "$HOWDY_PAM" "$SUDO_CFG"; then
  echo "Configuring sudo PAM"
  sed -i "$SUDO_PATTERN$HOWDY_PAM" "$SUDO_CFG"
else
  echo "sudo PAM already configured"
fi
# Configure GDM
if ! grep -q "$HOWDY_PAM" "$GDM_CFG"; then
  echo "Configuring GDM PAM"
  sed -i "$GDM_PATTERN$HOWDY_PAM" "$GDM_CFG"
else
  echo "GDM PAM already configured"
fi
echo "Configuring SELinux (this takes a moment)"
MODULE=$(cat << EOF
module howdy 1.0;
require {
  type lib_t;
  type xdm_t;
  type v4l_device_t;
  type sysctl_vm_t;
  class chr_file map;
  class dir { create add_name };
  class file { create getattr open read write };
}
#============= xdm_t ==============
allow xdm_t lib_t:dir create;
allow xdm_t lib_t:dir add_name;
allow xdm_t lib_t:file { create write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;
EOF
)
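# Build the module in a private temp directory instead of the current
# directory, and clean up even if a build step fails under `set -e`.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
echo "$MODULE" > "$WORKDIR/howdy.te"
checkmodule -M -m -o "$WORKDIR/howdy.mod" "$WORKDIR/howdy.te"
semodule_package -o "$WORKDIR/howdy.pp" -m "$WORKDIR/howdy.mod"
semodule -i "$WORKDIR/howdy.pp"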
# Done!
echo "Done. Please restart terminal to check sudo result."
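
The two `sed` edits above can be rehearsed on throwaway files before `/etc/pam.d` is touched. The following is an added example, not part of the gist: it applies the same patterns to constructed stand-ins for the `sudo` and `gdm-password` files and checks placement and idempotency. The function names and sample file contents are assumptions, and GNU sed is assumed, as on Fedora.

```shell
#!/usr/bin/env bash
# Added example: rehearse the gist's two sed edits on constructed PAM files.
HOWDY_PAM="auth sufficient pam_howdy.so"

# Same idempotent insert as the gist: $1 = file, $2 = sed address plus i\ command.
insert_howdy() {
    grep -qF "$HOWDY_PAM" "$1" || sed -i "$2$HOWDY_PAM" "$1"
}

# Print the line number of the first line in file $1 matching regex $2.
line_of() {
    grep -nE -m1 "$2" "$1" | cut -d: -f1
}

# Write constructed stand-ins for /etc/pam.d/sudo and /etc/pam.d/gdm-password
# into directory $1 (illustrative contents, not copied from a real system).
make_samples() {
    printf '%s\n' '#%PAM-1.0' \
        'auth       include      system-auth' \
        'account    include      system-auth' > "$1/sudo"
    printf '%s\n' 'auth        required      pam_selinux_permit.so' \
        'auth        substack      password-auth' \
        'auth        optional      pam_gnome_keyring.so' \
        'account     include       password-auth' > "$1/gdm-password"
}

# Apply both edits twice; print "ok" only if each file ends up as intended.
rehearse() {
    local dir h s rc=0
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    for pass in 1 2; do   # the second pass must change nothing
        insert_howdy "$dir/sudo" '1i\'
        insert_howdy "$dir/gdm-password" '/auth.*substack.*password-auth/i\'
    done
    # Exactly one howdy line per file, even after two passes.
    [ "$(grep -cF "$HOWDY_PAM" "$dir/sudo")" = 1 ] || rc=1
    [ "$(grep -cF "$HOWDY_PAM" "$dir/gdm-password")" = 1 ] || rc=1
    # sudo: howdy is line 1. GDM: howdy sits directly above the substack line.
    [ "$(line_of "$dir/sudo" 'pam_howdy')" = 1 ] || rc=1
    h=$(line_of "$dir/gdm-password" 'pam_howdy')
    s=$(line_of "$dir/gdm-password" 'substack.*password-auth')
    [ "$((h + 1))" = "$s" ] || rc=1
    rm -rf "$dir"
    [ "$rc" = 0 ] && echo ok
}
```

Calling `rehearse` prints `ok` when both inserts land where the script expects; on a real system the same `line_of` checks can be pointed at copies of the live files.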
@robertoschwald
Author

Look in /etc/pam.d if there is a module file for 1pw
