Howdy/SELinux

From LinuxReviews
Jump to navigationJump to search

The Howdy facial recognition authentication program requires a SELinux module to work on Fedora. This is of course not included with in the Howdy package.

A module can be created by disabling SELinux (setenforce 0), starting a program that uses Howdy so what it does is logged, re-enabling SELinux (setenforce 1) and then running

ausearch -c python3 | audit2allow -m howdy >howdy.te

which produces the following proposed policy module:

File: howdy.te
module howdy 1.0;

require {
	type xdm_t;
	type sysctl_vm_t;
	type lib_t;
	type v4l_device_t;
	class dir { add_name create remove_name write };
	class file { create getattr open read rename write };
	class chr_file map;
}

#============= xdm_t ==============
allow xdm_t lib_t:dir { add_name create remove_name write };
allow xdm_t lib_t:file { create rename write };
allow xdm_t sysctl_vm_t:file { getattr open read };
allow xdm_t v4l_device_t:chr_file map;

You can simply copy and paste this fine proposed module if you like it and compile it and insert it with:

checkmodule -M -m -o howdy.mod howdy.te
semodule_package -o howdy.pp -m howdy.mod
semodule -i howdy.pp

This module was tested on Howdy version 2.6.1. It works for LightDM, ssdm, etc.

Back to Howdy

Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.