robertoschwald · September 1, 2024 20:05 · jusdMustafa · Jul 18, 2024
diff --git a/ConfigHowdyBeta.sh b/ConfigHowdyBeta.sh
 #!/usr/bin/env bash
 set -e

 # Configure Fedora PAM to use Howdy for facial recognition
 # Configured sudo and GDM login.
 # SELinux is also configured to allow Howdy to access necessary resources.
 # Notes:
 # - This script is tested on Fedora 39.
 # - This script is for howdy-beta version, which provides pam_howdy.so
 # Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy-beta/

 # Based on https://gist.github.com/m1nicrusher/35e79b20553c8863e0c642f8d801da7f

 # sudo required
 if ! [ "$(id -u)" = 0 ]; then
   echo "Root privilege is needed. Please rerun the script as root." >&2
   exit 1
 fi

 SUDO_CFG="/etc/pam.d/sudo"
 GDM_CFG="/etc/pam.d/gdm-password"
 SUDO_PATTERN='1i\' # Append to the first line
 GDM_PATTERN='/auth.*substack.*password-auth/i\' # Append before password-auth line

 HOWDY_PAM="auth        sufficient    pam_howdy.so"

 if ! grep -q "$HOWDY_PAM" "$SUDO_CFG"; then
  echo "Configuring sudo PAM"
  sed -i "$SUDO_PATTERN$HOWDY_PAM" $SUDO_CFG
 else
  echo "sudo PAM already configured"
 fi

 # Configure GDM
 if ! grep -q "$HOWDY_PAM" $GDM_CFG; then
  echo "Configuring GDM PAM"
  sed -i "$GDM_PATTERN$HOWDY_PAM" $GDM_CFG
 else
  echo "GDM PAM already configured"
 fi

 echo "Configuring SELinux (this takes a moment)"
 MODULE=$(cat << EOF
 module howdy 1.0;
 require {
    type lib_t;
    type xdm_t;
    type v4l_device_t;
    type sysctl_vm_t;
    class chr_file map;
    class dir { create add_name };
    class file { create getattr open read write };
 }
 #============= xdm_t ==============
 allow xdm_t lib_t:dir create;
 allow xdm_t lib_t:dir add_name;
 allow xdm_t lib_t:file { create write };
 allow xdm_t sysctl_vm_t:file { getattr open read };
 allow xdm_t v4l_device_t:chr_file map;
 EOF
 )

 echo "$MODULE" > howdy.te
 checkmodule -M -m -o howdy.mod howdy.te
 semodule_package -o howdy.pp -m howdy.mod
 semodule -i howdy.pp
 rm howdy.te howdy.mod howdy.pp

 # Done!
 echo "Done. Please restart terminal to check sudo result."
	#!/usr/bin/env bash
	set -e

	# Configure Fedora PAM to use Howdy for facial recognition
	# Configured sudo and GDM login.
	# SELinux is also configured to allow Howdy to access necessary resources.
	# Notes:
	# - This script is tested on Fedora 39.
	# - This script is for howdy-beta version, which provides pam_howdy.so
	# Reference: https://copr.fedorainfracloud.org/coprs/principis/howdy-beta/

	# Based on https://gist.github.com/m1nicrusher/35e79b20553c8863e0c642f8d801da7f

	# sudo required
	if ! [ "$(id -u)" = 0 ]; then
	echo "Root privilege is needed. Please rerun the script as root." >&2
	exit 1
	fi

	SUDO_CFG="/etc/pam.d/sudo"
	GDM_CFG="/etc/pam.d/gdm-password"
	SUDO_PATTERN='1i\' # Append to the first line
	GDM_PATTERN='/auth.substack.password-auth/i\' # Append before password-auth line

	HOWDY_PAM="auth sufficient pam_howdy.so"

	if ! grep -q "$HOWDY_PAM" "$SUDO_CFG"; then
	echo "Configuring sudo PAM"
	sed -i "$SUDO_PATTERN$HOWDY_PAM" $SUDO_CFG
	else
	echo "sudo PAM already configured"
	fi

	# Configure GDM
	if ! grep -q "$HOWDY_PAM" $GDM_CFG; then
	echo "Configuring GDM PAM"
	sed -i "$GDM_PATTERN$HOWDY_PAM" $GDM_CFG
	else
	echo "GDM PAM already configured"
	fi

	echo "Configuring SELinux (this takes a moment)"
	MODULE=$(cat << EOF
	module howdy 1.0;
	require {
	type lib_t;
	type xdm_t;
	type v4l_device_t;
	type sysctl_vm_t;
	class chr_file map;
	class dir { create add_name };
	class file { create getattr open read write };
	}
	#============= xdm_t ==============
	allow xdm_t lib_t:dir create;
	allow xdm_t lib_t:dir add_name;
	allow xdm_t lib_t:file { create write };
	allow xdm_t sysctl_vm_t:file { getattr open read };
	allow xdm_t v4l_device_t:chr_file map;
	EOF
	)

	echo "$MODULE" > howdy.te
	checkmodule -M -m -o howdy.mod howdy.te
	semodule_package -o howdy.pp -m howdy.mod
	semodule -i howdy.pp
	rm howdy.te howdy.mod howdy.pp

	# Done!
	echo "Done. Please restart terminal to check sudo result."