add selinux policy to howdy-beta #1

Open
troyready wants to merge 1 commit into principis:main from troyready:howdy-beta-selinux

@troyready

Trying to use howdy-beta on my Fedora 41 system results in SELinux `/var/log/audit/audit.log` errors like:

```
type=AVC msg=audit(1731249683.384:270): avc:  denied  { map } for  pid=2191 comm="python3" path="/dev/video2" dev="devtmpfs" ino=975 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0
```

I used `audit2allow` to create a working policy and have included it in the package here.

@principis

Owner

I'm a bit hesitant to include this in the package. Wouldn't this allow many processes and not just howdy to access v4l_device_t? Is there a better way to solve this?

@troyready

Author

I think it's more limited than it seems. If I look at running processes on my system now via `ps auxZ|grep -i 'xdm_[t]'`, the only two results are:

```
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 1759  0.0  0.0 534120  8676 ?        Ssl  Nov21   0:00 /usr/sbin/gdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 2571  0.0  0.0 615336 11828 ?        Sl   Nov21   0:00 gdm-session-worker [pam/gdm-password]
```

(notably, not other invocations of /usr/bin/python made by my user).
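
A way to check the scope question raised in this thread, as an added example that is not part of the pull request or of either participant's comments: it derives the allow rule implied by the quoted denial and lists which processes run in that rule's source domain. The rule format, the helper names and the simplified process lines are assumptions; the policy file itself is not shown on this page.

```python
import re

# Constructed sample input: the AVC record quoted in the thread, and simplified
# process lines (context, user, pid, command); the last line is made up.
AVC = ('type=AVC msg=audit(1731249683.384:270): avc:  denied  { map } for  '
       'pid=2191 comm="python3" path="/dev/video2" dev="devtmpfs" ino=975 '
       'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:v4l_device_t:s0 tclass=chr_file permissive=0')
PS_Z = """\
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 1759 /usr/sbin/gdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 2571 gdm-session-worker [pam/gdm-password]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 user 4242 /usr/bin/python3 demo.py
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field of user:role:type[:level], or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def rule_from_avc(line):
    """Derive the type-enforcement rule that would silence this denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    perms = m["perms"].split()
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    source, target = selinux_type(m["scontext"]), selinux_type(m["tcontext"])
    return {"source": source, "target": target, "tclass": m["tclass"],
            "rule": f"allow {source} {target}:{m['tclass']} {perm_str};"}

def processes_in_domain(ps_output, domain):
    """List (pid, command) for every process whose context type is `domain`."""
    hits = []
    for line in ps_output.splitlines():
        fields = line.split(None, 3)
        if len(fields) == 4 and selinux_type(fields[0]) == domain:
            hits.append((int(fields[2]), fields[3]))
    return hits

if __name__ == "__main__":
    info = rule_from_avc(AVC)
    print(info["rule"])  # the grant applies to every process listed below
    for pid, cmd in processes_in_domain(PS_Z, info["source"]):
        print(pid, cmd)
```

On a live system the second input would come from `ps -eo label,user,pid,args`; the header line is skipped because its first field is not a security context.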

RonnyPfannschmidt added a commit to RonnyPfannschmidt/copr-specs-howdy that referenced this pull request Dec 6, 2025
- Merge upstream PR principis#1 for SELinux policy
- Add udev rules for video device permissions (video group)
- Add gdm user to video group in %post for GDM login support
- Reload udev rules after installation