Enable systemd-homed
authorMartin Pitt <martin@piware.de>
Sat, 26 Sep 2020 15:25:01 +0000 (17:25 +0200)
committerMartin Pitt <martin@piware.de>
Sun, 8 Aug 2021 05:54:53 +0000 (07:54 +0200)
This requires some PAM config updates and disabling SELinux.

pitti-post.sh

index 54913242b2026d51659d2002d992755d8a3e8f1b..a5441e5bddb5975a3e94009c5bb6427796a09803 100755 (executable)
@@ -18,10 +18,69 @@ EOF
 ln -sfn ../iwd.service /usr/lib/systemd/system/multi-user.target.wants/iwd.service
 ln -sfn /run/NetworkManager/resolv.conf /etc/resolv.conf
 
+# set up PAM for systemd-homed (https://bugzilla.redhat.com/show_bug.cgi?id=1806949)
+patch /etc/pam.d/system-auth <<EOF
+--- /usr/etc/pam.d/system-auth 1970-01-01 01:00:00.000000000 +0100
++++ /etc/pam.d/system-auth     2020-04-13 14:31:16.866558333 +0200
+@@ -3,16 +3,20 @@
+ # User changes will be destroyed the next time authselect is run.
+ auth        required      pam_env.so
+ auth        sufficient    pam_unix.so try_first_pass nullok
++-auth     sufficient pam_systemd_home.so                                  # added
+ auth        required      pam_deny.so
+
+-account     required      pam_unix.so
++account     sufficient    pam_unix.so
++-account  sufficient pam_systemd_home.so                                  # added
+
+ password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+ password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
++-password sufficient pam_systemd_home.so                                  # added
+ password    required      pam_deny.so
+
+ session     optional      pam_keyinit.so revoke
+ session     required      pam_limits.so
++-session  optional   pam_systemd_home.so                                  # added
+ -session     optional      pam_systemd.so
+ session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+ session     required      pam_unix.so
+EOF
+patch /etc/pam.d/password-auth <<EOF
+--- password-auth
++++ password-auth
+@@ -3,16 +3,20 @@
+ # User changes will be destroyed the next time authselect is run.
+ auth        required      pam_env.so
+ auth        sufficient    pam_unix.so try_first_pass nullok
++-auth       sufficient    pam_systemd_home.so            # added
+ auth        required      pam_deny.so
+
+-account     required      pam_unix.so
++account     sufficient    pam_unix.so
++-account  sufficient pam_systemd_home.so                 # added
+
+ password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+ password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
++-password   sufficient    pam_systemd_home.so            # added
+ password    required      pam_deny.so
+
+ session     optional      pam_keyinit.so revoke
+ session     required      pam_limits.so
++-session    optional      pam_systemd_home.so            # added
+ -session     optional      pam_systemd.so
+ session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+ session     required      pam_unix.so
+EOF
+
+# homed is missing a lot of SELinux policy (https://bugzilla.redhat.com/show_bug.cgi?id=1809878)
+# "disabled" breaks rpm-ostree (https://bugzilla.redhat.com/show_bug.cgi?id=1882933), so just use permissive
+sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
+
 # enable other units
 mkdir -p /usr/lib/systemd/system/getty.target.wants
 ln -s ../getty@.service /usr/lib/systemd/system/getty.target.wants/getty@tty1.service
 ln -s ../systemd-timesyncd.service /usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+ln -s ../systemd-homed.service /usr/lib/systemd/system/multi-user.target.wants/systemd-homed.service
 ln -s ../cockpit.socket /usr/lib/systemd/system/sockets.target.wants/cockpit.socket
 ln -s ../sshd.socket /usr/lib/systemd/system/sockets.target.wants/sshd.socket