vladan/workstation-ostree-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Enable systemd-homed

Browse source 
This requires some PAM config updates and disabling SELinux.
This commit is contained in:
Martin Pitt 2020-09-26 17:25:01 +02:00 committed by Vladan Popovic
parent 99bfa2406a
commit aa2b9cc1ea
1 changed files with 59 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

59
pitti-post.sh
View file

@ -18,10 +18,69 @@ EOF
ln -sfn ../iwd.service /usr/lib/systemd/system/multi-user.target.wants/iwd.service ln -sfn ../iwd.service /usr/lib/systemd/system/multi-user.target.wants/iwd.service
ln -sfn /run/NetworkManager/resolv.conf /etc/resolv.conf ln -sfn /run/NetworkManager/resolv.conf /etc/resolv.conf
# set up PAM for systemd-homed (https://bugzilla.redhat.com/show_bug.cgi?id=1806949)
patch /etc/pam.d/system-auth <<EOF
--- /usr/etc/pam.d/system-auth 1970-01-01 01:00:00.000000000 +0100
+++ /etc/pam.d/system-auth 2020-04-13 14:31:16.866558333 +0200
@@ -3,16 +3,20 @@
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
+-auth sufficient pam_systemd_home.so # added
auth required pam_deny.so
-account required pam_unix.so
+account sufficient pam_unix.so
+-account sufficient pam_systemd_home.so # added
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+-password sufficient pam_systemd_home.so # added
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
+-session optional pam_systemd_home.so # added
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
patch /etc/pam.d/password-auth <<EOF
--- password-auth
+++ password-auth
@@ -3,16 +3,20 @@
# User changes will be destroyed the next time authselect is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
+-auth sufficient pam_systemd_home.so # added
auth required pam_deny.so
-account required pam_unix.so
+account sufficient pam_unix.so
+-account sufficient pam_systemd_home.so # added
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+-password sufficient pam_systemd_home.so # added
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
+-session optional pam_systemd_home.so # added
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
# homed is missing a lot of SELinux policy (https://bugzilla.redhat.com/show_bug.cgi?id=1809878)
# "disabled" breaks rpm-ostree (https://bugzilla.redhat.com/show_bug.cgi?id=1882933), so just use permissive
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
# enable other units # enable other units
mkdir -p /usr/lib/systemd/system/getty.target.wants mkdir -p /usr/lib/systemd/system/getty.target.wants
ln -s ../getty@.service /usr/lib/systemd/system/getty.target.wants/getty@tty1.service ln -s ../getty@.service /usr/lib/systemd/system/getty.target.wants/getty@tty1.service
ln -s ../systemd-timesyncd.service /usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service ln -s ../systemd-timesyncd.service /usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
ln -s ../systemd-homed.service /usr/lib/systemd/system/multi-user.target.wants/systemd-homed.service
ln -s ../cockpit.socket /usr/lib/systemd/system/sockets.target.wants/cockpit.socket ln -s ../cockpit.socket /usr/lib/systemd/system/sockets.target.wants/cockpit.socket
ln -s ../sshd.socket /usr/lib/systemd/system/sockets.target.wants/sshd.socket ln -s ../sshd.socket /usr/lib/systemd/system/sockets.target.wants/sshd.socket