From 4ca91cd9f77ea53f2247314dc097dbaf43934e60 Mon Sep 17 00:00:00 2001 From: purian23 Date: Fri, 17 Oct 2025 01:28:59 -0400 Subject: [PATCH] SELinux & Path DIR updates --- Modules/Greetd/README.md | 165 +++++++++++++++++++++++++++++++-------- dms-greeter.spec | 130 ++++++++++++++++++++++++------ 2 files changed, 238 insertions(+), 57 deletions(-) diff --git a/Modules/Greetd/README.md b/Modules/Greetd/README.md index 97cd6ecb..3550db3b 100644 --- a/Modules/Greetd/README.md +++ b/Modules/Greetd/README.md @@ -22,36 +22,100 @@ paru -S greetd-dms-greeter-git yay -S greetd-dms-greeter-git ``` -Then in your `/etc/greetd/config.toml` enable dms-greeter by replacing the greeter command with dms-greeter. - -```bash -# hyprland and sway are also supported as compositors -command = "/usr/bin/dms-greeter --command niri" -``` - -See `dms-greeter --help` for full options including custom compositor configurations. - -Once installed, you should disable any existing greeter (such as gdm, sddm, lightdm), and you can configure the greeter to run at boot with: +Once installed, disable any existing display manager and enable greetd: ```bash +sudo systemctl disable gdm sddm lightdm sudo systemctl enable greetd ``` -#### Syncing themes -To sync wallpapers, colors, and other settings from the logged in user, you can add your user to the `greeter` group and symlink the shell configurations. +#### Syncing themes (Optional) + +To sync your wallpaper and theme with the greeter login screen: ```bash -sudo usermod -aG greeter -# LOGOUT and LOGIN after adding user to group - - -ln -sf ~/.config/DankMaterialShell/settings.json /var/cache/dms-greeter/settings.json - -ln -sf ~/.local/state/DankMaterialShell/session.json /var/cache/dms-greeter/session.json - -ln -sf ~/.cache/quickshell/dankshell/dms-colors.json /var/cache/dms-greeter/colors.json +dms-greeter-sync ``` +Then logout/login for changes to take effect. Your wallpaper and theme will appear on the greeter! + +
+What does dms-greeter-sync do? + +The `dms-greeter-sync` helper automatically: +- Adds you to the greeter group +- Sets minimal ACL permissions on parent directories (traverse only) +- Sets group ownership on your DMS config directories +- Creates symlinks to share your theme files with the greeter + +This uses standard Linux ACLs (Access Control Lists) - the same security model used by GNOME, KDE, and systemd. The greeter user only gets traverse permission through your directories and can only read the specific theme files you share. + +
+ +
+Manual theme syncing (advanced) + +If you prefer to set up theme syncing manually: + +```bash +# Add yourself to greeter group +sudo usermod -aG greeter + +# Set ACLs to allow greeter to traverse your directories +setfacl -m u:greeter:x ~ ~/.config ~/.local ~/.cache ~/.local/state + +# Set group ownership on config directories +sudo chgrp -R greeter ~/.config/DankMaterialShell +sudo chgrp -R greeter ~/.local/state/DankMaterialShell +sudo chgrp -R greeter ~/.cache/quickshell +sudo chmod -R g+rX ~/.config/DankMaterialShell ~/.local/state/DankMaterialShell ~/.cache/quickshell + +# Create symlinks +sudo ln -sf ~/.config/DankMaterialShell/settings.json /var/cache/dms-greeter/settings.json +sudo ln -sf ~/.local/state/DankMaterialShell/session.json /var/cache/dms-greeter/session.json +sudo ln -sf ~/.cache/quickshell/dankshell/dms-colors.json /var/cache/dms-greeter/colors.json + +# Logout and login for group membership to take effect +``` + +
+ +### Fedora / RHEL / Rocky / Alma + +Install from COPR or build the RPM: + +```bash +# From COPR (when available) +sudo dnf copr enable avenge/dms +sudo dnf install dms-greeter + +# Or build locally +cd /path/to/DankMaterialShell +rpkg local +sudo rpm -ivh x86_64/dms-greeter-*.rpm +``` + +The package automatically: +- Creates the greeter user +- Sets up directories and permissions +- Configures greetd with auto-detected compositor +- Applies SELinux contexts + +Then disable existing display manager and enable greetd: + +```bash +sudo systemctl disable gdm sddm lightdm +sudo systemctl enable greetd +``` + +**Optional:** Sync your theme with the greeter: + +```bash +dms-greeter-sync +``` + +Then logout/login to see your wallpaper on the greeter! + ### Automatic The easiest thing is to run `dms greeter install` or `dms` for interactive installation. 
@@ -59,21 +123,33 @@ The easiest thing is to run `dms greeter install` or `dms` for interactive insta ### Manual 1. Install `greetd` (in most distro's standard repositories) and `quickshell` -2. Clone the dms project to `/etc/xdg/quickshell/dms-greeter` + +2. Create the greeter user (if not already created by greetd): +```bash +sudo groupadd -r greeter +sudo useradd -r -g greeter -d /var/lib/greeter -s /bin/bash -c "System Greeter" greeter +sudo mkdir -p /var/lib/greeter +sudo chown greeter:greeter /var/lib/greeter +``` + +3. Clone the dms project to `/etc/xdg/quickshell/dms-greeter`: ```bash sudo git clone https://github.com/AvengeMedia/DankMaterialShell.git /etc/xdg/quickshell/dms-greeter ``` -3. Copy `assets/dms-greeter` to `/usr/local/bin/dms-greeter`: + +4. Copy `Modules/Greetd/assets/dms-greeter` to `/usr/local/bin/dms-greeter`: ```bash -sudo cp assets/dms-greeter /usr/local/bin/dms-greeter +sudo cp /etc/xdg/quickshell/dms-greeter/Modules/Greetd/assets/dms-greeter /usr/local/bin/dms-greeter sudo chmod +x /usr/local/bin/dms-greeter ``` -4. Create greeter cache directory with proper permissions: + +5. Create greeter cache directory with proper permissions: ```bash sudo mkdir -p /var/cache/dms-greeter sudo chown greeter:greeter /var/cache/dms-greeter sudo chmod 750 /var/cache/dms-greeter ``` + 6. Edit or create `/etc/greetd/config.toml`: ```toml [terminal] @@ -85,7 +161,18 @@ user = "greeter" command = "/usr/local/bin/dms-greeter --command niri" ``` -Enable the greeter with `sudo systemctl enable greetd` +7. Disable existing display manager and enable greetd: +```bash +sudo systemctl disable gdm sddm lightdm +sudo systemctl enable greetd +``` + +8. (Optional) Install the `dms-greeter-sync` helper for easy theme syncing: +```bash +# Download or copy the dms-greeter-sync script from the spec file +sudo cp /path/to/dms-greeter-sync /usr/local/bin/dms-greeter-sync +sudo chmod +x /usr/local/bin/dms-greeter-sync +``` #### Legacy installation (deprecated) 
@@ -154,21 +241,31 @@ Simply edit `/etc/greetd/dms-niri.kdl` or `/etc/greetd/dms-hypr.conf` to change #### Personalization -Wallpapers and themes and weather and clock formats and things are a TODO on the documentation, but it's configured exactly the same as dms. +The greeter can be personalized with wallpapers, themes, weather, clock formats, and more - configured exactly the same as dms. -You can synchronize those configurations with a specific user if you want greeter settings to always mirror the shell. +**Easiest method:** Run `dms-greeter-sync` to automatically sync your DMS theme with the greeter. -The greeter uses the `dms-greeter` group for file access permissions, so ensure your user and the greeter user are both members of this group. +**Manual method:** You can manually synchronize configurations if you want greeter settings to always mirror your shell: ```bash -# For core settings (theme, clock formats, etc) +# Add yourself to the greeter group +sudo usermod -aG greeter $USER + +# Set ACLs to allow greeter user to traverse your home directory +setfacl -m u:greeter:x ~ ~/.config ~/.local ~/.cache ~/.local/state + +# Set group permissions on DMS directories +sudo chgrp -R greeter ~/.config/DankMaterialShell ~/.local/state/DankMaterialShell ~/.cache/quickshell +sudo chmod -R g+rX ~/.config/DankMaterialShell ~/.local/state/DankMaterialShell ~/.cache/quickshell + +# Create symlinks for theme files sudo ln -sf ~/.config/DankMaterialShell/settings.json /var/cache/dms-greeter/settings.json -# For state (mainly you would configure wallpaper in this file) sudo ln -sf ~/.local/state/DankMaterialShell/session.json /var/cache/dms-greeter/session.json -# For wallpaper based theming -sudo ln -sf ~/.cache/quickshell/dankshell/dms-colors.json /var/cache/dms-greeter/dms-colors.json +sudo ln -sf ~/.cache/quickshell/dankshell/dms-colors.json /var/cache/dms-greeter/colors.json + +# Logout and login for group membership to take effect ``` -You can override the 
configuration path with the `DMS_GREET_CFG_DIR` environment variable or the `--cache-dir` flag when using `dms-greeter`. The default is `/var/cache/dms-greeter`. +**Advanced:** You can override the configuration path with the `DMS_GREET_CFG_DIR` environment variable or the `--cache-dir` flag when using `dms-greeter`. The default is `/var/cache/dms-greeter`. The cache directory should be owned by `greeter:greeter` with `770` permissions. \ No newline at end of file diff --git a/dms-greeter.spec b/dms-greeter.spec index 48952ec6..841e833a 100644 --- a/dms-greeter.spec +++ b/dms-greeter.spec 
@@ -53,6 +53,100 @@ cp -r * %{buildroot}%{_sysconfdir}/xdg/quickshell/dms-greeter/ # Install launcher script install -Dm755 Modules/Greetd/assets/dms-greeter %{buildroot}%{_bindir}/dms-greeter +# Install theme sync helper script +cat > %{buildroot}%{_bindir}/dms-greeter-sync << 'SYNC_EOF' +#!/bin/bash +set -e + +if [ "$EUID" -eq 0 ]; then + echo "Error: Do not run this script as root. Run as your regular user:" + echo " dms-greeter-sync" + exit 1 +fi + +CURRENT_USER=$(whoami) +CACHE_DIR="/var/cache/dms-greeter" + +echo "=== DMS Greeter Theme Sync Setup ===" +echo +echo "This will sync your DMS theme with the greeter login screen." +echo "User: $CURRENT_USER" +echo + +# Add user to greeter group +if ! groups "$CURRENT_USER" | grep -q greeter; then + echo "Adding $CURRENT_USER to greeter group..." + sudo usermod -aG greeter "$CURRENT_USER" + echo "✓ Added to greeter group (logout/login required for group membership)" +else + echo "✓ Already in greeter group" +fi + +# Set group permissions on config directories +echo +echo "Setting group permissions on config directories..." + +# First, ensure parent directories are traversable by greeter user (using ACLs) +echo "Making parent directories traversable by greeter..." 
+if command -v setfacl >/dev/null 2>&1; then + # Set ACL on home directory + setfacl -m u:greeter:x ~ 2>/dev/null && echo "✓ Home directory" || echo "⚠ Home directory (may need sudo)" + + # Set ACLs on parent config directories + setfacl -m u:greeter:x ~/.config 2>/dev/null && echo "✓ .config directory" || true + setfacl -m u:greeter:x ~/.local 2>/dev/null && echo "✓ .local directory" || true + setfacl -m u:greeter:x ~/.cache 2>/dev/null && echo "✓ .cache directory" || true + setfacl -m u:greeter:x ~/.local/state 2>/dev/null && echo "✓ .local/state directory" || true +else + echo "⚠ setfacl not found, you need to run:" + echo " setfacl -m u:greeter:x ~ ~/.config ~/.local ~/.cache ~/.local/state" +fi + +# Then set permissions on target directories +for dir in ~/.config/DankMaterialShell ~/.local/state/DankMaterialShell ~/.cache/quickshell; do + if [ -d "$dir" ]; then + sudo chgrp -R greeter "$dir" + sudo chmod -R g+rX "$dir" + echo "✓ $(basename $dir)" + else + echo "⚠ $dir not found (will be created when you run DMS)" + fi +done + +# Set group read on parent state directory +sudo chmod g+x ~/.local/state 2>/dev/null || true + +# Create symlinks +echo +echo "Creating symlinks to sync theme..." + +declare -A links=( + ["$HOME/.config/DankMaterialShell/settings.json"]="$CACHE_DIR/settings.json" + ["$HOME/.local/state/DankMaterialShell/session.json"]="$CACHE_DIR/session.json" + ["$HOME/.cache/quickshell/dankshell/dms-colors.json"]="$CACHE_DIR/colors.json" +) + +for source in "${!links[@]}"; do + target="${links[$source]}" + target_name=$(basename "$source") + + if [ -f "$source" ]; then + sudo ln -sf "$source" "$target" + echo "✓ Synced $target_name" + else + echo "⚠ $target_name not found yet (run DMS to generate it)" + fi +done + +echo +echo "=== Setup Complete! ===" +echo +echo "IMPORTANT: You must LOGOUT and LOGIN for group membership to take effect." +echo "After logging back in, your theme will be synced with the greeter." 
+SYNC_EOF + +chmod 755 %{buildroot}%{_bindir}/dms-greeter-sync + # Install documentation install -Dm644 Modules/Greetd/README.md %{buildroot}%{_docdir}/dms-greeter/README.md @@ -77,6 +171,7 @@ rm -f %{buildroot}%{_sysconfdir}/xdg/quickshell/dms-greeter/dms-greeter.spec %license LICENSE %doc %{_docdir}/dms-greeter/README.md %{_bindir}/dms-greeter +%{_bindir}/dms-greeter-sync %{_sysconfdir}/xdg/quickshell/dms-greeter/ %dir %attr(0750,greeter,greeter) %{_localstatedir}/cache/dms-greeter %dir %attr(0755,greeter,greeter) %{_sharedstatedir}/greeter 
@@ -209,37 +304,26 @@ cat << EOF DMS Greeter Installation Complete! =============================================================================== -Configuration status: - - Greeter cache directory: /var/cache/dms-greeter (created with proper permissions) - - SELinux contexts: Applied (if semanage available) +Status: + - Greeter user: Created ✓ + - Greeter directories: /var/cache/dms-greeter, /var/lib/greeter ✓ + - SELinux contexts: Applied ✓ - Greetd config: $CONFIG_STATUS -Next steps to enable the greeter: +Next steps: -1. IMPORTANT: Disable any existing display managers: +1. Disable any existing display managers (IMPORTANT): sudo systemctl disable gdm sddm lightdm - (Only greetd should run as the display manager) -2. Verify greetd configuration: - Check /etc/greetd/config.toml contains: - - [default_session] - user = "greeter" - command = "/usr/bin/dms-greeter --command niri" - - (Also supported: hyprland, sway) - Note: Existing config backed up to config.toml.backup-* if modified - -3. Enable greetd service: +2. Enable greetd service: sudo systemctl enable greetd -4. (Optional) Sync your user's theme with the greeter: - sudo usermod -aG greeter YOUR_USERNAME - # Then LOGOUT and LOGIN to apply group membership - ln -sf ~/.config/DankMaterialShell/settings.json /var/cache/dms-greeter/settings.json - ln -sf ~/.local/state/DankMaterialShell/session.json /var/cache/dms-greeter/session.json - ln -sf ~/.cache/quickshell/dankshell/dms-colors.json /var/cache/dms-greeter/colors.json +3. (Optional) Sync your theme with the greeter: + dms-greeter-sync + + Then logout/login to see your wallpaper on the greeter! +Ready to test? Reboot or run: sudo systemctl start greetd Documentation: /usr/share/doc/dms-greeter/README.md ===============================================================================
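Review bot: In Modules/Greetd/README.md, hunk `@@ -22,36 +22,100 @@`, the sentence "The greeter user only gets traverse permission through your directories and can only read the specific theme files you share" does not match the commands listed under manual theme syncing. `sudo chgrp -R greeter` and `sudo chmod -R g+rX` are applied to the whole of `~/.config/DankMaterialShell`, `~/.local/state/DankMaterialShell` and `~/.cache/quickshell`, so the greeter group can read everything under those trees, not only the three symlinked JSON files. Either narrow the commands to the three files plus traverse permission on their parent directories, or reword the description to say that these directories become group-readable.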
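Review bot: In Modules/Greetd/README.md, hunk `@@ -59,21 +123,33 @@`, step 8 gives the reader no usable source for the helper: `sudo cp /path/to/dms-greeter-sync /usr/local/bin/dms-greeter-sync` is preceded by "Download or copy the dms-greeter-sync script from the spec file", but in this patch the script exists only as a heredoc inside dms-greeter.spec. Consider adding it as a regular file next to `Modules/Greetd/assets/dms-greeter`, so this step can copy it from the clone made in step 3 the same way step 4 copies the launcher, and so the spec can install it from that file instead of carrying a second copy.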
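Review bot: In Modules/Greetd/README.md, hunk `@@ -154,21 +241,31 @@`, the unchanged closing line says the cache directory should be owned by `greeter:greeter` with `770` permissions, which contradicts the rest of this patch: manual step 5 runs `sudo chmod 750 /var/cache/dms-greeter` and the spec declares `%dir %attr(0750,greeter,greeter)`. Since this hunk already edits the paragraph, align the figure with whichever mode is intended. If `750` is the intended mode, note that the users this patch adds to the greeter group get read and traverse access only, which is enough for the symlinks because they are created with `sudo`.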
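Review bot: In dms-greeter.spec, hunk `@@ -53,6 +53,100 @@`, the membership test `groups "$CURRENT_USER" | grep -q greeter` matches any group name containing "greeter". The README text removed by this same patch told users to join a `dms-greeter` group, so a user who followed the old instructions is reported as "Already in greeter group" and is never added to `greeter`. Match the whole name instead, for example `id -nG "$CURRENT_USER" | tr ' ' '\n' | grep -qx greeter`. Further down, `sudo chmod g+x ~/.local/state` is commented as "Set group read" but grants execute to whatever group owns that directory, which nothing in the script sets to `greeter`; the `setfacl -m u:greeter:x ~/.local/state` line above already covers traversal, so this line can be dropped. `$(basename $dir)` should also be quoted.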
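Review bot: In dms-greeter.spec, hunk `@@ -209,37 +304,26 @@`, the new status block prints "Greeter user: Created ✓" and "SELinux contexts: Applied ✓" as fixed text inside the heredoc, whereas the line it replaces said "Applied (if semanage available)". Only `$CONFIG_STATUS` reflects what the scriptlet actually did, so on a system where the contexts were not applied the message will still claim success. Carry these two lines in variables set where the user is created and the contexts are applied, as is done for the greetd config, or keep the conditional wording. The removed note that an existing config is backed up to `config.toml.backup-*` is also worth keeping, since the README in this patch says the package configures greetd automatically and users should know where their previous file went.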