Fix SELinux permissions for ptmx

Author: binarypie

build_files/base/01-base-system.sh

@@ -97,7 +97,22 @@ if ! id -u greeter &>/dev/null; then
     useradd -r -M -s /usr/bin/nologin greeter
 fi
 
+### SELinux Policy: Allow greeter to allocate PTYs and use io_uring
+# Install policy development tools (will be removed by cleanup)
+dnf5 -y install selinux-policy-devel
+
+# Compile and install the greeter policy module
+SELINUX_DIR="/usr/share/hypercube/selinux"
+pushd "$SELINUX_DIR"
+make -f /usr/share/selinux/devel/Makefile hypercube-greeter.pp
+semodule -i hypercube-greeter.pp
+popd
+
+# Clean up build artifacts (keep .te for reference)
+rm -f "$SELINUX_DIR"/*.pp "$SELINUX_DIR"/*.if "$SELINUX_DIR"/*.fc
+
 ### Enable services
+systemctl enable devpts-ptmxmode.service
 systemctl enable greetd.service
 systemctl enable NetworkManager.service
 systemctl enable bluetooth.service

system_files/shared/usr/lib/systemd/system/dev-pts.mount.d/ptmxmode.conf

@@ -0,0 +1,13 @@
+[Unit]
+Description=Fix devpts mount options for PTY allocation
+DefaultDependencies=no
+After=systemd-remount-fs.service
+Before=greetd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/mount -o remount,mode=620,gid=5,ptmxmode=0666 devpts /dev/pts
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target

system_files/shared/usr/lib/systemd/system/devpts-ptmxmode.service

@@ -0,0 +1,15 @@
+policy_module(hypercube-greeter, 1.0)
+
+require {
+    type xdm_t;
+    type ptmx_t;
+    type io_uring_t;
+    class chr_file { read write open getattr ioctl };
+    class anon_inode { create };
+}
+
+# Allow display manager (greetd/greeter) to allocate PTYs
+allow xdm_t ptmx_t:chr_file { read write open getattr ioctl };
+
+# Allow display manager to use io_uring (used by ghostty)
+allow xdm_t io_uring_t:anon_inode { create };