ipa/0002-selinux-usb-access.patch

34 lines
1.0 KiB
Diff
Raw Normal View History

From 5fe447532f573fc3f73511073070f5dfe6b6535a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 15 Sep 2023 10:12:16 +0300
Subject: [PATCH] Allow ipa-otpd to access USB devices for passkeys
Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.
Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.
Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
selinux/ipa.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 92e6b295b19..c8a44b64e82 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -106,6 +106,8 @@ corenet_tcp_connect_radius_port(ipa_otpd_t)
dev_read_urand(ipa_otpd_t)
dev_read_rand(ipa_otpd_t)
+dev_read_sysfs(ipa_otpd_t)
+dev_rw_generic_usb_dev(ipa_otpd_t)
sysnet_dns_name_resolve(ipa_otpd_t)