34 lines
1.0 KiB
Diff
34 lines
1.0 KiB
Diff
|
From 5fe447532f573fc3f73511073070f5dfe6b6535a Mon Sep 17 00:00:00 2001
|
||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||
|
Date: Fri, 15 Sep 2023 10:12:16 +0300
|
||
|
Subject: [PATCH] Allow ipa-otpd to access USB devices for passkeys
|
||
|
|
||
|
Main SELinux policy will allow transition of passkey_child (SSSD) to
|
||
|
ipa_otpd_t context to perform FIDO2 operations with USB devices.
|
||
|
This means ipa-otpd will need to be able to read data from sysfs and
|
||
|
connect to USB devices.
|
||
|
|
||
|
Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
|
||
|
discussion.
|
||
|
|
||
|
Related: https://pagure.io/freeipa/issue/9434
|
||
|
|
||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||
|
---
|
||
|
selinux/ipa.te | 2 ++
|
||
|
1 file changed, 2 insertions(+)
|
||
|
|
||
|
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||
|
index 92e6b295b19..c8a44b64e82 100644
|
||
|
--- a/selinux/ipa.te
|
||
|
+++ b/selinux/ipa.te
|
||
|
@@ -106,6 +106,8 @@ corenet_tcp_connect_radius_port(ipa_otpd_t)
|
||
|
|
||
|
dev_read_urand(ipa_otpd_t)
|
||
|
dev_read_rand(ipa_otpd_t)
|
||
|
+dev_read_sysfs(ipa_otpd_t)
|
||
|
+dev_rw_generic_usb_dev(ipa_otpd_t)
|
||
|
|
||
|
sysnet_dns_name_resolve(ipa_otpd_t)
|
||
|
|