diff --git a/0002-selinux-usb-access.patch b/0002-selinux-usb-access.patch
new file mode 100644
index 0000000..4846361
--- /dev/null
+++ b/0002-selinux-usb-access.patch
@@ -0,0 +1,33 @@
+From 5fe447532f573fc3f73511073070f5dfe6b6535a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 15 Sep 2023 10:12:16 +0300
+Subject: [PATCH] Allow ipa-otpd to access USB devices for passkeys
+
+Main SELinux policy will allow transition of passkey_child (SSSD) to
+ipa_otpd_t context to perform FIDO2 operations with USB devices.
+This means ipa-otpd will need to be able to read data from sysfs and
+connect to USB devices.
+
+Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
+discussion.
+
+Related: https://pagure.io/freeipa/issue/9434
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ selinux/ipa.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 92e6b295b19..c8a44b64e82 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -106,6 +106,8 @@ corenet_tcp_connect_radius_port(ipa_otpd_t)
+ 
+ dev_read_urand(ipa_otpd_t)
+ dev_read_rand(ipa_otpd_t)
++dev_read_sysfs(ipa_otpd_t)
++dev_rw_generic_usb_dev(ipa_otpd_t)
+ 
+ sysnet_dns_name_resolve(ipa_otpd_t)
+ 
diff --git a/freeipa.spec b/freeipa.spec
index db7ccf7..a368d54 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -105,7 +105,7 @@
 %if 0%{?fedora} < 36
 %global selinux_policy_version 3.14.5-45
 %else
-%global selinux_policy_version 36.16-1
+%global selinux_policy_version 38.28-1
 %endif
 %global slapi_nis_version 0.56.5
 
@@ -223,7 +223,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        3%{?rc_version:.%rc_version}%{?dist}
+Release:        4%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -249,6 +249,7 @@ Source2:        gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 Patch0001:      0001-ipa-client-install-enable-SELinux-for-SSSD.patch
 Patch0002:      0001-Restore-selinux-states-if-they-exist-at-uninstall-ti.patch
+Patch0003:      0002-selinux-usb-access.patch
 
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
@@ -1763,6 +1764,11 @@ fi
 %endif
 
 %changelog
+* Mon Sep 18 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-4.beta1
+- Depend on selinux-policy-38.28-1.fc39
+- Add SELinux policy for passkey_child to be used without ipa-otpd
+- Related: rhbz#2238474
+
 * Tue Sep 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-3.beta1
 - Restore properly SELinux context during IPA client uninstallation
 - Related: rhbz#2238474