diff --git a/0002-selinux-usb-access.patch b/0002-selinux-usb-access.patch
new file mode 100644
index 0000000..4846361
--- /dev/null
+++ b/0002-selinux-usb-access.patch
@@ -0,0 +1,33 @@
+From 5fe447532f573fc3f73511073070f5dfe6b6535a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Fri, 15 Sep 2023 10:12:16 +0300
+Subject: [PATCH] Allow ipa-otpd to access USB devices for passkeys
+
+Main SELinux policy will allow transition of passkey_child (SSSD) to
+ipa_otpd_t context to perform FIDO2 operations with USB devices.
+This means ipa-otpd will need to be able to read data from sysfs and
+connect to USB devices.
+
+Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
+discussion.
+
+Related: https://pagure.io/freeipa/issue/9434
+
+Signed-off-by: Alexander Bokovoy
+---
+ selinux/ipa.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 92e6b295b19..c8a44b64e82 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -106,6 +106,8 @@ corenet_tcp_connect_radius_port(ipa_otpd_t)
+ 
+ dev_read_urand(ipa_otpd_t)
+ dev_read_rand(ipa_otpd_t)
++dev_read_sysfs(ipa_otpd_t)
++dev_rw_generic_usb_dev(ipa_otpd_t)
+ 
+ sysnet_dns_name_resolve(ipa_otpd_t)
+ 
diff --git a/freeipa.spec b/freeipa.spec
index db7ccf7..a368d54 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -105,7 +105,7 @@
 %if 0%{?fedora} < 36
 %global selinux_policy_version 3.14.5-45
 %else
-%global selinux_policy_version 36.16-1
+%global selinux_policy_version 38.28-1
 %endif
 %global slapi_nis_version 0.56.5
@@ -223,7 +223,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 3%{?rc_version:.%rc_version}%{?dist}
+Release: 4%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
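Review bot: `dev_rw_generic_usb_dev(ipa_otpd_t)` in the embedded ipa.te hunk grants the ipa_otpd_t domain read/write on every device node labeled usb_device_t, not only FIDO2 authenticators, so the daemon's reachable device surface grows well beyond the passkey case the patch description states. If the base policy offers no narrower type for security tokens this is probably the smallest macro available, but the widening deserves a why-comment so the next maintainer does not loosen it further; I would put above the two added lines `# passkey/FIDO2: passkey_child (SSSD) transitions to ipa_otpd_t (rhbz#2238224) and needs sysfs enumeration plus raw USB node access; this covers every usb_device_t node, not just tokens`. If the FIDO2 library enumerates authenticators through hidraw nodes as well, check that those nodes carry a type these two rules cover — nothing in the hunk shows it. The ipa_otpd_t rule block this hunk extends starts and ends outside the hunk.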
@@ -249,6 +249,7 @@ Source2: gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 Patch0001: 0001-ipa-client-install-enable-SELinux-for-SSSD.patch
 Patch0002: 0001-Restore-selinux-states-if-they-exist-at-uninstall-ti.patch
+Patch0003: 0002-selinux-usb-access.patch
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
@@ -1763,6 +1764,11 @@ fi
 %endif
 %changelog
+* Mon Sep 18 2023 Alexander Bokovoy - 4.11.0-4.beta1
+- Depend on selinux-policy-38.28-1.fc39
+- Add SELinux policy for passkey_child to be used without ipa-otpd
+- Related: rhbz#2238474
+
 * Tue Sep 12 2023 Alexander Bokovoy - 4.11.0-3.beta1
 - Restore properly SELinux context during IPA client uninstallation
 - Related: rhbz#2238474