rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Depend on selinux-policy-38.28-1

Browse Source 
- Depend on selinux-policy-38.28-1.fc39
- Add SELinux policy for passkey_child to be used without ipa-otpd
- Related: rhbz#2238474

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Alexander Bokovoy 2023-09-18 15:31:55 +03:00
parent 2aa5a94633
commit f3e42960a7
2 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
0002-selinux-usb-access.patch Normal file
View File

@ -0,0 +1,33 @@
From 5fe447532f573fc3f73511073070f5dfe6b6535a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 15 Sep 2023 10:12:16 +0300
Subject: [PATCH] Allow ipa-otpd to access USB devices for passkeys
Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.
Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.
Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
selinux/ipa.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 92e6b295b19..c8a44b64e82 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -106,6 +106,8 @@ corenet_tcp_connect_radius_port(ipa_otpd_t)
dev_read_urand(ipa_otpd_t)
dev_read_rand(ipa_otpd_t)
+dev_read_sysfs(ipa_otpd_t)
+dev_rw_generic_usb_dev(ipa_otpd_t)
sysnet_dns_name_resolve(ipa_otpd_t)

10
freeipa.spec
View File

@ -105,7 +105,7 @@
%if 0%{?fedora} < 36 %if 0%{?fedora} < 36
%global selinux_policy_version 3.14.5-45 %global selinux_policy_version 3.14.5-45
%else %else
%global selinux_policy_version 36.16-1 %global selinux_policy_version 38.28-1
%endif %endif
%global slapi_nis_version 0.56.5 %global slapi_nis_version 0.56.5
@ -223,7 +223,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 3%{?rc_version:.%rc_version}%{?dist} Release: 4%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -249,6 +249,7 @@ Source2: gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
# RHEL spec file only: END: Change branding to IPA and Identity Management # RHEL spec file only: END: Change branding to IPA and Identity Management
Patch0001: 0001-ipa-client-install-enable-SELinux-for-SSSD.patch Patch0001: 0001-ipa-client-install-enable-SELinux-for-SSSD.patch
Patch0002: 0001-Restore-selinux-states-if-they-exist-at-uninstall-ti.patch Patch0002: 0001-Restore-selinux-states-if-they-exist-at-uninstall-ti.patch
Patch0003: 0002-selinux-usb-access.patch
# RHEL spec file only: START # RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD} %if %{NON_DEVELOPER_BUILD}
@ -1763,6 +1764,11 @@ fi
%endif %endif
%changelog %changelog
* Mon Sep 18 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-4.beta1
- Depend on selinux-policy-38.28-1.fc39
- Add SELinux policy for passkey_child to be used without ipa-otpd
- Related: rhbz#2238474
* Tue Sep 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-3.beta1 * Tue Sep 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-3.beta1
- Restore properly SELinux context during IPA client uninstallation - Restore properly SELinux context during IPA client uninstallation
- Related: rhbz#2238474 - Related: rhbz#2238474