diff --git a/0001-ipa-client-install-enable-SELinux-for-SSSD.patch b/0001-ipa-client-install-enable-SELinux-for-SSSD.patch new file mode 100644 index 0000000..723f0d7 --- /dev/null +++ b/0001-ipa-client-install-enable-SELinux-for-SSSD.patch @@ -0,0 +1,140 @@ +From d355761f23fae412bb01a1d737cee342c7bd04f9 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 29 Aug 2023 12:37:57 +0300 +Subject: [PATCH] ipa-client-install: enable SELinux for SSSD + +For passkeys (FIDO2) support, SSSD uses libfido2 library which needs +access to USB devices. Add SELinux booleans handling to ipa-client-install +so that correct SELinux booleans can be enabled and disabled during +install and uninstall. Ignore and record a warning when SELinux policy +does not support the boolean. + +Fixes: https://pagure.io/freeipa/issue/9434 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Francisco Trivino +Reviewed-By: Rob Crittenden +--- + ipaclient/install/client.py | 35 ++++++++++++++++++++++++++++++++++- + ipaplatform/base/constants.py | 3 +++ + 2 files changed, 37 insertions(+), 1 deletion(-) + +diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py +index 07d62a748..1aaa4ed60 100644 +--- a/ipaclient/install/client.py ++++ b/ipaclient/install/client.py +@@ -67,6 +67,7 @@ from ipapython.ipautil import ( + ) + from ipapython.ssh import SSHPublicKey + from ipapython import version ++from ipapython.errors import SetseboolError + + from . import automount, timeconf, sssd + from ipaclient import discovery +@@ -98,6 +99,7 @@ cli_realm = None + cli_kdc = None + client_domain = None + cli_basedn = None ++selinux_works = None + # end of global variables + + +@@ -2153,6 +2155,7 @@ def install_check(options): + global cli_kdc + global client_domain + global cli_basedn ++ global selinux_works + + print("This program will set up IPA client.") + print("Version {}".format(version.VERSION)) +@@ -2166,7 +2169,7 @@ def install_check(options): + "You must be root to run ipa-client-install.", + rval=CLIENT_INSTALL_ERROR) + +- tasks.check_selinux_status() ++ selinux_works = tasks.check_selinux_status() + + if is_ipa_client_configured(on_master=options.on_master): + logger.error("IPA client is already configured on this system.") +@@ -2674,6 +2677,20 @@ def restore_time_sync(statestore, fstore): + logger.error('Failed to restore time synchronization service: %s', e) + + ++def configure_selinux_for_client(statestore): ++ def backup_state(key, value): ++ statestore.backup_state('selinux', key, value) ++ ++ try: ++ tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_SSSD, ++ backup_state) ++ except SetseboolError as e: ++ for c in constants.SELINUX_BOOLEAN_SSSD: ++ if c in e.failed: ++ logger.warning( ++ "SELinux does not support SSSD boolean %s, ignoring", c) ++ ++ + def install(options): + try: + _install(options, dict()) +@@ -3198,6 +3215,9 @@ def _install(options, tdict): + logger.info("%s enabled", "SSSD" if options.sssd else "LDAP") + + if options.sssd: ++ if selinux_works: ++ configure_selinux_for_client(statestore) ++ + sssd = services.service('sssd', api) + try: + sssd.restart() +@@ -3322,6 +3342,8 @@ def _install(options, tdict): + + + def uninstall_check(options): ++ global selinux_works ++ + if not is_ipa_client_configured(): + if options.on_master: + rval = SUCCESS +@@ -3337,6 +3359,8 @@ def uninstall_check(options): + logger.info("Refer to ipa-server-install for uninstallation.") + raise ScriptError(rval=CLIENT_NOT_CONFIGURED) + ++ selinux_works = tasks.check_selinux_status() ++ + + def uninstall(options): + env = {'PATH': SECURE_PATH} +@@ -3600,6 +3624,15 @@ def uninstall(options): + "Failed to disable automatic startup of the SSSD daemon: %s", + e) + ++ if was_sssd_installed and selinux_works: ++ # Restore SELinux boolean states ++ boolean_states = {name: statestore.restore_state('selinux', name) ++ for name in constants.SELINUX_BOOLEAN_SSSD} ++ try: ++ tasks.set_selinux_booleans(boolean_states) ++ except SetseboolError as e: ++ logger.warning("Unable to reset SELinux variable: %s", str(e)) ++ + tasks.restore_hostname(fstore, statestore) + + if fstore.has_files(): +diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py +index 61b864376..1689efe52 100644 +--- a/ipaplatform/base/constants.py ++++ b/ipaplatform/base/constants.py +@@ -151,6 +151,9 @@ class BaseConstantsNamespace: + 'samba_share_nfs': 'on', + }, + } ++ SELINUX_BOOLEAN_SSSD = { ++ 'sssd_use_usb': 'on', ++ } + SELINUX_MCS_MAX = 1023 + SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$" + SELINUX_MLS_MAX = 15 +-- +2.41.0 + diff --git a/freeipa.spec b/freeipa.spec index fbe6ae3..6363417 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?rc_version:.%rc_version}%{?dist} +Release: 2%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later @@ -247,6 +247,7 @@ Source2: gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc # header-logo.png, login-screen-background.jpg, login-screen-logo.png, # product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management +Patch0001: 0001-ipa-client-install-enable-SELinux-for-SSSD.patch # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} @@ -1761,6 +1762,10 @@ fi %endif %changelog +* Tue Sep 12 2023 Alexander Bokovoy - 4.11.0-2.beta1 +- Set 'sssd_use_usb' SELinux boolean when enrolling IPA client +- Resolves: rhbz#2238474 + * Mon Aug 21 2023 Alexander Bokovoy - 4.11.0-1.beta1 - FreeIPA 4.11.0 beta 1 - Release notes: https://www.freeipa.org/release-notes/4-11-0-beta.html