Configure SSSD to access USB devices when enrolling IPA client

Resolves: rhbz#2238474

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

0001-ipa-client-install-enable-SELinux-for-SSSD.patch

@@ -0,0 +1,140 @@
+From d355761f23fae412bb01a1d737cee342c7bd04f9 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 29 Aug 2023 12:37:57 +0300
+Subject: [PATCH] ipa-client-install: enable SELinux for SSSD
+
+For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
+access to USB devices. Add SELinux booleans handling to ipa-client-install
+so that correct SELinux booleans can be enabled and disabled during
+install and uninstall. Ignore and record a warning when SELinux policy
+does not support the boolean.
+
+Fixes: https://pagure.io/freeipa/issue/9434
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaclient/install/client.py   | 35 ++++++++++++++++++++++++++++++++++-
+ ipaplatform/base/constants.py |  3 +++
+ 2 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
+index 07d62a748..1aaa4ed60 100644
+--- a/ipaclient/install/client.py
++++ b/ipaclient/install/client.py
+@@ -67,6 +67,7 @@ from ipapython.ipautil import (
+ )
+ from ipapython.ssh import SSHPublicKey
+ from ipapython import version
++from ipapython.errors import SetseboolError
+ 
+ from . import automount, timeconf, sssd
+ from ipaclient import discovery
+@@ -98,6 +99,7 @@ cli_realm = None
+ cli_kdc = None
+ client_domain = None
+ cli_basedn = None
++selinux_works = None
+ # end of global variables
+ 
+ 
+@@ -2153,6 +2155,7 @@ def install_check(options):
+     global cli_kdc
+     global client_domain
+     global cli_basedn
++    global selinux_works
+ 
+     print("This program will set up IPA client.")
+     print("Version {}".format(version.VERSION))
+@@ -2166,7 +2169,7 @@ def install_check(options):
+             "You must be root to run ipa-client-install.",
+             rval=CLIENT_INSTALL_ERROR)
+ 
+-    tasks.check_selinux_status()
++    selinux_works = tasks.check_selinux_status()
+ 
+     if is_ipa_client_configured(on_master=options.on_master):
+         logger.error("IPA client is already configured on this system.")
+@@ -2674,6 +2677,20 @@ def restore_time_sync(statestore, fstore):
+         logger.error('Failed to restore time synchronization service: %s', e)
+ 
+ 
++def configure_selinux_for_client(statestore):
++    def backup_state(key, value):
++        statestore.backup_state('selinux', key, value)
++
++    try:
++        tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_SSSD,
++                                   backup_state)
++    except SetseboolError as e:
++        for c in constants.SELINUX_BOOLEAN_SSSD:
++            if c in e.failed:
++                logger.warning(
++                    "SELinux does not support SSSD boolean %s, ignoring", c)
++
++
+ def install(options):
+     try:
+         _install(options, dict())
+@@ -3198,6 +3215,9 @@ def _install(options, tdict):
+         logger.info("%s enabled", "SSSD" if options.sssd else "LDAP")
+ 
+         if options.sssd:
++            if selinux_works:
++                configure_selinux_for_client(statestore)
++
+             sssd = services.service('sssd', api)
+             try:
+                 sssd.restart()
+@@ -3322,6 +3342,8 @@ def _install(options, tdict):
+ 
+ 
+ def uninstall_check(options):
++    global selinux_works
++
+     if not is_ipa_client_configured():
+         if options.on_master:
+             rval = SUCCESS
+@@ -3337,6 +3359,8 @@ def uninstall_check(options):
+         logger.info("Refer to ipa-server-install for uninstallation.")
+         raise ScriptError(rval=CLIENT_NOT_CONFIGURED)
+ 
++    selinux_works = tasks.check_selinux_status()
++
+ 
+ def uninstall(options):
+     env = {'PATH': SECURE_PATH}
+@@ -3600,6 +3624,15 @@ def uninstall(options):
+                 "Failed to disable automatic startup of the SSSD daemon: %s",
+                 e)
+ 
++    if was_sssd_installed and selinux_works:
++        # Restore SELinux boolean states
++        boolean_states = {name: statestore.restore_state('selinux', name)
++                          for name in constants.SELINUX_BOOLEAN_SSSD}
++        try:
++            tasks.set_selinux_booleans(boolean_states)
++        except SetseboolError as e:
++            logger.warning("Unable to reset SELinux variable: %s", str(e))
++
+     tasks.restore_hostname(fstore, statestore)
+ 
+     if fstore.has_files():
+diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
+index 61b864376..1689efe52 100644
+--- a/ipaplatform/base/constants.py
++++ b/ipaplatform/base/constants.py
+@@ -151,6 +151,9 @@ class BaseConstantsNamespace:
+             'samba_share_nfs': 'on',
+         },
+     }
++    SELINUX_BOOLEAN_SSSD = {
++        'sssd_use_usb': 'on',
++    }
+     SELINUX_MCS_MAX = 1023
+     SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$"
+     SELINUX_MLS_MAX = 15
+-- 
+2.41.0
+

freeipa.spec

@@ -223,7 +223,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        2%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -247,6 +247,7 @@ Source2:        gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
 # header-logo.png, login-screen-background.jpg, login-screen-logo.png,
 # product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
+Patch0001:      0001-ipa-client-install-enable-SELinux-for-SSSD.patch
 
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
@@ -1761,6 +1762,10 @@ fi
 %endif
 
 %changelog
+* Tue Sep 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-2.beta1
+- Set 'sssd_use_usb' SELinux boolean when enrolling IPA client
+- Resolves: rhbz#2238474
+
 * Mon Aug 21 2023 Alexander Bokovoy <abokovoy@redhat.com> - 4.11.0-1.beta1
 - FreeIPA 4.11.0 beta 1
 - Release notes: https://www.freeipa.org/release-notes/4-11-0-beta.html