IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Allow ipa-otpd to access USB devices for passkeys

Browse Source 
Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.

Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.

Related: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Alexander Bokovoy 2023-09-15 10:12:16 +03:00 committed by Florence Blanc-Renaud
parent f248b22ef4
commit 32721c4132
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
selinux/ipa.te
View File

@ -106,6 +106,8 @@ corenet_tcp_connect_radius_port(ipa_otpd_t)
dev_read_urand(ipa_otpd_t) dev_read_urand(ipa_otpd_t)
dev_read_rand(ipa_otpd_t) dev_read_rand(ipa_otpd_t)
dev_read_sysfs(ipa_otpd_t)
dev_rw_generic_usb_dev(ipa_otpd_t)
sysnet_dns_name_resolve(ipa_otpd_t) sysnet_dns_name_resolve(ipa_otpd_t)