mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00

Files

Alexander Bokovoy 32721c4132 Allow ipa-otpd to access USB devices for passkeys

Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.

Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.

Related: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

2023-09-18 17:36:40 +02:00

ipa.fc

passkey: adjust selinux security context for passkey_child

2023-06-01 08:20:37 +02:00

ipa.if

Add ipa_pki_retrieve_key_exec() interface

2020-09-23 15:23:28 +02:00

ipa.te

Allow ipa-otpd to access USB devices for passkeys

2023-09-18 17:36:40 +02:00

Makefile.am

Integrate SELinux policy into build system

2020-03-05 09:57:00 +01:00

README.md

Move freeipa-selinux dependency to freeipa-common

2020-03-20 15:18:30 +01:00

README.md

IPA SELinux policy

The ipa SELinux policy is used by IPA client and server. The policy was forked off from Fedora upstream policy at commit b1751347f4af99de8c88630e2f8d0a352d7f5937.

Some file locations are owned by other policies:

/var/lib/ipa/pki-ca/publish(/.*)? is owned by Dogtag PKI policy
/usr/lib/ipa/certmonger(/.*)? is owned by certmonger policy
/var/lib/ipa-client(/.*)? is owned by realmd policy