Allow ipa-otpd to access USB devices for passkeys
Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.

Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.

Related: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <[email protected]>
Reviewed-By: Zdenek Pytela <[email protected]>
Reviewed-By: Florence Blanc-Renaud <[email protected]>
abbra authored and flo-renaud committed Sep 18, 2023
1 parent f248b22 commit 32721c4
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions selinux/ipa.te
Expand Up @@ -106,6 +106,8 @@ corenet_tcp_connect_radius_port(ipa_otpd_t)

dev_read_urand(ipa_otpd_t)
dev_read_rand(ipa_otpd_t)
dev_read_sysfs(ipa_otpd_t)
dev_rw_generic_usb_dev(ipa_otpd_t)

sysnet_dns_name_resolve(ipa_otpd_t)

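Review bot: the two lines added after dev_read_rand(ipa_otpd_t) have no policy comment explaining why ipa_otpd_t needs sysfs and USB access, and dev_rw_generic_usb_dev(ipa_otpd_t) is granted unconditionally to a domain that, per the hunk header context corenet_tcp_connect_radius_port(ipa_otpd_t), also makes outbound RADIUS connections. Suggest adding a comment in ipa.te that ties both rules to passkey_child running in ipa_otpd_t for FIDO2 operations, as the commit message describes, with a pointer to rhbz#2238224. It is also worth considering whether the read/write USB rule can sit behind a tunable so that hosts not using passkeys keep the narrower policy.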
