Bug 1076440

Summary:	Access control in PCSC
Product:	[Fedora] Fedora	Reporter:	Jaroslav Reznik <jreznik>
Component:	Changes Tracking	Assignee:	Jaroslav Reznik <jreznik>
Status:	CLOSED CURRENTRELEASE	QA Contact:
Severity:	unspecified	Docs Contact:	Pete Travis <me>
Priority:	unspecified
Version:	rawhide	CC:	jreznik, me, nmavrogi
Target Milestone:	---	Flags:	nmavrogi: fedora_requires_release_note+
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	ChangeAcceptedF21
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-12-08 15:22:17 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jaroslav Reznik 2014-03-14 11:08:48 UTC

This is a tracking bug for Change: Access control in PCSC
For more details, see: http://fedoraproject.org//wiki/Changes/PcscAccessControl

Add access control to PC/SC smart cards available in the system.
Adding access control would (a) prevent unauthorized processes/users from reading data on a smart card,
(b) prevent unauthorized processes/users from erasing a smart card, (c) prevent unauthorized processes/users from talking to the smart card firmware

Comment 1 Nikos Mavrogiannopoulos 2014-06-03 11:34:03 UTC

Proposed text for the release notes:

The PCSC daemon in Fedora 21 allows for fine grained access control to smart cards that is tied to the system processes rather than solely depending on
the smart card controls. That is the polkit framework is being used to decide access on the smart card. 

In addition a default policy file is shipped with Fedora that restricts access to smart cards in a system to the console users and the administrator only.
The shipped policy can be modified by editing the file at /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy.

Additional documentation on the PCSC policies is provided in /usr/share/doc/pcsc-lite/README.polkit

Comment 2 Jaroslav Reznik 2014-07-04 10:29:58 UTC

Nikos, 
thank you for providing release notes text. Documentation team will collect it - this time we don't have dedicated release notes bug because of the overhead with 3 changes tracking bugs.

Comment 3 Jaroslav Reznik 2014-07-04 10:43:36 UTC

This message is a reminder that Fedora 21 Accepted Changes Freeze Deadline is on 2014-07-08 [1].

At this point, all accepted Changes should be substantially complete, and testable. Additionally, if a change is to be enabled by default, it must be so enabled at Change Freeze.

This bug should be set to the MODIFIED state to indicate that it achieved completeness. Status will be provided to FESCo right after the deadline. If, for any reasons, your Change is not in required state, let me know and we will try to find solution. For Changes you decide to cancel/move to the next release, please use the NEW status and set needinfo on me and it will be acted upon. 

In case of any questions, don't hesitate to ask Wrangler (jreznik). Thank you.

[1] https://fedoraproject.org/wiki/Releases/21/Schedule

Comment 4 Pete Travis 2014-07-09 02:25:48 UTC

Nikos, for this of course we'll cover your Change in the release notes, but setting the flag to + is much like a package review submitter setting the review+ flag on their own submission rather than the reviewer; Docs will set  fedora_requires_release_note+ to communicate to you that yes, we see your flag and yes, we agree that this should get documented in the release notes.

Anyway, I'll be reading up on this and may have some follow-up questions.

Comment 5 Pete Travis 2014-09-23 05:06:56 UTC

I posted your copy to https://fedoraproject.org/wiki/Documentation_Security_Beat#More_secure_Smart_Card_support - thanks again, Nikos.

Comment 6 Nikos Mavrogiannopoulos 2014-10-01 13:37:21 UTC

The project is substantially testable as of Fedora 21 Alpha TC4.