Bug 2169438

Summary: Add entry into SELinux database for SSSD Passkey child
Product: [Fedora] Fedora
Reporter: jstephen
Component: freeipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: POST
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 39
CC: abokovoy, dwalsh, frenaud, ftrivino, ipa-maint, jhrozek, lvrabec, mhjacks, mmalik, omosnacek, pkoncity, pvoborni, rcritten, ssorce, twoerner, vmojzis, zpytela
Hardware: All   
OS: Linux   
Type: Bug

Description jstephen 2023-02-13 15:32:28 UTC
Soon, in Fedora, SSSD will be installing a binary /usr/libexec/sssd/passkey_child. This needs to have the same SELinux context type as /usr/libexec/sssd/oidc_child, specifically it needs the 'ipa_otpd_exec_t' type.

Currently this is in active development but we are targeting Fedora 39 for the introduction of the sssd-passkey package.

ls -Z /usr/libexec/sssd/passkey_child
system_u:object_r:bin_t:s0 /usr/libexec/sssd/passkey_child

ls -Z /usr/libexec/sssd/oidc_child 
system_u:object_r:ipa_otpd_exec_t:s0 /usr/libexec/sssd/oidc_child
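
Added example (not part of the bug report, and not FreeIPA or SSSD code): a shell check that compares the SELinux type in `ls -Z` output with the type the description asks for, using the two output lines quoted above as sample input. The function names are illustrative.

```shell
#!/bin/sh
# Verify that SSSD helper binaries carry the expected SELinux type.

# Print the type field of a context string user:role:type:level.
# The level may itself contain colons (e.g. s0:c0.c1023), so the type is
# taken as field 3 from the left. Unlabeled output such as "?" prints nothing.
selinux_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# check_label EXPECTED_TYPE   (reads `ls -Z` lines "context path" on stdin)
# Prints one result line per file; returns non-zero if any file has a
# different type or no label at all.
check_label() {
    expected=$1
    rc=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        actual=$(selinux_type "$ctx")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path ($actual)"
        else
            echo "MISMATCH $path (${actual:-unlabeled}, want $expected)"
            rc=1
        fi
    done
    return $rc
}

# Sample input: the two `ls -Z` lines from the description above.
sample_ls_z() {
    cat <<'EOF'
system_u:object_r:bin_t:s0 /usr/libexec/sssd/passkey_child
system_u:object_r:ipa_otpd_exec_t:s0 /usr/libexec/sssd/oidc_child
EOF
}

# On a live system, replace sample_ls_z with:
#   ls -Z /usr/libexec/sssd/passkey_child /usr/libexec/sssd/oidc_child
sample_ls_z | check_label ipa_otpd_exec_t || echo "label mismatch found"
```

Once the installed policy carries an entry for the path, `matchpathcon <path>` shows the context the policy assigns and `restorecon -v <path>` applies it.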

Comment 1 Zdenek Pytela 2023-02-13 15:38:29 UTC
You've requested a change for rules which are in the freeipa-selinux package, so changing the component.

Comment 2 Florence Blanc-Renaud 2023-02-22 16:39:59 UTC
Upstream PR: https://github.com/flo-renaud/freeipa/pull/37

The code for passkey support is stored in the passkey branch of the above GitHub repo for now.

Comment 3 Florence Blanc-Renaud 2023-02-23 20:21:55 UTC
A build is available for testing in the copr repo from https://copr.fedorainfracloud.org/coprs/ipedrosa/passkey-auth/

Comment 4 Florence Blanc-Renaud 2023-06-01 06:24:19 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/574517cb165eb3d89dc3492895cf830a9bde67b2
https://pagure.io/freeipa/c/af569508c1cefbbbfde2fe52b02fe4545818b04a
https://pagure.io/freeipa/c/4bd1be9e90ea7369edb4ae15ff8c51232d5ab850
https://pagure.io/freeipa/c/a21214cb9e96ff7fdb4f55b5a4817b1ce60632c0
https://pagure.io/freeipa/c/ae3c281a64c994cae10709a2e284f3830de64781
https://pagure.io/freeipa/c/7911b2466d892386721952991d5150412530fb6e
https://pagure.io/freeipa/c/a7d90c1ef5e70a532f4515c18bf3e073c11ab87c
https://pagure.io/freeipa/c/f8580cae4b01568a6ab98b405435e83231994896
https://pagure.io/freeipa/c/d207f6bf328a9f2a3e07094aeab111aebca932de
https://pagure.io/freeipa/c/56e179748ba4844ce0c5e505803170b901e2a3c4
https://pagure.io/freeipa/c/6f0da62f5afa65941c280e16bd12215a57e4d6b0
https://pagure.io/freeipa/c/c58e483095d21aaa98f546425a99dc22d31dfb4a
https://pagure.io/freeipa/c/510f806a9f4f82d39772f22e3262ca6c17c918be
https://pagure.io/freeipa/c/c016e271b2bddde5c26822fee78e7f07b95dddc3
https://pagure.io/freeipa/c/b650783a180e6c81a6ccec3fd18ee9ed13edaf12
https://pagure.io/freeipa/c/9963dcdd5b261011793072d92168c5961ece35ad
https://pagure.io/freeipa/c/0075c8b8f66a28f80029fb3184e1eeb6b0f99f79
https://pagure.io/freeipa/c/c0f71b052560e5ac9782c582f151ca0bc7312d62
https://pagure.io/freeipa/c/14526c50bbabb8df43fa6420b678fcfc3ecd6436
https://pagure.io/freeipa/c/31b70ee32470b6999306bdc38035266d6a496c9e
https://pagure.io/freeipa/c/9caea3205cbd99649bd9b9eca4e9322f058d4a98
https://pagure.io/freeipa/c/e7a69b3d9f6768afd524bf36dc9b208d9f7730f1
https://pagure.io/freeipa/c/62e28e424769b35a19d424de45eade38c26082f3
https://pagure.io/freeipa/c/a02fd5305ee42307a159db7ece40ffc305bc7e59
https://pagure.io/freeipa/c/b252988da63c1b14da241438c744b882f416f189
https://pagure.io/freeipa/c/8d12d497f68961a5c2b614572f016980a9acca55
https://pagure.io/freeipa/c/e5c292cdada69a93a03de0fa6e48aa713b432ba1
https://pagure.io/freeipa/c/665227e43755c0869f25e986265c0533af1cc7f7
https://pagure.io/freeipa/c/e0acc51ff579251aeadf2a624ffd2bb91c2a4ef0
https://pagure.io/freeipa/c/957d67aca50958ad03a7e4d9831ef722b592fa69
https://pagure.io/freeipa/c/105b03370cd5725a9ae57701da09efd0cdeed1f6

Comment 5 Fedora Release Engineering 2023-08-16 08:14:45 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.