Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.3
Affects Version/s: rhel-10.2
Component/s: ipa
Labels:
None

Regression:
None
Severity:
Moderate

AssignedTeam:
rhel-idm-ipa

Story Points:
None
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Git Pull Request:
https://github.com/freeipa/freeipa/pull/8096
Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Unspecified Release Note Type - Unknown
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Cloned from: https://pagure.io/freeipa/issue/9948

Right now SELinux policy provided by FreeIPA only allows to run SSSD helpers `oidc_child` and `passkey_child` within `ipa_otpd_t` context. This assumes that they are launched by `ipa-otpd` daemon as part of the Kerberos TGT processing on IPA domain controller.

SSSD allows to authenticate with `oidc_child` and `passkey_child` on standalone deployments as well. We need to extend the SELinux policy to permit these usages.

Additionally, MIT Kerberos 1.22 in Fedora provides automated FAST channel acquisition on IPA enrolled clients. This requires any application using libkrb5 to get access to publicly available certificate data stored by IPA client. Extend SELinux policy to allow this access.

links to

freeipa pagure 9948

Assignee:: Florence Renaud

Reporter:: Florence Renaud

Developer:: Florence Renaud

QA Contact:: Sudhir Menon

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2026/02/24 2:56 PM

Updated:: 2026/02/24 2:59 PM

Stale Date:: 2027/02/23

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates