RHEL-34856

[RFE] [RHEL9] Backport --disable-polkit option from 2.0.2 upstream version


    • pcsc-lite-1.9.4-2.el9
    • None
    • Critical
    • Rebase
    • 1
    • rhel-security-crypto
    • ssg_security
    • 13
    • 20
    • 1
    • QE ack, Dev ack
    • False
    • False
    • None
    • Yes
    • Red Hat Enterprise Linux
    • Crypto24Q4
    • AC1) pcscd has --disable-polkit option and it is executed with it

      AC2) pcscd does not dump any error when using --disable-polkit option

      AC3 (stretch goal)) Verify pcscd is indeed not using the Policy Kit when using --disable-polkit, and PKCS#11 device can be accessed correctly even though Policy Kit is not available.
    • Pass
    • Not Needed
    • Automated
    • Enhancement
    • .`pcscd` now provides the `--disable-polkit` option

      With this update, you can turn off loading the PolicyKit authorization framework by starting the `pcscd` service with the `--disable-polkit` option. Running `pcscd` without `polkit` enables accessing PKCS #11 devices in limited environments such as the initial RAM disk. As a result, the Clevis decryption client can use a PKCS #11 device for automated unlocking of LUKS-encrypted volumes at boot time.
    • Done
    • None

      In order to provide a new feature for PKCS#11 unlocking in Clevis, we need to start pcscd without policy-kit at boot time. At this moment, the RHEL9 version of pcsc-lite does not include this option.
      We need the `--disable-polkit` option to have access to the PKCS#11 device at boot time.

      The following needs to be verified in order for this epic to be considered complete:

      1 - Execute pcscd with --disable-polkit option
      2 - pcscd does not dump any error when using --disable-polkit option
      3 - Verify pcscd is indeed not using the Policy Kit when using --disable-polkit, and PKCS#11 device can be accessed correctly even though Policy Kit is not available.

              jjelen@redhat.com Jakub Jelen
              sarroutb@redhat.com Sergio Arroutbi
              Jakub Jelen
              George Pantelakis
              Mirek Jahoda