Chapter 5. Controlling access to smart cards by using polkit
To cover possible threats that cannot be prevented by mechanisms built into smart cards, such as PINs, PIN pads, and biometrics, and for more fine-grained control, RHEL uses the polkit
framework for controlling access control to smart cards.
System administrators can configure polkit
to fit specific scenarios, such as smart-card access for non-privileged or non-local users or services.
5.1. Smart-card access control through polkit
The Personal Computer/Smart Card (PC/SC) protocol specifies a standard for integrating smart cards and their readers into computing systems. In RHEL, the pcsc-lite
package provides middleware to access smart cards that use the PC/SC API. A part of this package, the pcscd
(PC/SC Smart Card) daemon, ensures that the system can access a smart card using the PC/SC protocol.
Because access-control mechanisms built into smart cards, such as PINs, PIN pads, and biometrics, do not cover all possible threats, RHEL uses the polkit
framework for more robust access control. The polkit
authorization manager can grant access to privileged operations. In addition to granting access to disks, you can use polkit
also to specify policies for securing smart cards. For example, you can define which users can perform which operations with a smart card.
After installing the pcsc-lite
package and starting the pcscd
daemon, the system enforces policies defined in the /usr/share/polkit-1/actions/
directory. The default system-wide policy is in the /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy
file. Polkit policy files use the XML format and the syntax is described in the polkit(8)
man page on your system.
The polkitd
service monitors the /etc/polkit-1/rules.d/
and /usr/share/polkit-1/rules.d/
directories for any changes in rule files stored in these directories. The files contain authorization rules in JavaScript format. System administrators can add custom rule files in both directories, and polkitd
reads them in lexical order based on their file name. If two files have the same names, then the file in /etc/polkit-1/rules.d/
is read first.
If you need to enable smart-card support when the system security services daemon (SSSD) does not run as root
, you must install the sssd-polkit-rules
package. The package provides polkit
integration with SSSD.
Additional resources
-
polkit(8)
,polkitd(8)
, andpcscd(8)
man pages on your system
5.3. Displaying more detailed information about polkit authorization to PC/SC
In the default configuration, the polkit
authorization framework sends only limited information to the Journal log. You can extend polkit
log entries related to the PC/SC protocol by adding new rules.
Prerequisites
-
You have installed the
pcsc-lite
package on your system. -
The
pcscd
daemon is running.
Procedure
Create a new file in the
/etc/polkit-1/rules.d/
directory:# touch /etc/polkit-1/rules.d/00-test.rules
Edit the file in an editor of your choice, for example:
# vi /etc/polkit-1/rules.d/00-test.rules
Insert the following lines:
polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") { polkit.log("action=" + action); polkit.log("subject=" + subject); } });
Save the file, and exit the editor.
Restart the
pcscd
andpolkit
services:# systemctl restart pcscd.service pcscd.socket polkit.service
Verification
-
Make an authorization request for
pcscd
. For example, open the Firefox web browser or use thepkcs11-tool -L
command provided by theopensc
package. Display the extended log entries, for example:
# journalctl -u polkit --since "1 hour ago" polkitd[1224]: <no filename>:4: action=[Action id='org.debian.pcsc-lite.access_pcsc'] polkitd[1224]: <no filename>:5: subject=[Subject pid=2020481 user=user' groups=user,wheel,mock,wireshark seat=null session=null local=true active=true]
Additional resources
-
polkit(8)
andpolkitd(8)
man pages.
5.4. Additional resources
- Controlling access to smart cards Red Hat Blog article.