Cannot add new hosts with fapolicyd service enabled - Cannot execute ferny-askpass #21251

Open
cakersq opened this issue Nov 11, 2024 · 0 comments
cakersq commented Nov 11, 2024

Explain what happens

  1. Install and enable fapolicyd (dnf install fapolicyd; systemctl enable --now fapolicyd.service), or have it enabled as part of an SCAP Security Guide profile.
  2. Log in to the Cockpit web interface as a non-root user (with wheel group sudo privileges).
  3. Attempt to add a New Host.
  4. An error occurs: cannot execute KnownHostsCommand ferny-askpass.

Version of Cockpit

311.2

Where is the problem in Cockpit?

Navigation & Shell

Server operating system

other

Server operating system version

Rocky Linux 9.4

What browsers are you using?

Firefox

System log

Cockpit Error in Web: KnownHostsCommand-ORDER execv "/run/user/1000/ferny/tmpf6x02hnk/ferny-askpass ORDER other.home.net NONE NONE NONE": Operation not permitted KnownHostsCommand-ORDER /run/user/1000/ferny/tmpf6x02hnk/ferny-askpass ORDER other.home.net NONE NONE NONE failed, status 127 KnownHostsCommand failed

fapolicyd with debug reports: rule=11 dec=deny_audit perm=execute auid=1000 pid=3631 exe=/usr/bin/ssh : path=/run/user/1000/ferny/tmp9twfh2fb/ferny-askpass ftype=text/x-python trust=0

fapolicyd rule is: deny_audit perm=any all : ftype=text/x-python

fapolicyd effectively doesn't trust executing Python scripts that are not installed by a DNF/RPM package.

Potential Solutions: Move the ferny-askpass to be in a common directory, and include in the Cockpit RPM.
@cakersq cakersq added the bug label Nov 11, 2024
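As an added example (not part of the issue or of the Cockpit project), the following script parses fapolicyd `--debug` decision lines of the shape quoted above and flags denials of Cockpit's per-session ferny-askpass helper, so an operator reviewing fapolicyd output can tell this specific failure apart from other untrusted-script denials. The sample lines are constructed for the example; the rule numbers, PIDs and paths in them are illustrative.

```python
import re

# Constructed sample lines, modelled on the fapolicyd --debug output in the issue.
SAMPLE_LOG = """\
rule=11 dec=deny_audit perm=execute auid=1000 pid=3631 exe=/usr/bin/ssh : path=/run/user/1000/ferny/tmp9twfh2fb/ferny-askpass ftype=text/x-python trust=0
rule=3 dec=allow perm=execute auid=1000 pid=3640 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable trust=1
rule=11 dec=deny_audit perm=execute auid=1000 pid=3655 exe=/usr/bin/bash : path=/home/alice/script.py ftype=text/x-python trust=0
"""

# Cockpit writes the helper into a per-user runtime dir with a random temp subdir.
FERNY_ASKPASS = re.compile(r"^/run/user/\d+/ferny/[^/]+/ferny-askpass$")


def parse_fapolicyd_line(line):
    """Turn one 'key=value ... : key=value ...' debug line into a dict.
    The ' : ' separates subject fields (the executing process) from object
    fields (the file being accessed); both sides use key=value tokens."""
    subject, _, obj = line.partition(" : ")
    fields = {}
    for token in (subject + " " + obj).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(event):
    """Label a parsed decision: the Cockpit helper denial, any other denial of an
    untrusted Python script, or everything else."""
    denied = event.get("dec", "").startswith("deny")
    untrusted_python = event.get("ftype") == "text/x-python" and event.get("trust") == "0"
    if denied and untrusted_python and FERNY_ASKPASS.match(event.get("path", "")):
        return "cockpit-ferny-askpass-denied"
    if denied and untrusted_python:
        return "untrusted-python-denied"
    return "other"


def scan(log_text):
    """Return (pid, exe, path, label) for every non-empty line in the log."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_fapolicyd_line(line)
        results.append((ev.get("pid"), ev.get("exe"), ev.get("path"), classify(ev)))
    return results


if __name__ == "__main__":
    for pid, exe, path, label in scan(SAMPLE_LOG):
        print(f"pid={pid} exe={exe} path={path} -> {label}")
```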