Bug 2223989

Summary: SSSD needs USB device access to handle FIDO2 tokens
Product: Fedora
Component: selinux-policy
Version: 39
Status: ASSIGNED
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Linux
Reporter: Alexander Bokovoy <abokovoy>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: atikhono, dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela

Description Alexander Bokovoy 2023-07-19 13:34:50 UTC
For upcoming passkeys integration (FIDO2 tokens), SSSD needs access to USB devices. This is currently blocked by the SELinux policy.

Additionally, for GDM-based login with the FIDO2 tokens, the SSSD `sss_cache` command needs to communicate with the accounts daemon.

--------------------
# cat local.te 

module local 1.0;

require {
	type sssd_t;
	type accountsd_t;
	type usb_device_t;
	class fifo_file read;
	class chr_file { getattr ioctl lock open read write };
}

#============= sssd_t ==============

allow sssd_t accountsd_t:fifo_file read;

allow sssd_t usb_device_t:chr_file { read write };
allow sssd_t usb_device_t:chr_file { getattr ioctl lock open };
--------------------

Reproducible: Always

Comment 1 Alexander Bokovoy 2023-07-19 13:35:54 UTC
An example of raw AVCs:

type=AVC msg=audit(1688994740.266:172): avc:  denied  { read } for  pid=2327 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1688994740.276:173): avc:  denied  { read } for  pid=2329 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1688990400.922:161): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990400.922:162): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990400.922:163): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0

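audit2allow derives allow rules like the ones in the reporter's local.te from AVC lines like those above. As an added example (not code from the reporter, SSSD or the Fedora policy), the Python below parses raw AVC records, groups every enforced denial by source type, target type and object class, and renders the resulting allow rules; the sample input is four of the lines quoted in comment 1.

```python
import re
from collections import defaultdict

# Sample input: four of the raw AVC lines quoted in comment 1 of this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1688994740.266:172): avc:  denied  { read } for  pid=2327 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1688990400.922:161): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990400.922:162): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990401.924:164): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
"""

# Decision, permission set, calling command, source/target contexts, object class; permissive= is optional.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?')

def parse_avc(line):
    # Returns the parsed fields of one AVC record, or None for any other line.
    # A context is user:role:type:range, so the type is always the third field,
    # even when the MLS range itself contains ':' (e.g. s0-s0:c0.c1023).
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"decision": m.group("decision"),
            "perms": frozenset(m.group("perms").split()),
            "comm": m.group("comm"),
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1"}

def summarize(lines):
    # Merge every denial into one (source, target, class) bucket, the same
    # grouping audit2allow uses, keeping a hit count and the commands seen.
    rules = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for rec in filter(None, map(parse_avc, lines)):
        if rec["decision"] != "denied":
            continue
        bucket = rules[(rec["stype"], rec["ttype"], rec["tclass"])]
        bucket["perms"] |= rec["perms"]
        bucket["count"] += 1
        bucket["comms"].add(rec["comm"])
    return dict(rules)

def to_te_rules(summary):
    # Render each bucket as an allow rule in the form used in local.te above.
    out = []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        out.append("# %d denial(s), comm: %s" % (info["count"], ", ".join(sorted(info["comms"]))))
        out.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(info["perms"]))))
    return out
```

Only permissions that were actually logged end up in a rule: the reporter's local.te additionally grants getattr ioctl lock open on usb_device_t, which these lines do not show, and comment 2 says the final policy will gate the usb_device_t rule behind a boolean rather than allow it unconditionally.
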
Comment 2 Zdenek Pytela 2023-07-19 15:42:23 UTC
The first permission already is in the policy:
f38# sesearch -A -s sssd_t -t accountsd_t -c fifo_file -p read
allow sssd_t accountsd_t:fifo_file { getattr ioctl lock open read };
f38# rpm -q selinux-policy
selinux-policy-38.20-1.fc38.noarch

The other one needs to be added, but only when a newly introduced boolean is turned on, if this works for you.

Comment 3 Alexander Bokovoy 2023-07-19 15:47:41 UTC
This local policy works for me in my setup.

What boolean are you going to add? Can you please give more details? I will need to add its support to FreeIPA.

Comment 4 Fedora Release Engineering 2023-08-16 08:13:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.