Bug 2223989

Summary: SSSD needs USB device access to handle FIDO2 tokens
Product: Fedora
Reporter: Alexander Bokovoy <abokovoy>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 39
CC: atikhono, dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-38.27-1.fc39
Doc Type: If docs needed, set a value
Last Closed: 2023-09-07 22:59:33 UTC
Bug Blocks: 2233246

Description Alexander Bokovoy 2023-07-19 13:34:50 UTC
For upcoming passkeys integration (FIDO2 tokens), SSSD needs access to USB devices. This is currently blocked by the SELinux policy.

Additionally, for GDM-based login with FIDO2 tokens, the SSSD `sss_cache` command needs to communicate with the accounts daemon.

--------------------
# cat local.te 

module local 1.0;

require {
	type sssd_t;
	type accountsd_t;
	type usb_device_t;
	class fifo_file read;
	class chr_file { getattr ioctl lock open read write };
}

#============= sssd_t ==============

allow sssd_t accountsd_t:fifo_file read;

allow sssd_t usb_device_t:chr_file { read write };
allow sssd_t usb_device_t:chr_file { getattr ioctl lock open };
--------------------

Reproducible: Always

Comment 1 Alexander Bokovoy 2023-07-19 13:35:54 UTC
An example of raw AVCs:

type=AVC msg=audit(1688994740.266:172): avc:  denied  { read } for  pid=2327 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1688994740.276:173): avc:  denied  { read } for  pid=2329 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1688990400.922:161): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990400.922:162): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990400.922:163): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0

Comment 2 Zdenek Pytela 2023-07-19 15:42:23 UTC
The first permission already is in the policy:
f38# sesearch -A -s sssd_t -t accountsd_t -c fifo_file -p read
allow sssd_t accountsd_t:fifo_file { getattr ioctl lock open read };
f38# rpm -q selinux-policy
selinux-policy-38.20-1.fc38.noarch

The other one needs to be added, but only if a newly introduced boolean is turned on, if this works for you.

Comment 3 Alexander Bokovoy 2023-07-19 15:47:41 UTC
This local policy works for me in my setup.

What boolean are you going to add? Can you please give more details? I will need to add its support to FreeIPA.

Comment 4 Fedora Release Engineering 2023-08-16 08:13:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

Comment 5 Alexander Bokovoy 2023-08-22 11:51:20 UTC
Zdenek,

any progress with this fix?

Comment 6 Zdenek Pytela 2023-08-28 09:31:32 UTC
I am sorry for the delay, I'll take a look this week.

Comment 7 Zdenek Pytela 2023-08-29 09:10:14 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1859

The boolean name is
sssd_use_usb

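An added example, not code from the bug report or from the selinux-policy project: a POSIX shell helper that collapses an AVC flood like the one in comment 1 into distinct denials, maps each to the outcome in this bug (the `sssd_use_usb` boolean named above for the `usb_device_t` access, the base policy for the `accountsd_t` fifo read), and, when `getsebool` and `sesearch` are present, inspects the live policy. The embedded AVC lines are constructed in the shape of the reported ones; the live check is skipped where the tools are absent.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# 1. Collapse an AVC flood like the one in comment 1 into distinct
#    (comm, source type, target type, tclass, perms) tuples.
# 2. Map each tuple to how this bug resolved it: sssd_t -> usb_device_t is
#    gated by the sssd_use_usb boolean (comment 7); the fifo_file read on
#    accountsd_t was already in the base policy (comment 2).
# 3. Optionally inspect the live policy with getsebool/sesearch.
# The sample lines are constructed in the shape of the reported ones.

SAMPLE_AVCS='type=AVC msg=audit(1688994740.266:172): avc:  denied  { read } for  pid=2327 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1688990400.922:161): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990400.922:162): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990401.924:164): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0'

# One line per distinct denial: "comm stype ttype tclass perms".
# Only the type field of each context is kept, so MLS ranges do not split tuples.
summarize_avcs() {
    printf '%s\n' "$1" | sed -n \
        's/.*denied *{ \(.*\) } for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \5 \1/p' \
        | sort -u
}

# Name the resolution for one summary line produced by summarize_avcs.
classify_denial() {
    case "$1" in
        *" sssd_t usb_device_t chr_file "*) echo "boolean:sssd_use_usb" ;;
        *" sssd_t accountsd_t fifo_file "*) echo "already-allowed:base-policy" ;;
        *) echo "unknown" ;;
    esac
}

# On a live Fedora host: is the boolean defined, and which rule does it unlock?
# Enabling it is a separate, persistent step: setsebool -P sssd_use_usb on
check_live_policy() {
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "getsebool not available; skipping live check"
        return 0
    fi
    getsebool sssd_use_usb 2>/dev/null \
        || echo "sssd_use_usb undefined: selinux-policy older than 38.27-1.fc39?"
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s sssd_t -t usb_device_t -c chr_file
    fi
    return 0
}

summarize_avcs "$SAMPLE_AVCS" | while IFS= read -r line; do
    printf '%s -> %s\n' "$line" "$(classify_denial "$line")"
done
check_live_policy
```
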
Comment 8 Alexander Bokovoy 2023-08-29 10:18:49 UTC
Thank you. I submitted FreeIPA PR to get support for it: https://github.com/freeipa/freeipa/pull/6978

Comment 9 Zdenek Pytela 2023-08-29 12:01:38 UTC
(In reply to Alexander Bokovoy from comment #8)
> Thank you. I submitted FreeIPA PR to get support for it:
> https://github.com/freeipa/freeipa/pull/6978

This PR looks good as far as I am able to assess.

Comment 10 Fedora Update System 2023-09-01 10:52:49 UTC
FEDORA-2023-b5926774b7 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5926774b7

Comment 11 Fedora Update System 2023-09-02 02:11:14 UTC
FEDORA-2023-b5926774b7 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b5926774b7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5926774b7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2023-09-07 22:59:33 UTC
FEDORA-2023-b5926774b7 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.