Bug 2240193

Summary: selinux policy -- sssd_t context should be able to send sigkill across to ipa_otpd_t-labeled process
Product: Fedora
Component: selinux-policy
Version: 39
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Sudhir Menon <sumenon>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Fixed In Version: selinux-policy-38.29-1.fc39
Doc Type: If docs needed, set a value
Last Closed: 2023-11-03 18:26:50 UTC
Bug Blocks: 2233246

Description Sudhir Menon 2023-09-22 11:25:48 UTC
selinux policy -- sssd_t context should be able to send sigkill across to ipa_otpd_t-labeled process

Reproducible: Always

Steps to Reproduce:
1. Install FreeIPA/Client with SELinux in permissive mode
2. Set up the auth type as Passkey for the ipauser
3. Set the PIN and passkey for the user.
4. Try to log in using the PIN and passkey with GNOME
Actual Results:
Seeing a coredump for sssd_pam in dmesg and SELinux AVCs
time->Thu Sep 21 18:06:52 2023
type=AVC msg=audit(1695299812.149:579): avc:  denied  { sigkill } for  pid=940 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1
----
time->Thu Sep 21 18:19:56 2023
type=AVC msg=audit(1695300596.127:633): avc:  denied  { sigkill } for  pid=4998 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1

Expected Results:
Fix the AVC denials.

Comment 2 Alexander Bokovoy 2023-09-22 11:32:45 UTC
Zdenek, this is one part we missed in the new policy to allow sssd_t to talk to passkey_child in ipa_otpd_t context.

SSSD uses SIGKILL to communicate between different components, in this case sssd_pam and passkey_child.

Comment 3 Zdenek Pytela 2023-09-29 11:30:07 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1880

Note it allows only SIGKILL as reported in this bz.
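As an added illustration (not code from the report, the reporter, or the selinux-policy PR), the script below derives the minimal CIL allow rule from the two AVC lines quoted in the description, so that a local workaround is scoped to exactly the denied permission (one signal on one class, matching the narrow fix in the PR) rather than something broader; `avc_to_cil`, `derive_rules` and the file name `local_sssd_otpd.cil` are names introduced here.

```shell
#!/bin/sh
# Added example, not part of the bug report or the selinux-policy PR.
# Input: the two AVC denials quoted in the description (re-typed here).
SAMPLE_AVC='type=AVC msg=audit(1695299812.149:579): avc:  denied  { sigkill } for  pid=940 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1695300596.127:633): avc:  denied  { sigkill } for  pid=4998 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1'

# avc_to_cil (name introduced here): read AVC lines on stdin and print one
# CIL allow rule per distinct (source type, target type, class, perms)
# tuple. The permission set is taken verbatim from the "{ ... }" field, so
# the rule grants exactly what was denied and nothing broader.
avc_to_cil() {
  awk '
    /avc: *denied/ {
      perms = ""; stype = ""; ttype = ""; tclass = ""
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        # contexts are user:role:type:level; the type is the third field
        if (kv[1] == "scontext")      { split(kv[2], c, ":"); stype = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        else if (kv[1] == "tclass")   { tclass = kv[2] }
      }
      if (stype == "" || ttype == "" || tclass == "" || perms == "") next
      rule = "(allow " stype " " ttype " (" tclass " (" perms ")))"
      if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# derive_rules (name introduced here): apply the parser to the sample above.
derive_rules() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_cil
}

# Stand-alone run: print the rule a local module would contain. On a real
# host the same output saved as local_sssd_otpd.cil can be loaded with
# "semodule -i local_sssd_otpd.cil"; after installing the fixed
# selinux-policy the rule's presence can be confirmed with
# "sesearch -A -s sssd_t -t ipa_otpd_t -c process -p sigkill".
derive_rules
```

Both AVC lines collapse to the single rule `(allow sssd_t ipa_otpd_t (process (sigkill)))`, which is all the reported denials require.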

Comment 4 Fedora Update System 2023-10-02 11:15:54 UTC
FEDORA-2023-a2cd3807b5 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2cd3807b5

Comment 5 Fedora Update System 2023-10-03 03:40:07 UTC
FEDORA-2023-a2cd3807b5 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a2cd3807b5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2cd3807b5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-11-03 18:26:50 UTC
FEDORA-2023-a2cd3807b5 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.