Bug 2223989 - SSSD needs USB device access to handle FIDO2 tokens
Summary: SSSD needs USB device access to handle FIDO2 tokens
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-07-19 13:34 UTC by Alexander Bokovoy
Modified: 2023-08-16 08:13 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Alexander Bokovoy 2023-07-19 13:34:50 UTC
For upcoming passkeys integration (FIDO2 tokens), SSSD needs access to USB devices. This is currently blocked by the SELinux policy.

Additionally, for GDM-based login with FIDO2 tokens, the SSSD `sss_cache` command needs to communicate with the accounts daemon.

--------------------
# cat local.te 

module local 1.0;

require {
	type sssd_t;
	type accountsd_t;
	type usb_device_t;
	class fifo_file read;
	class chr_file { getattr ioctl lock open read write };
}

#============= sssd_t ==============

# sss_cache (running as sssd_t) reads a pipe created by accounts-daemon (accountsd_t)
allow sssd_t accountsd_t:fifo_file read;

# passkey_child opens the /dev/hidraw* nodes, which are labelled usb_device_t
allow sssd_t usb_device_t:chr_file { read write };
allow sssd_t usb_device_t:chr_file { getattr ioctl lock open };
--------------------

Reproducible: Always

Comment 1 Alexander Bokovoy 2023-07-19 13:35:54 UTC
An example of raw AVCs:

type=AVC msg=audit(1688994740.266:172): avc:  denied  { read } for  pid=2327 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1688994740.276:173): avc:  denied  { read } for  pid=2329 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1688990400.922:161): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990400.922:162): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990400.922:163): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990401.924:164): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990401.924:165): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990401.925:166): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990402.927:167): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990402.927:168): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990402.927:169): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990403.930:170): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990403.930:171): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990403.930:172): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990404.933:173): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990404.933:174): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990404.933:175): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990405.936:176): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990405.936:177): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990405.936:178): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990406.939:179): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990406.940:180): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990406.940:181): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990407.942:182): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990407.942:183): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990407.942:184): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990408.944:187): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990408.944:188): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990408.944:189): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990409.947:190): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990409.947:191): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990409.947:192): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990410.951:193): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990410.951:194): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990410.951:195): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990411.954:196): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990411.954:197): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990411.955:198): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990412.956:199): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990413.958:200): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990414.959:201): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990424.791:203): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990424.791:204): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990424.791:205): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990425.794:206): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990425.794:207): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990425.794:208): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990426.797:209): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990426.798:210): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990426.798:211): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990427.800:212): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990427.800:213): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990427.800:214): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990428.803:215): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990428.803:216): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990428.803:217): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990429.805:218): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990429.806:219): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990429.806:220): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990430.808:221): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990430.808:222): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1688990430.808:223): avc:  denied  { read write } for  pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0

Comment 2 Zdenek Pytela 2023-07-19 15:42:23 UTC
The first permission is already in the policy:
f38# sesearch -A -s sssd_t -t accountsd_t -c fifo_file -p read
allow sssd_t accountsd_t:fifo_file { getattr ioctl lock open read };
f38# rpm -q selinux-policy
selinux-policy-38.20-1.fc38.noarch

The other one needs to be added, but only when a newly introduced boolean is turned on, if this works for you.
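The raw AVC list in Comment 1 collapses to exactly two (source type, target type, class) tuples, and that aggregation is what audit2allow performs before emitting the allow rules in the reporter's local.te. The script below is an added example, not sssd or selinux-policy code, that does the same aggregation over the AVC lines copied from Comment 1 and renders the result as a .te module, optionally wrapped in a boolean so the access is opt-in as Comment 2 proposes. The boolean name `sssd_passkey_usb_example` is a placeholder; the page does not name the boolean being introduced.

```python
"""Aggregate raw AVC denials into SELinux allow rules, the way audit2allow does.

Added example for this bug report, not sssd or selinux-policy code.  The
sample lines below are copied from Comment 1; the boolean name is a
placeholder, since the page does not name the boolean being introduced.
"""
import re
from collections import defaultdict

# Four of the AVC lines from Comment 1 (the rest repeat the same three tuples
# with different timestamps and inode numbers).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1688994740.266:172): avc:  denied  { read } for  pid=2327 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0',
    'type=AVC msg=audit(1688990400.922:161): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1688990400.922:162): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1688990400.922:163): avc:  denied  { read write } for  pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0',
]

# avc: denied { perms } ... scontext=u:r:t:level tcontext=u:r:t:level tclass=cls
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'],
            frozenset(m['perms'].split()))


def aggregate(lines):
    """Merge denials on the same (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        source, target, tclass, perms = parsed
        rules[(source, target, tclass)] |= perms
    return dict(rules)


def render_module(rules, name='local', version='1.0', boolean=None):
    """Render aggregated rules as a .te module for checkmodule/semodule_package.

    With boolean set, the allow rules are wrapped in an if-block on a boolean
    that defaults to off, so the access is opt-in (setsebool -P <boolean> on).
    """
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    perms_by_class = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        perms_by_class[tclass] |= perms

    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {{ {" ".join(sorted(p))} }};'
            for cls, p in sorted(perms_by_class.items())]
    out += ['}', '']

    allows = [f'allow {s} {t}:{cls} {{ {" ".join(sorted(p))} }};'
              for (s, t, cls), p in sorted(rules.items())]
    if boolean is None:
        out += allows
    else:
        out += [f'bool {boolean} false;', '', f'if ({boolean}) {{']
        out += ['\t' + rule for rule in allows]
        out += ['}']
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(render_module(aggregate(SAMPLE_AVCS), boolean='sssd_passkey_usb_example'))
```

The rendered file is built and loaded the same way as the reporter's local.te: `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod`, `semodule -i local.pp`; with the boolean variant, the rules stay inert until `setsebool -P sssd_passkey_usb_example on`. Two caveats a practitioner should keep in mind: the logs above only contain `{ read write }`, because an enforcing kernel stops at the first denied check, so the `{ getattr ioctl lock open }` in the reporter's module come from later iterations (the full set is collected in one pass by temporarily making the domain permissive with `semanage permissive -a sssd_t`, then removing it with `-d`); and the real tool, `ausearch -m AVC -ts recent | audit2allow -M local`, performs this same aggregation but prefers refpolicy permission-set macros over raw permission lists.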

Comment 3 Alexander Bokovoy 2023-07-19 15:47:41 UTC
This local policy works for me in my setup.

What boolean are you going to add? Can you please give more details? I will need to add its support to FreeIPA.

Comment 4 Fedora Release Engineering 2023-08-16 08:13:12 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.

