For upcoming passkeys integration (FIDO2 tokens), SSSD needs access to USB devices. This is currently blocked by the SELinux policy. Additionally, for GDM-based login with the FIDO2 tokens, SSSD `sss_cache` command needs to communicate to accounts daemon. -------------------- # cat local.te module local 1.0; require { type sssd_t; type accountsd_t; type usb_device_t; class fifo_file read; class chr_file { getattr ioctl lock open read write }; } #============= sssd_t ============== allow sssd_t accountsd_t:fifo_file read; allow sssd_t usb_device_t:chr_file { read write }; allow sssd_t usb_device_t:chr_file { getattr ioctl lock open }; -------------------- Reproducible: Always
An example of raw AVCs: type=AVC msg=audit(1688994740.266:172): avc: denied { read } for pid=2327 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0 type=AVC msg=audit(1688994740.276:173): avc: denied { read } for pid=2329 comm="sss_cache" path="pipe:[39470]" dev="pipefs" ino=39470 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:accountsd_t:s0 tclass=fifo_file permissive=0 type=AVC msg=audit(1688990400.922:161): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990400.922:162): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990400.922:163): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990401.924:164): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990401.924:165): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990401.925:166): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990402.927:167): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990402.927:168): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990402.927:169): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990403.930:170): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990403.930:171): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990403.930:172): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990404.933:173): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990404.933:174): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990404.933:175): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990405.936:176): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990405.936:177): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990405.936:178): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990406.939:179): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990406.940:180): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990406.940:181): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990407.942:182): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990407.942:183): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990407.942:184): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990408.944:187): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990408.944:188): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990408.944:189): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990409.947:190): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990409.947:191): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990409.947:192): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990410.951:193): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990410.951:194): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990410.951:195): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990411.954:196): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=994 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990411.954:197): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=997 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990411.955:198): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990412.956:199): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990413.958:200): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990414.959:201): avc: denied { read write } for pid=3108 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990424.791:203): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990424.791:204): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990424.791:205): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990425.794:206): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990425.794:207): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990425.794:208): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990426.797:209): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990426.798:210): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990426.798:211): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990427.800:212): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990427.800:213): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990427.800:214): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990428.803:215): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990428.803:216): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990428.803:217): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990429.805:218): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990429.806:219): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990429.806:220): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990430.808:221): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw1" dev="devtmpfs" ino=1010 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990430.808:222): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw2" dev="devtmpfs" ino=1013 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 type=AVC msg=audit(1688990430.808:223): avc: denied { read write } for pid=3146 comm="passkey_child" name="hidraw0" dev="devtmpfs" ino=491 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0
The first permission already is in the policy: f38# sesearch -A -s sssd_t -t accountsd_t -c fifo_file -p read rpm -q selinux-allow sssd_t accountsd_t:fifo_file { getattr ioctl lock open read }; f38# rpm -q selinux-policy selinux-policy-38.20-1.fc38.noarch The other one needs to be added, but only if a newly introduced boolean is turned on if this works for you.
This local policy works for me in my setup. What boolean are you going to add? Can you please give more details? I will need to add its support to FreeIPA.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
Zdenek, any progress with this fix?
I am sorry for the delay, I'll take a look this week.
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1859 The boolean name is sssd_use_usb
Thank you. I submitted FreeIPA PR to get support for it: https://github.com/freeipa/freeipa/pull/6978
(In reply to Alexander Bokovoy from comment #8) > Thank you. I submitted FreeIPA PR to get support for it: > https://github.com/freeipa/freeipa/pull/6978 This PR looks good as far as I am able to assess.
FEDORA-2023-b5926774b7 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5926774b7
FEDORA-2023-b5926774b7 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b5926774b7` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5926774b7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-b5926774b7 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.