Bug 2240193 - selinux policy -- sssd_t context should be able to send sigkill across to ipa_otpd_t-labeled process
Summary: selinux policy -- sssd_t context should be able to send sigkill across to ipa_otpd_t-labeled process
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2233246
Reported: 2023-09-22 11:25 UTC by Sudhir Menon
Modified: 2023-11-03 18:26 UTC (History)
CC: 8 users

Fixed In Version: selinux-policy-38.29-1.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-03 18:26:50 UTC
Type: ---
Embargoed:




Links
System: Github fedora-selinux selinux-policy pull 1880
Private: 0
Priority: None
Status: open
Summary: Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t
Last Updated: 2023-09-29 11:30:06 UTC

Description Sudhir Menon 2023-09-22 11:25:48 UTC
selinux policy -- sssd_t context should be able to send sigkill across to ipa_otpd_t-labeled process

Reproducible: Always

Steps to Reproduce:
1. Install FreeIPA server/client with SELinux in permissive mode
2. Set up the auth type as Passkey for the ipauser
3. Set the PIN and passkey for the user.
4. Try to log in using the PIN and passkey with GNOME
Actual Results:
Seeing a coredump for sssd_pam in dmesg and SELinux AVCs:
time->Thu Sep 21 18:06:52 2023
type=AVC msg=audit(1695299812.149:579): avc:  denied  { sigkill } for  pid=940 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1
----
time->Thu Sep 21 18:19:56 2023
type=AVC msg=audit(1695300596.127:633): avc:  denied  { sigkill } for  pid=4998 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1

Expected Results:
Fix the AVC denials.
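
The two AVC records above are the whole evidence for this bug, so the check a policy maintainer wants is a small parser that pulls the source type, target type, class and permission out of each record, counts how often each distinct denial occurs, and renders the corresponding type-enforcement allow rule (the same shape audit2allow would print). The block below is an added example, not code from the bug report, from SSSD or from selinux-policy. The sample log is constructed: it contains the two AVC lines quoted in the report plus one unrelated, made-up file denial and one non-AVC record to show that only AVC records are picked up. The `permissive=1` field is surfaced explicitly because it is what tells the reader the access actually succeeded and was only logged, which matches the permissive-mode reproduction steps.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit log. The first and third AVC lines are the ones
# quoted in the bug report; the etc_t/file line and the SERVICE_START line
# are made up here to exercise filtering and grouping.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1695299800.000:570): pid=1 uid=0 msg='unit=sssd comm="systemd"'
type=AVC msg=audit(1695299812.149:579): avc:  denied  { sigkill } for  pid=940 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1695300596.127:633): avc:  denied  { sigkill } for  pid=4998 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1695300600.000:640): avc:  denied  { read } for  pid=5000 comm="sssd_pam" name="example.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

# One AVC "denied" record. The lazy ".*?" skips object-specific fields
# (name=, dev=, ino=, ...) that sit between comm= and scontext=.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+'
    r'(?:pid=(?P<pid>\d+)\s+)?'
    r'(?:comm="(?P<comm>[^"]*)"\s+)?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """Return the SELinux type, i.e. the third field of user:role:type:level."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Parse every AVC denial in an audit log excerpt into a dict per record."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, SERVICE_START, "time->" separators, etc.
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["permissive"] = d["permissive"] == "1"
        d["stype"] = type_of(d["scontext"])
        d["ttype"] = type_of(d["tcontext"])
        denials.append(d)
    return denials


def summarize(denials):
    """Count occurrences of each (source type, target type, class, perm)."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(d["stype"], d["ttype"], d["tclass"], perm)] += 1
    return counts


def te_rules(denials):
    """Render the allow rules that would silence these denials, one per
    (source, target, class) triple, with permissions merged like audit2allow."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def find_denials(denials, stype, ttype, tclass, perm):
    """Return only the records matching one specific access vector."""
    return [d for d in denials
            if d["stype"] == stype and d["ttype"] == ttype
            and d["tclass"] == tclass and perm in d["perms"]]


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for key, n in summarize(found).items():
        print(n, "x", key)
    print("\n".join(te_rules(found)))
    hits = find_denials(found, "sssd_t", "ipa_otpd_t", "process", "sigkill")
    print(f"{len(hits)} sssd_t -> ipa_otpd_t sigkill denials, "
          f"permissive={all(d['permissive'] for d in hits)}")
```

Feeding it real output from `ausearch -m AVC` works the same way, since the parser only looks at the AVC records and ignores the `time->` and `----` lines ausearch prints around them. The rendered rule for the records in this report is `allow sssd_t ipa_otpd_t:process sigkill;`, which is the single permission the Fedora PR in comment 3 says it grants; the merge step matters when a component trips several permissions on the same class, so that the review sees one rule per triple rather than a rule per log line.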

Comment 2 Alexander Bokovoy 2023-09-22 11:32:45 UTC
Zdenek, this is one part we missed in the new policy to allow sssd_t to talk to passkey_child in ipa_otpd_t context.

SSSD uses SIGKILL to communicate between different components, in this case sssd_pam and passkey_child.

Comment 3 Zdenek Pytela 2023-09-29 11:30:07 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1880

Note it allows only SIGKILL as reported in this bz.

Comment 4 Fedora Update System 2023-10-02 11:15:54 UTC
FEDORA-2023-a2cd3807b5 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2cd3807b5

Comment 5 Fedora Update System 2023-10-03 03:40:07 UTC
FEDORA-2023-a2cd3807b5 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a2cd3807b5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2cd3807b5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-11-03 18:26:50 UTC
FEDORA-2023-a2cd3807b5 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.