selinux policy -- sssd_t context should be able to send sigkill across to ipa_otpd_t-labeled process

Reproducible: Always

Steps to Reproduce:
1. Install FreeIPA/Client with SELinux in permissive mode
2. Set up auth type as Passkey for the ipauser
3. Set the PIN and passkey for the user.
4. Try to log in using the PIN and passkey with GNOME

Actual Results:
Seeing a coredump for sssd_pam in dmesg and SELinux AVCs:

time->Thu Sep 21 18:06:52 2023
type=AVC msg=audit(1695299812.149:579): avc: denied { sigkill } for pid=940 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1
----
time->Thu Sep 21 18:19:56 2023
type=AVC msg=audit(1695300596.127:633): avc: denied { sigkill } for pid=4998 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1

Expected Results:
Fix the AVC denials.
Zdenek, this is one part we missed in the new policy to allow sssd_t to talk to passkey_child in ipa_otpd_t context. SSSD uses SIGKILL to communicate between different components, in this case sssd_pam and passkey_child.
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1880 Note it allows only SIGKILL as reported in this bz.
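To confirm that the two AVC records in the report call for exactly the one rule the PR adds (sigkill only, sssd_t -> ipa_otpd_t, class process), here is an added example that is not part of this bug or the fedora-selinux PR: a small regex-based reducer that parses the denials and collapses them into minimal allow rules, the way audit2allow does. The AVC lines are copied from the report above; the parser is a simplification and only handles the `avc: denied` record shape shown here.

```python
import re
from typing import NamedTuple, Optional

# The two AVC records from the bug report, verbatim.
AVC_LINES = """\
type=AVC msg=audit(1695299812.149:579): avc: denied { sigkill } for pid=940 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1695300596.127:633): avc: denied { sigkill } for pid=4998 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1
"""

# Only the fields needed to derive an allow rule; other fields are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

class Denial(NamedTuple):
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset
    permissive: bool   # permissive=1 means the action was logged but not blocked

def context_type(ctx: str) -> str:
    # A context is user:role:type:range; policy rules are written on the type.
    return ctx.split(":")[2]

def parse_avc(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(context_type(m["scontext"]), context_type(m["tcontext"]),
                  m["tclass"], frozenset(m["perms"].split()),
                  m["permissive"] == "1")

def allow_rules(log_text: str) -> list:
    """Merge denials keyed on (source, target, class) into minimal allow rules."""
    needed = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            key = (d.source_type, d.target_type, d.tclass)
            needed[key] = needed.get(key, frozenset()) | d.perms
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LINES)))
```

Running it on the report's records yields a single rule, `allow sssd_t ipa_otpd_t:process sigkill;`, which matches the scope the PR comment describes; any wider permission set in the output would be a sign the denials were not all from this one interaction.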
FEDORA-2023-a2cd3807b5 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2cd3807b5
FEDORA-2023-a2cd3807b5 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a2cd3807b5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2cd3807b5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-a2cd3807b5 has been pushed to the Fedora 39 stable repository. If the problem still persists, please make note of it in this bug report.