Bug 2331486 - Allow setcap() syscall for 'sssd_selinux_manager_t'
Summary: Allow setcap() syscall for 'sssd_selinux_manager_t'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 41
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-12-10 18:39 UTC by Alexey Tikhonov
Modified: 2024-12-20 13:39 UTC (History)

Fixed In Version: selinux-policy-41.27-1.fc41
Clone Of:
Environment:
Last Closed: 2024-12-20 13:39:32 UTC
Type: ---
Embargoed:


Links
System: Github fedora-selinux selinux-policy pull 2469 | Private: 0 | Priority: None | Status: open | Summary: Allow sssd_selinux_manager_t the setcap process permission | Last Updated: 2024-12-10 18:48:58 UTC

Description Alexey Tikhonov 2024-12-10 18:39:48 UTC
This is a clone of upstream request https://github.com/fedora-selinux/selinux-policy/issues/2455

SSSD was reworked to not rely on effective capabilities but to raise a permitted capability when needed, and drop it completely when not needed anymore (specific PR that triggered this ticket - https://github.com/SSSD/sssd/pull/7731)

This approach conflicts with current `sssd_selinux_manager_t` policy:
"""
**type=AVC** msg=audit(1733309927.245:4711): avc:  **denied  { setcap }** for  pid=43967 comm="selinux_child" **scontext=system_u:system_r:sssd_selinux_manager_t:s0** tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1
**type=SYSCALL** msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd"
**type=CAPSET** msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0
"""

Relevant policy that needs to be fixed:
https://github.com/fedora-selinux/selinux-policy/blob/8dfcddb1f7227bbdf98776f795be53cf50734b04/policy/modules/contrib/sssd.te#L283

This change will land in Fedora 41+ (https://bodhi.fedoraproject.org/updates/FEDORA-2024-5afdb12065, https://bodhi.fedoraproject.org/updates/FEDORA-2024-61dea2e6ce) and C10S soon.

Reproducible: Always
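The raise-on-demand pattern the report describes, as an added example that is not SSSD's or selinux-policy's own code: a process keeps a capability only in its permitted set, copies it into the effective set right before the privileged operation via the raw capset() syscall (syscall 126 in the SYSCALL record above), and clears it again afterwards. It assumes Linux with glibc and <linux/capability.h>; the helper names (effective_raise, effective_drop, set_effective) are hypothetical, and the masks 0xc0 / 0x80 are the cap_pp / cap_pe values from the CAPSET record.

```c
// Added example, not code from SSSD or selinux-policy. Shows the
// permitted -> effective raise/drop that triggers the `setcap` process
// permission check under SELinux. Linux only (raw capget/capset syscalls).
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* New effective mask after raising `cap`, or -1 if `cap` is not in the
   permitted set (the kernel would then reject capset() with EPERM). */
static int64_t effective_raise(uint64_t permitted, uint64_t effective, int cap)
{
    uint64_t bit = 1ULL << cap;
    if (!(permitted & bit))
        return -1;
    return (int64_t)(effective | bit);
}

/* Effective mask with `cap` cleared again once the privileged step is done. */
static uint64_t effective_drop(uint64_t effective, int cap)
{
    return effective & ~(1ULL << cap);
}

/* Replace only the effective set of the calling thread; permitted and
   inheritable are read back via capget() and written unchanged.
   Returns 0 on success, otherwise -errno. */
static int set_effective(uint64_t eff)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    data[0].effective = (uint32_t)eff;          /* caps 0..31  */
    data[1].effective = (uint32_t)(eff >> 32);  /* caps 32..63 */
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -errno;
}

int main(void)
{
    /* Values from the report: permitted 0xc0 = CAP_SETGID|CAP_SETUID,
       effective raised from 0 to 0x80 = CAP_SETUID, then dropped. */
    int64_t eff = effective_raise(0xc0, 0, CAP_SETUID);
    printf("effective after raise: 0x%llx\n", (long long)eff);
    int rc = set_effective((uint64_t)eff);   /* -EPERM unless we hold it */
    printf("capset rc=%d; after drop: 0x%llx\n", rc,
           (unsigned long long)effective_drop((uint64_t)eff, CAP_SETUID));
    return 0;
}
```

Run it under an identity that already holds CAP_SETUID in its permitted set to see capset() succeed; with SELinux enforcing, the same call is what `sssd_selinux_manager_t` needs the `setcap` process permission for.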

Comment 1 Fedora Update System 2024-12-18 08:57:54 UTC
FEDORA-2024-98cb37f64a (selinux-policy-41.27-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-98cb37f64a

Comment 2 Fedora Update System 2024-12-19 03:58:07 UTC
FEDORA-2024-98cb37f64a has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-98cb37f64a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-98cb37f64a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2024-12-20 13:39:32 UTC
FEDORA-2024-98cb37f64a (selinux-policy-41.27-1.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make note of it in this bug report.

