selinux-policy/backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch

From 80e7516c09c41c989176947265df41e39e94a31a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Jan 2022 17:15:56 +0100
Subject: [PATCH] Allow sssd_kcm read and write z90crypt device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/80e7516c09c41c989176947265df41e39e94a31a
Conflict: NA

This permission is required on s390x systems with the Crypto Express
adapter card. The z90crypt device driver acts as the interface to the
PCI cryptography hardware and performs asynchronous encryption
operations (RSA) as used during the SSL handshake.

Addresses the following AVC denial:
PROCTITLE msg=audit(26.11.2021 17:43:18.641:78) : proctitle=/usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files
type=AVC msg=audit(26.11.2021 17:43:18.641:78) : avc:  denied  { read write } for  pid=1724 comm=sssd_kcm name=z90crypt dev="devtmpfs" ino=111 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(26.11.2021 17:43:18.641:78) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffa56906e6 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=1724 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_kcm exe=/usr/libexec/sssd/sssd_kcm subj=system_u:system_r:sssd_t:s0 key=(null)

Resolves: rhbz#2026974
Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/contrib/sssd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index b510dca..e5c8673 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -106,6 +106,7 @@ corecmd_exec_bin(sssd_t)
 
 dev_read_urand(sssd_t)
 dev_read_sysfs(sssd_t)
+dev_rw_crypto(sssd_t)
 
 domain_read_all_domains_state(sssd_t)
 domain_obj_id_change_exemption(sssd_t)
-- 
1.8.3.1
update upstream patches 2022-09-13 19:52:03 +08:00			`From 80e7516c09c41c989176947265df41e39e94a31a Mon Sep 17 00:00:00 2001`
			`From: Zdenek Pytela <zpytela@redhat.com>`
			`Date: Mon, 10 Jan 2022 17:15:56 +0100`
			`Subject: [PATCH] Allow sssd_kcm read and write z90crypt device`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/80e7516c09c41c989176947265df41e39e94a31a`
			`Conflict: NA`

			`This permission is required on s390x systems with the Crypto Express`
			`adapter card. The z90crypt device driver acts as the interface to the`
			`PCI cryptography hardware and performs asynchronous encryption`
			`operations (RSA) as used during the SSL handshake.`

			`Addresses the following AVC denial:`
			`PROCTITLE msg=audit(26.11.2021 17:43:18.641:78) : proctitle=/usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files`
			`type=AVC msg=audit(26.11.2021 17:43:18.641:78) : avc: denied { read write } for pid=1724 comm=sssd_kcm name=z90crypt dev="devtmpfs" ino=111 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0`
			`type=SYSCALL msg=audit(26.11.2021 17:43:18.641:78) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffa56906e6 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=1724 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_kcm exe=/usr/libexec/sssd/sssd_kcm subj=system_u:system_r:sssd_t:s0 key=(null)`

			`Resolves: rhbz#2026974`
			`Signed-off-by: lujie54 <lujie54@huawei.com>`
			`---`
			`policy/modules/contrib/sssd.te \| 1 +`
			`1 file changed, 1 insertion(+)`

			`diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te`
			`index b510dca..e5c8673 100644`
			`--- a/policy/modules/contrib/sssd.te`
			`+++ b/policy/modules/contrib/sssd.te`
			`@@ -106,6 +106,7 @@ corecmd_exec_bin(sssd_t)`

			`dev_read_urand(sssd_t)`
			`dev_read_sysfs(sssd_t)`
			`+dev_rw_crypto(sssd_t)`

			`domain_read_all_domains_state(sssd_t)`
			`domain_obj_id_change_exemption(sssd_t)`
			`--`
			`1.8.3.1`