From 80e7516c09c41c989176947265df41e39e94a31a Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Mon, 10 Jan 2022 17:15:56 +0100 Subject: [PATCH] Allow sssd_kcm read and write z90crypt device MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/80e7516c09c41c989176947265df41e39e94a31a Conflict: NA This permission is required on s390x systems with the Crypto Express adapter card. The z90crypt device driver acts as the interface to the PCI cryptography hardware and performs asynchronous encryption operations (RSA) as used during the SSL handshake. Addresses the following AVC denial: PROCTITLE msg=audit(26.11.2021 17:43:18.641:78) : proctitle=/usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files type=AVC msg=audit(26.11.2021 17:43:18.641:78) : avc: denied { read write } for pid=1724 comm=sssd_kcm name=z90crypt dev="devtmpfs" ino=111 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0 type=SYSCALL msg=audit(26.11.2021 17:43:18.641:78) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffa56906e6 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=1724 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_kcm exe=/usr/libexec/sssd/sssd_kcm subj=system_u:system_r:sssd_t:s0 key=(null) Resolves: rhbz#2026974 Signed-off-by: lujie54 --- policy/modules/contrib/sssd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te index b510dca..e5c8673 100644 --- a/policy/modules/contrib/sssd.te +++ b/policy/modules/contrib/sssd.te @@ -106,6 +106,7 @@ corecmd_exec_bin(sssd_t) dev_read_urand(sssd_t) dev_read_sysfs(sssd_t) +dev_rw_crypto(sssd_t) domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) -- 1.8.3.1