Allow sssd io_uring sqpoll permission

In the d2c31f429b libuv commit ("linux: introduce io_uring support", libuv/libuv@d2c31f429b) support for io_uring was added which requires the sqpoll SELinux permissions for services linked with libuv or executing a non-confined command (e. g. /usr/bin/nsupdate) which is linked with libuv. The commit addresses the following AVC denial: type=AVC msg=audit(1689629587.147:175): avc: denied { sqpoll } for pid=3950 comm="nsupdate" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=io_uring permissive=0 Resolves: rhbz#2241105
fedora-selinux · Sep 29, 2023 · 0647928 · 0647928
1 parent 0b67d4d
commit 0647928
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
@@ -61,6 +61,7 @@ role system_r types sssd_selinux_manager_t;
 allow sssd_t self:capability { dac_override ipc_lock chown dac_read_search  kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
 allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid setcap};
 allow sssd_t self:fifo_file rw_fifo_file_perms;
+allow sssd_t self:io_uring sqpoll;
 allow sssd_t self:key manage_key_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };