Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t

The sssd service uses SIGKILL to communicate between different components, in this case sssd_pam, running in the sssd_t domain, and passkey_child, running in the ipa_otpd_t domain. This commit addresses the following AVC denial: type=AVC msg=audit(1695299812.149:579): avc: denied { sigkill } for pid=940 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1 Resolves: rhbz#2240193
zpytela · Sep 29, 2023 · 563a86a · 563a86a
1 parent c0ce82d
commit 563a86a
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/policy/modules/contrib/ipa.if b/policy/modules/contrib/ipa.if
@@ -40,6 +40,27 @@ ifndef(`ipa_stream_connect_otpd',`
 	')
 ')
 
+########################################
+## <summary>
+##	Send sigkill to ipa-otpd.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+ifndef(`ipa_sigkill_otpd',`
+	interface(`ipa_sigkill_otpd',`
+		gen_require(`
+			type ipa_otpd_t;
+		')
+
+		allow $1 ipa_otpd_t:process sigkill;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Connect to ipa-ods-exporter over a unix stream socket.

diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
@@ -241,6 +241,10 @@ optional_policy(`
 	ica_rw_map_tmpfs_files(sssd_t)
 ')
 
+optional_policy(`
+	ipa_sigkill_otpd(sssd_t)
+')
+
 optional_policy(`
 	ldap_stream_connect(sssd_t)
 	ldap_read_certs(sssd_t)