From 563a86a2874ac9dbe2762788c01d72d1030df5c7 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Fri, 29 Sep 2023 13:26:05 +0200 Subject: [PATCH] Allow sssd send SIGKILL to passkey_child running in ipa_otpd_t The sssd service uses SIGKILL to communicate between different components, in this case sssd_pam, running in the sssd_t domain, and passkey_child, running in the ipa_otpd_t domain. This commit addresses the following AVC denial: type=AVC msg=audit(1695299812.149:579): avc: denied { sigkill } for pid=940 comm="sssd_pam" scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:ipa_otpd_t:s0 tclass=process permissive=1 Resolves: rhbz#2240193 --- policy/modules/contrib/ipa.if | 21 +++++++++++++++++++++ policy/modules/contrib/sssd.te | 4 ++++ 2 files changed, 25 insertions(+) diff --git a/policy/modules/contrib/ipa.if b/policy/modules/contrib/ipa.if index 4c3a1fc02f..125062ede8 100644 --- a/policy/modules/contrib/ipa.if +++ b/policy/modules/contrib/ipa.if @@ -40,6 +40,27 @@ ifndef(`ipa_stream_connect_otpd',` ') ') +######################################## +## +## Send sigkill to ipa-otpd. +## +## +## +## Domain allowed access. +## +## +# +# +ifndef(`ipa_sigkill_otpd',` + interface(`ipa_sigkill_otpd',` + gen_require(` + type ipa_otpd_t; + ') + + allow $1 ipa_otpd_t:process sigkill; + ') +') + ######################################## ## ## Connect to ipa-ods-exporter over a unix stream socket. diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te index 53d08a80fa..0592316b37 100644 --- a/policy/modules/contrib/sssd.te +++ b/policy/modules/contrib/sssd.te @@ -241,6 +241,10 @@ optional_policy(` ica_rw_map_tmpfs_files(sssd_t) ') +optional_policy(` + ipa_sigkill_otpd(sssd_t) +') + optional_policy(` ldap_stream_connect(sssd_t) ldap_read_certs(sssd_t)
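Review bot: in the ipa.if hunk the interface's doc block reads `## Send sigkill to ipa-otpd.` and `## Domain allowed access.` with no `<summary>` or `<param name="domain">` elements visible around them; if that is how the file looks rather than an extraction artifact, segenxml will not pick the description up, so wrap the two comments in the usual refpolicy XML tags as the neighbouring interfaces do. The summary also names only ipa-otpd, while the commit message says the process actually being killed is passkey_child running in the ipa_otpd_t domain; saying that the domain covers passkey_child would spare the next reader a trip to the commit log. The rule itself, `allow $1 ipa_otpd_t:process sigkill;`, is the minimum that matches the denied permission, and the `ifndef(`ipa_sigkill_otpd',` guard follows the existing `ipa_stream_connect_otpd` definition in the surrounding context.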
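Review bot: the new `optional_policy(` block in the sssd.te hunk holds a single call, `ipa_sigkill_otpd(sssd_t)`, placed between the `ica_` and `ldap_` blocks, which keeps the file's alphabetical ordering; before merging, check whether sssd.te already has an `optional_policy` block calling other `ipa_*` interfaces (the ipa.if context shows `ipa_stream_connect_otpd` exists) and, if so, fold this call into that block rather than adding a second ipa block. Granting the permission to all of sssd_t rather than to sssd_pam alone is the only option here, since the commit message places sssd_pam in the sssd_t domain, so there is no narrower domain to target without a larger policy change.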