
lixiao/selinux-policy

backport-Allow-gssproxy-read-and-write-z90crypt-device.patch 1.97 KB
lujie54 committed on 2022-09-13 19:52 +08:00 . update upstream patches
From d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Jan 2022 17:18:30 +0100
Subject: [PATCH] Allow gssproxy read and write z90crypt device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b
Conflict: NA
This permission is required on s390x systems with the Crypto Express
adapter card. The z90crypt device driver acts as the interface to the
PCI cryptography hardware and performs asynchronous encryption
operations (RSA) as used during the SSL handshake.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(26.11.2021 17:43:04.211:26) : proctitle=/usr/sbin/gssproxy -D
type=AVC msg=audit(26.11.2021 17:43:04.211:26) : avc: denied { read write } for pid=859 comm=gssproxy name=icastats_0 dev="tmpfs" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(26.11.2021 17:43:04.211:26) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffdec7c2fb a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x180 items=0 ppid=1 pid=859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gssproxy exe=/usr/sbin/gssproxy subj=system_u:system_r:gssproxy_t:s0 key=(null)
Resolves: rhbz#2026974
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/gssproxy.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
index 18d08d1..872079f 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -52,6 +52,7 @@ fs_getattr_all_fs(gssproxy_t)
auth_use_nsswitch(gssproxy_t)
dev_read_urand(gssproxy_t)
+dev_rw_crypto(gssproxy_t)
logging_send_syslog_msg(gssproxy_t)
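Review bot: The added `dev_rw_crypto(gssproxy_t)` line does not obviously match the denial quoted in the commit message. The AVC is `{ read write }` on `name=icastats_0 dev="tmpfs"` with `tcontext=system_u:object_r:ica_tmpfs_t:s0 tclass=file`, which is a regular file on tmpfs, whereas the subject line and the interface name refer to the z90crypt device. Please either quote the denial against the crypto device that this line resolves, or state where access to `ica_tmpfs_t` is granted, so a reader can confirm that the rule grants no more than the denial requires and that the quoted denial actually goes away.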
--
1.8.3.1