Allow sssd_selinux_manager_t the setcap process permission

[zpytela]

SSSD is being reworked [1] to not rely on effective capabilities but to raise a permitted capability when needed, and drop it completely when not needed anymore.
[1] SSSD/sssd#7731

The commit addresses the following AVC denial:
type=AVC msg=audit(1733309927.245:4711): avc: denied { setcap } for pid=43967 comm="selinux_child" scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1 type=SYSCALL msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd" type=CAPSET msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0

Resolves: #2455
Resolves: rhbz#2331486

[zpytela]

Thanks for spotting this. Just an effect of senseless haste.

[alexey-tikhonov]

@zpytela, fedora-41 build failed with No match for argument: checkpolicy >= 3.8. Is this expected?

I have a f-41 test env at hand, so could give a build a try.

[zpytela]

@alexey-tikhonov F41 and F42 policies are the same, but packages require different settings, github actions need to be fixed

[alexey-tikhonov]

Well, when I run audit2allow I get the same output as in this patch.

[alexey-tikhonov]

Well, when I run audit2allow I get the same output as in this patch.

I tried manually and, of course, this works.

@zpytela, it would be great to get this to F41/Rawhide/C10S :)

[zpytela]

It will be in the next build this week.