bluetooth on FC5: Working policies for bluez-pin & kbluepin

Ok,
after all the noise I made on the list, here's my contribution:
I've made two policies to allow kdebluetooth to work with SELinux.
One is for when using the bluez-pin helper for pairing, the other one is for when using the kdebluepin pairing program.

You still have to manually create and label the /var/lib/bluetooth directory in order for this to work:
mkdir -p /var/lib/bluetooth/
chcon system_u:object_r:bluetooth_var_lib_t /var/lib/bluetooth

Then select the policy you want and run:

checkmodule -M -m -o policyname.mod policyname.te
semodule_package -o policyname.pp -m policyname.mod
semodule -i policyname.pp

Hope this helps!


Charles-Edouard Ruault wrote:
Hi All,

I've compiled and installed kdebluetooth on my Fedora ppc distro. I'm trying to get the stuff working and I'm getting the following problems related to SELinux:

When I want to browse a device which is not yet paired with the laptop I'm getting errors, because hcid is denied a few filesystem operations:

audit(1146044994.917:786): avc: denied { create } for pid=1836 comm="hcid" name="bluetooth" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir

I've then straced hcid and found out that it's trying to create a directory /var/lib/bluetooth and that this operation is being denied (thus the above log).
I've manually created the directory:
mkdir -p /var/lib/bluetooth/
and then
chcon system_u:object_r:bluetooth_var_lib_t bluetooth

and now everything's fine.
So I guess two things could be done in order to fix this:

1) allow hcid to create a dir in /var/lib (i.e. add this to the policy: allow bluetooth_t var_lib_t:dir create;)
2) during installation of the bluetooth packages, create the /var/lib/bluetooth directory and tag it properly.



--
Charles-Edouard Ruault
GPG key Id E4D2B80C

# Policy file to allow kbluepin to function correctly.
# Addition to fedora selinux-policy-targeted-2.2.29-3.fc5
# Author Charles-Edouard Ruault <ce at ruault.com> 04-26-2006
module kbluepin 1.3;

require {
	class dir { getattr read search }; 
	class lnk_file { getattr read }; 
	class capability { dac_override dac_read_search };
	class sock_file { read write };

	type bluetooth_helper_t; 
	type ice_tmp_t; 
	type public_content_t; 
	type sbin_t; 
	type user_home_t; 
	type var_lib_t; 
	type var_t; 
	type var_spool_t; 
	type xserver_log_t; 
};

allow bluetooth_helper_t self:capability { dac_override dac_read_search };
allow bluetooth_helper_t ice_tmp_t:dir search;
allow bluetooth_helper_t public_content_t:dir getattr;
allow bluetooth_helper_t public_content_t:dir read;
allow bluetooth_helper_t sbin_t:dir getattr;
allow bluetooth_helper_t sbin_t:dir read;
allow bluetooth_helper_t user_home_t:lnk_file { getattr read };
allow bluetooth_helper_t var_lib_t:dir search;
allow bluetooth_helper_t var_lib_t:dir read;
allow bluetooth_helper_t var_t:dir search;
allow bluetooth_helper_t var_t:dir read;
allow bluetooth_helper_t xserver_log_t:dir getattr;
allow bluetooth_helper_t xserver_log_t:dir read;
allow bluetooth_helper_t ice_tmp_t:sock_file write;

# Policy file to allow bluez-pin to function correctly.
# Addition to fedora selinux-policy-targeted-2.2.29-3.fc5
# Author Charles-Edouard Ruault <ce at ruault.com> 04-26-2006

module bluezpin 1.1;

require {
	class capability { dac_override dac_read_search }; 
	class dir { read search }; 

	type bluetooth_helper_t; 
	type bluetooth_t; 
	type home_root_t; 
	type httpd_sys_content_t; 
	type named_zone_t; 
	type public_content_t; 
	type sbin_t; 
	type var_lib_t; 
	type var_spool_t; 
	type var_t; 
	type xserver_log_t; 
};

allow bluetooth_helper_t self:capability { dac_override dac_read_search };
allow bluetooth_helper_t public_content_t:dir read;
allow bluetooth_helper_t sbin_t:dir read;
allow bluetooth_helper_t var_lib_t:dir search;
allow bluetooth_helper_t var_t:dir read;
allow bluetooth_helper_t xserver_log_t:dir read;
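Added example, not part of the thread or of the policy files above: a small Python helper that turns AVC denial lines in the FC5 audit format (like the hcid denial quoted in the original mail) into the `allow` rules a .te module would carry, and flags the broad capability grants (dac_override / dac_read_search) that both modules hand to bluetooth_helper_t, so a reviewer can weigh adding a rule against fixing the label as option 2 proposes. The second and third sample lines are constructed for illustration, not taken from a real audit log.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the hcid denial quoted in the thread,
# lines 2 and 3 are made-up denials in the same format for bluez-pin.
SAMPLE_AVC = """\
audit(1146044994.917:786): avc: denied { create } for pid=1836 comm="hcid" name="bluetooth" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
audit(1146044995.120:787): avc: denied { search read } for pid=1840 comm="bluez-pin" name="lib" scontext=system_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
audit(1146044995.130:788): avc: denied { dac_override } for pid=1840 comm="bluez-pin" scontext=system_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:system_r:bluetooth_helper_t:s0 tclass=capability
"""

# Matches the permission set and the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that bypass DAC entirely; worth a second look before granting.
BROAD_PERMS = {("capability", "dac_override"), ("capability", "dac_read_search")}

def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scontext").split(":")[2]   # user:role:type:level -> type
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())

def denials_to_rules(text):
    """Merge denials per (source, target, class) and render .te allow rules."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(perms))
        perm_str = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules

def broad_grants(text):
    """Return (source_type, permission) pairs that would grant DAC bypass."""
    return sorted({(s, p) for s, _, c, ps in parse_avc(text)
                   for p in ps if (c, p) in BROAD_PERMS})

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_AVC)))
    print("review before granting:", broad_grants(SAMPLE_AVC))
```

For the quoted hcid denial this yields exactly the rule from option 1 in the thread; whether to add it or to pre-create and label /var/lib/bluetooth (option 2) remains the reviewer's call.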
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
