Hi Naga,
On Wed, May 22, 2024 at 2:46 AM Naga Bhavani Akella
<quic_nakella@xxxxxxxxxxx> wrote:
>
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc: denied { read write } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc: denied { getattr } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc: denied { read write } for pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx>
> ---
> policy/modules/apps/pulseaudio.te | 2 +-
> policy/modules/services/bluetooth.if | 23 +++++++++++++++++++++++
> policy/modules/services/dbus.te | 2 +-
> policy/modules/services/obex.te | 2 +-
> 4 files changed, 26 insertions(+), 3 deletions(-)
Where is this coming from? I don't think we even have a policy folder,
and this might be an are where the distros want to have their own
policies so I'm not sure if we shall have this upstream, or perhaps
this is just for reference?
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..42ed3a1d2 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -193,7 +193,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - bluetooth_stream_connect(pulseaudio_t)
> + bluetooth_use(pulseaudio_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..edead1fa1 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,29 @@ interface(`bluetooth_stream_connect',`
> stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
> ')
>
> +#####################################
> +## <summary>
> +## Connect to bluetooth over a unix domain
> +## stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`bluetooth_use',`
> + gen_require(`
> + type bluetooth_t, bluetooth_runtime_t;
> + ')
> +
> + files_search_runtime($1)
> + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> + allow $1 bluetooth_t:unix_stream_socket { connectto rw_socket_perms };
> + allow $1 bluetooth_t:fd use;
> + bluetooth_stream_connect($1);
> +')
> +
> ########################################
> ## <summary>
> ## Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..855ce86bd 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -265,7 +265,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - bluetooth_stream_connect(system_dbusd_t)
> + bluetooth_use(system_dbusd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..5e2f20578 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
> userdom_search_user_home_content(obex_t)
>
> optional_policy(`
> - bluetooth_stream_connect(obex_t)
> + bluetooth_use(obex_t)
> ')
>
> optional_policy(`
> --
>
--
Luiz Augusto von Dentz
