Hi Wu, > Recent bluez5 releases started limiting the capabilities of > bluetoothd. When running on a Smack-enabled system, that change has the > effect that bluetoothd can no longer create the input device under > /sys because bluez5 running with label "System" has no write > access to that. > > It works when running as normal root with unrestricted capabilities > because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows > the process to ignore Smack rules. > > We need to ensure that bluetoothd still has that capability. > --- > src/bluetooth.service.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/bluetooth.service.in b/src/bluetooth.service.in > index f799f65..1b0fead 100644 > --- a/src/bluetooth.service.in > +++ b/src/bluetooth.service.in > @@ -10,7 +10,7 @@ ExecStart=@libexecdir@/bluetoothd > NotifyAccess=main > #WatchdogSec=10 > #Restart=on-failure > -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE > +CapabilityBoundingSet=CAP_MAC_OVERRIDE CAP_NET_ADMIN CAP_NET_BIND_SERVICE this looks like the big hammer approach. I think if this is needed, then the Smack policies are just wrong. Why not fix them instead of punching such a big hole into it. Regards Marcel -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
