Required for using acquire-notify, acquire-write options (Gatt Client) and Sending notifications (Gatt Server) Below are the avc denials that are fixed with this patch - 1. audit: type=1400 audit(1651238006.276:496): avc: denied { read write } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 2. audit: type=1400 audit(1651238006.276:497): avc: denied { getattr } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 3. audit: type=1400 audit(1651238006.272:495): avc: denied { read write } for pid=689 comm="dbus-daemon" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 4. audit: type=1400 audit(315966559.395:444): avc: denied { use } for pid=710 comm="dbus-daemon" path="socket:[13196]" dev="sockfs" ino=13196 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0 5. audit: type=1400 audit(315999854.939:523): avc: denied { read write } for pid=812 comm="dbus-daemon" path="socket:[99469]" dev="sockfs" ino=99469 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx> --- policy/modules/apps/pulseaudio.te | 1 + policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++ policy/modules/services/dbus.te | 1 + policy/modules/services/obex.te | 1 + 4 files changed, 25 insertions(+) diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 65b9a7428..9bf69bedc 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -194,6 +194,7 @@ optional_policy(` optional_policy(` bluetooth_stream_connect(pulseaudio_t) + bluetooth_socket_connect(pulseaudio_t) ') optional_policy(` diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index c7e1c3f14..dd26d95f4 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',` stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) ') +##################################### +## <summary> +## Connect to bluetooth over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`bluetooth_socket_connect',` + gen_require(` + type bluetooth_t, bluetooth_runtime_t; + ') + + files_search_runtime($1) + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms; + allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms }; + allow $1 bluetooth_t:fd use; +') + ######################################## ## <summary> ## Execute bluetooth in the bluetooth domain. diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 2d1d09d71..301c81aa5 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -266,6 +266,7 @@ optional_policy(` optional_policy(` bluetooth_stream_connect(system_dbusd_t) + bluetooth_socket_connect(system_dbusd_t) ') optional_policy(` diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te index 6686edb37..edbdc7ecf 100644 --- a/policy/modules/services/obex.te +++ b/policy/modules/services/obex.te @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t) optional_policy(` bluetooth_stream_connect(obex_t) + bluetooth_socket_connect(obex_t) ') optional_policy(` --