Re: [PATCH v2] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

[Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx>]

hi Chris PeBenito,

>> In that case, then a new interface with a more abstract name would be warranted.
>As per your suggestion on patch v1 added new interface bluetooth_socket_connect,
Could you please let us know alternate name if this is not appropriate.

>> Yes, the point is that we probably need a bluetoothctl_t domain so the configuration can be done only via the bluetoothctl process, not just any initrc_t process.  The existing bluetooth_helper_t domain may possibly be renamed/retrofitted for this purpose.
>We tried adding bluetooth_helper_t domain for bluetoothctl using
"/usr/bin/bluetoothctl	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)"
but it was running in initrc_t context as shown when"ps -eZ | grep bluetoothctl" is run.
Trying to check internally the cause of this issue, hence removed that change in the current patch.
Could you help us with this issue if it is already known.

On 5/21/2024 2:13 PM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
> 
> Below are the avc denials that are fixed with this patch -
> 
> 1. audit: type=1400 audit(1651238006.276:496):
> avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc:  denied  { use } for  pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
> 
> Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx>
> ---
>  policy/modules/apps/pulseaudio.te    |  1 +
>  policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++
>  policy/modules/services/dbus.te      |  1 +
>  policy/modules/services/obex.te      |  1 +
>  4 files changed, 25 insertions(+)
> 
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..9bf69bedc 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -194,6 +194,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	bluetooth_stream_connect(pulseaudio_t)
> +	bluetooth_socket_connect(pulseaudio_t)
>  ')
>  
>  optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..dd26d95f4 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',`
>  	stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
>  ')
>  
> +#####################################
> +## <summary>
> +##	Connect to bluetooth over a unix domain
> +##	stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`bluetooth_socket_connect',`
> +	gen_require(`
> +		type bluetooth_t, bluetooth_runtime_t;
> +	')
> +
> +	files_search_runtime($1)
> +	allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> +	allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };
> +	allow $1 bluetooth_t:fd use;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..301c81aa5 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -266,6 +266,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	bluetooth_stream_connect(system_dbusd_t)
> +	bluetooth_socket_connect(system_dbusd_t)
>  ')
>  
>  optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..edbdc7ecf 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t)
>  
>  optional_policy(`
>  	bluetooth_stream_connect(obex_t)
> +	bluetooth_socket_connect(obex_t)
>  ')
>  
>  optional_policy(`