On 6/5/2024 7:23 AM, Amisha Jain wrote:
Resolve selinux premission for HID
Below avc denials that are fixed with this patch -
avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Amisha Jain <quic_amisjain@xxxxxxxxxxx>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/services/bluetooth.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d8a5c97df..6e0a9499e 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5858,3 +5858,21 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
+
+#####################
+## <summary>
+## Allow open/read/write uhid device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed rw to uhid device
+## to communicate with uhid input node
+## </summary>
+## </param>
+#
+interface(`dev_rw_uhid',`
+ gen_require(`
+ type uhid_device_t;
+ ')
+ allow $1 uhid_device_t:chr_file rw_chr_file_perms ;
+')
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index f23a979de..0cbff0714 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -104,6 +104,7 @@ dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
dev_rw_wireless(bluetooth_t)
+dev_rw_uhid(bluetooth_t)
domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
Merged.
--
Chris PeBenito
