On 6/21/2024 11:34 PM, Chris PeBenito wrote:
> On 6/20/2024 10:47 AM, Naga Bhavani Akella wrote:
>> Required for fixing the below avc denials -
>>
>> 1. audit: type=1400 audit(1651238006.276:496):
>> avc: denied { read write } for pid=2165 comm="bluetoothd"
>> path="socket:[43207]" dev="sockfs" ino=43207
>> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>> tclass=unix_stream_socket permissive=1
>> 2. audit: type=1400 audit(1651238006.276:497):
>> avc: denied { getattr } for pid=2165 comm="bluetoothd"
>> path="socket:[43207]" dev="sockfs" ino=43207
>> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>> tclass=unix_stream_socket permissive=1
>> 3. audit: type=1400 audit(1651238006.272:495):
>> avc: denied { read write } for pid=689 comm="dbus-daemon"
>> path="socket:[43207]" dev="sockfs" ino=43207
>> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
>> tclass=unix_stream_socket permissive=1
>> 4. audit[1894]: AVC avc: denied { read write } for pid=1894
>> comm="bluetoothctl" path="/dev/pts/0" dev="devpts" ino=3
>> scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
>> tcontext=system_u:object_r:initrc_devpts_t:s0
>> tclass=chr_file permissive=0
>
> This denial is a bit surprising. The common case for initrc_devpts_t is for a service being started interactively using run_init. Is this a sysvinit (or some init other than systemd)?
bluetoothctl is an interactive command line application used for bluetooth functionality. We are starting bluetoothctl manually, it's not being started by systemd, sysvinit or any other init routine.
>
>
>> 5. audit[2022]: AVC avc: denied { use } for pid=2022
>> comm="bluetoothctl" path="socket:[25769]" dev="sockfs" ino=25769
>> scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tclass=fd permissive=0
>> 6. audit[2006]: AVC avc: denied { read write } for pid=2006
>> comm="bluetoothctl" path="socket:[21106]" dev="sockfs" ino=21106
>> scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
>> tclass=unix_stream_socket permissive=0
>>
>> Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx>
>> ---
>> policy/modules/services/bluetooth.fc | 1 +
>> policy/modules/services/bluetooth.te | 4 ++++
>> 2 files changed, 5 insertions(+)
>>
>> diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
>> index e167e93f7..6067df4b8 100644
>> --- a/policy/modules/services/bluetooth.fc
>> +++ b/policy/modules/services/bluetooth.fc
>> @@ -7,6 +7,7 @@
>> /usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
>> /usr/bin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
>> +/usr/bin/bluetoothctl -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
>> /usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
>> /usr/bin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
>> /usr/bin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
>> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
>> index 0cbff0714..4bd2179a9 100644
>> --- a/policy/modules/services/bluetooth.te
>> +++ b/policy/modules/services/bluetooth.te
>> @@ -19,6 +19,8 @@ files_type(bluetooth_conf_rw_t)
>> type bluetooth_helper_t;
>> type bluetooth_helper_exec_t;
>> +init_system_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
>> +init_use_script_ptys(bluetooth_helper_t)
>
> This pty line should go down in the local policy section. The system domain line placement is correct.
Done
>
>> userdom_user_application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
>> role bluetooth_helper_roles types bluetooth_helper_t;
>> @@ -176,6 +178,8 @@ allow bluetooth_helper_t self:shm create_shm_perms;
>> allow bluetooth_helper_t self:unix_stream_socket { accept connectto listen };
>> allow bluetooth_helper_t bluetooth_t:socket { read write };
>> +allow bluetooth_helper_t bluetooth_t:fd use;
>> +allow bluetooth_helper_t bluetooth_t:unix_stream_socket rw_socket_perms;
>> manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
>> manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
>
