Re: [PATCH v2] Setting bluetooth helper domain for bluetoothctl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 6/24/2024 7:09 AM, Naga Bhavani Akella wrote:
     Required for fixing the below avc denials -

     1. audit: type=1400 audit(1651238006.276:496):
     avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
     path="socket:[43207]" dev="sockfs" ino=43207
     scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
     tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
     tclass=unix_stream_socket permissive=1
     2. audit: type=1400 audit(1651238006.276:497):
     avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
     path="socket:[43207]" dev="sockfs" ino=43207
     scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
     tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
     tclass=unix_stream_socket permissive=1
     3. audit: type=1400 audit(1651238006.272:495):
     avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
     path="socket:[43207]" dev="sockfs" ino=43207
     scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
     tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
     tclass=unix_stream_socket permissive=1
     4. audit[1894]: AVC avc:  denied  { read write } for  pid=1894
     comm="bluetoothctl" path="/dev/pts/0" dev="devpts" ino=3
     scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
     tcontext=system_u:object_r:initrc_devpts_t:s0
     tclass=chr_file permissive=0
     5. audit[2022]: AVC avc:  denied  { use } for  pid=2022
     comm="bluetoothctl" path="socket:[25769]" dev="sockfs" ino=25769
     scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
     tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
     tclass=fd permissive=0
     6. audit[2006]: AVC avc:  denied  { read write } for  pid=2006
     comm="bluetoothctl" path="socket:[21106]" dev="sockfs" ino=21106
     scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
     tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
     tclass=unix_stream_socket permissive=0

     Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx>
---
  policy/modules/services/bluetooth.fc | 1 +
  policy/modules/services/bluetooth.te | 4 ++++
  2 files changed, 5 insertions(+)

diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
index e167e93f7..6067df4b8 100644
--- a/policy/modules/services/bluetooth.fc
+++ b/policy/modules/services/bluetooth.fc
@@ -7,6 +7,7 @@
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
  /usr/bin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
+/usr/bin/bluetoothctl	--	gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
  /usr/bin/dund	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  /usr/bin/hciattach	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
  /usr/bin/hcid	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 0cbff0714..2d59ed603 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -19,6 +19,7 @@ files_type(bluetooth_conf_rw_t)
type bluetooth_helper_t;
  type bluetooth_helper_exec_t;
+init_system_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
  userdom_user_application_domain(bluetooth_helper_t, bluetooth_helper_exec_t)
  role bluetooth_helper_roles types bluetooth_helper_t;
@@ -51,6 +52,7 @@ files_type(bluetooth_var_lib_t)
  # Local policy
  #
+init_use_script_ptys(bluetooth_helper_t)

This should be further down, after auth_use_nsswitch().

Please see https://github.com/SELinuxProject/refpolicy/wiki/StyleGuide


  allow bluetooth_t self:capability { dac_override ipc_lock net_admin net_bind_service net_raw setpcap sys_admin sys_tty_config };
  dontaudit bluetooth_t self:capability sys_tty_config;
  allow bluetooth_t self:process { getcap setcap getsched signal_perms };
@@ -176,6 +178,8 @@ allow bluetooth_helper_t self:shm create_shm_perms;
  allow bluetooth_helper_t self:unix_stream_socket { accept connectto listen };
allow bluetooth_helper_t bluetooth_t:socket { read write };
+allow bluetooth_helper_t bluetooth_t:fd use;
+allow bluetooth_helper_t bluetooth_t:unix_stream_socket rw_socket_perms;
manage_dirs_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
  manage_files_pattern(bluetooth_helper_t, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)

--
Chris PeBenito





[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux