Hi team, Could you please help us review the following changes. On 8/6/2024 3:36 PM, Naga Bhavani Akella wrote: > Below are the avc denials that are resolved - > > 1. AVC avc: denied { use } for pid=916 comm="dbus-daemon" > path="socket:[71126]" dev="sockfs" ino=71126 > scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 > tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 > tclass=fd permissive=0 > > 2. AVC avc: denied { read write } for pid=913 comm="dbus-daemon" > path="socket:[25037]" dev="sockfs" ino=25037 > scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 > tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 > tclass=unix_stream_socket permissive=0 > > 3. AVC avc: denied { use } for pid=910 comm="bluetoothd" > path="socket:[23966]" dev="sockfs" ino=23966 > scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 > tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 > tclass=fd permissive=0 > > 4. AVC avc: denied { read write } for pid=2229 comm="bluetoothd" > path="socket:[27264]" dev="sockfs" ino=27264 > scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 > tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 > tclass=unix_stream_socket permissive=0 > > Signed-off-by: Naga Bhavani Akella <quic_nakella@xxxxxxxxxxx> > --- > policy/modules/services/bluetooth.if | 23 +++++++++++++++++++++++ > policy/modules/services/bluetooth.te | 4 ++++ > policy/modules/services/dbus.te | 1 + > 3 files changed, 28 insertions(+) > > diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if > index bd3dff2ff..1c1526ad1 100644 > --- a/policy/modules/services/bluetooth.if > +++ b/policy/modules/services/bluetooth.if 
> @@ -187,6 +187,29 @@ interface(`bluetooth_dontaudit_read_helper_state',` > dontaudit $1 bluetooth_helper_t:file read_file_perms; > ') > > +##################################### > +## <summary> > +## Connect to bluetooth over a unix domain > +## stream socket. The socket can be used > +## for read and write. This is required for > +# bluetooth helper context. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`bluetooth_helper_use',` > + gen_require(` > + type bluetooth_helper_t; > + ') > + > + files_search_runtime($1) > + allow $1 bluetooth_helper_t:unix_stream_socket rw_socket_perms; > + allow $1 bluetooth_helper_t:fd use; > +') > + > ######################################## > ## <summary> > ## All of the rules required to > diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te > index 534f1b36d..d008252d1 100644 > --- a/policy/modules/services/bluetooth.te > +++ b/policy/modules/services/bluetooth.te > @@ -76,6 +76,10 @@ filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file > allow bluetooth_t bluetooth_lock_t:file manage_file_perms; > files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) > > +optional_policy(` > + bluetooth_helper_use(bluetooth_t) > +') > + > manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) > manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) > files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file }) > diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te > index 672aeddf4..86b88a1d8 100644 > --- a/policy/modules/services/dbus.te > +++ b/policy/modules/services/dbus.te > @@ -266,6 +266,7 @@ optional_policy(` > > optional_policy(` > bluetooth_use(system_dbusd_t) > + bluetooth_helper_use(system_dbusd_t) > ') > > optional_policy(` - Bhavani
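Review bot: in the bluetooth.if hunk, the line `# bluetooth helper context.` inside the `<summary>` block starts with a single `#`, so it is not part of the interface documentation and leaves the XML summary split across a non-doc line; it should read `## bluetooth helper context.` (or be folded into the previous `##` line). The summary also says the caller can "Connect to bluetooth over a unix domain stream socket", but the rules granted are `allow $1 bluetooth_helper_t:unix_stream_socket rw_socket_perms;` and `allow $1 bluetooth_helper_t:fd use;`, i.e. read/write on an inherited helper socket, not connecting to one; please reword the summary to say read and write inherited bluetooth helper stream sockets, and consider a name that follows the neighbouring `bluetooth_dontaudit_read_helper_state` convention, such as `bluetooth_rw_helper_stream_sockets`, instead of the generic `bluetooth_helper_use`. Finally, `files_search_runtime($1)` is not backed by any of the four denials in the commit message, which are all `tclass=fd` `use` and `tclass=unix_stream_socket` `read write`; drop it unless a denial actually requires it.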
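Review bot: in the bluetooth.te hunk, `bluetooth_helper_t` belongs to the bluetooth module itself (the new interface in bluetooth.if pulls it in with `gen_require`), so wrapping `bluetooth_helper_use(bluetooth_t)` in `optional_policy(` ... `)` is unnecessary: optional_policy is for calls into other modules that may be absent, and a module is never optional with respect to its own types. Write the two rules directly next to the other bluetooth_t rules, as `allow bluetooth_t bluetooth_helper_t:unix_stream_socket rw_socket_perms;` and `allow bluetooth_t bluetooth_helper_t:fd use;`, and keep the interface for external callers such as the dbus.te change.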