2024-05-29 13:11:02

by Amisha Jain (QUIC)

[permalink] [raw]
Subject: [PATCH v1] Sepolicy changes for bluez to access uhid

Resolve SELinux permission for HID

Below are the AVC denials that are fixed with this patch:

avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Amisha Jain <[email protected]>
---
policy/modules/services/bluetooth.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index f23a979de..b2d6a9685 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -104,6 +104,7 @@ dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
dev_rw_wireless(bluetooth_t)
+uhid_device_rw(bluetooth_t)

domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
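Review bot: `uhid_device_rw(bluetooth_t)` at the end of this hunk calls an interface that the patch does not define anywhere, so the policy build will reject it, and the name does not follow the pattern of the surrounding calls (`dev_rw_input_dev`, `dev_rw_wireless`), which come from the devices module. The interface should be added to the devices module under that module's naming convention, with a body that grants exactly what the AVC in the commit message asks for (read/write on the `uhid_device_t` chr_file, e.g. `rw_chr_files_pattern($1, device_t, uhid_device_t)`), and this line should call it by that name. If `uhid_device_t` is not already declared in the devices module, the type and its `/dev/uhid` file context need to be added in the same patch, otherwise the new interface's `gen_require` will fail as well.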
--
2.17.1



2024-06-04 13:59:20

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH v1] Sepolicy changes for bluez to access uhid

On 5/29/2024 9:08 AM, Amisha Jain wrote:
> Resolve SELinux permission for HID
>
> Below are the AVC denials that are fixed with this patch:
>
> avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
>
> Signed-off-by: Amisha Jain <[email protected]>
> ---
> policy/modules/services/bluetooth.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
> index f23a979de..b2d6a9685 100644
> --- a/policy/modules/services/bluetooth.te
> +++ b/policy/modules/services/bluetooth.te
> @@ -104,6 +104,7 @@ dev_rw_generic_usb_dev(bluetooth_t)
> dev_read_urand(bluetooth_t)
> dev_rw_input_dev(bluetooth_t)
> dev_rw_wireless(bluetooth_t)
> +uhid_device_rw(bluetooth_t)

This interface doesn't exist in refpolicy. It would need to be in the
devices module, probably named "device_rw_uhid".

--
Chris PeBenito
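The following is an added example of what the reply asks for, written for this page and not taken from the submitted patch or from the refpolicy tree. It uses the interface name suggested in the reply, `device_rw_uhid`; whether the final name carries the `dev_` prefix used by the neighbouring calls in the hunk is the maintainer's call. It also assumes that `uhid_device_t` is not yet declared in refpolicy (the AVC only shows that it exists on the submitter's system), so the type, its `/dev/uhid` file context and the interface are all shown together; if the type already exists, only the `.if` and `bluetooth.te` parts apply.

```m4
# policy/modules/kernel/devices.te  (assumed addition: type for /dev/uhid)
type uhid_device_t;
dev_node(uhid_device_t)

# policy/modules/kernel/devices.fc  (assumed addition: label the device node)
/dev/uhid		-c	gen_context(system_u:object_r:uhid_device_t,s0)

# policy/modules/kernel/devices.if  (assumed addition: the missing interface)
########################################
## <summary>
##	Read and write the userspace HID (uhid) device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`device_rw_uhid',`
	gen_require(`
		type device_t, uhid_device_t;
	')

	# search on /dev plus read/write/open/ioctl etc. on the chr_file,
	# which covers the { read write } reported in the AVC denial
	rw_chr_files_pattern($1, device_t, uhid_device_t)
')

# policy/modules/services/bluetooth.te  (what the submitted hunk should call)
device_rw_uhid(bluetooth_t)
```

After rebuilding and loading the policy, `sesearch -A -s bluetooth_t -t uhid_device_t -c chr_file` should list the resulting allow rule, and `restorecon -v /dev/uhid` (or a reboot, since devtmpfs nodes are labelled at boot) applies the new file context; the denial in the commit message names `dev="devtmpfs"`, so an unlabelled node would still fail with a different `tcontext`.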