2024-05-21 08:43:57

by Naga Bhavani Akella

Subject: [PATCH 2/2] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

Required for using the acquire-notify and acquire-write options (GATT Client)
and for sending notifications (GATT Server).

Below are the avc denials that are fixed with this patch -

1. audit: type=1400 audit(1651238006.276:496):
avc: denied { read write } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497):
avc: denied { getattr } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495):
avc: denied { read write } for pid=689 comm="dbus-daemon"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
4. audit: type=1400 audit(315966559.395:444):
avc: denied { use } for pid=710 comm="dbus-daemon"
path="socket:[13196]" dev="sockfs" ino=13196
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
5. audit: type=1400 audit(315999854.939:523):
avc: denied { read write } for pid=812 comm="dbus-daemon"
path="socket:[99469]" dev="sockfs" ino=99469
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=bluetooth_socket permissive=1

Signed-off-by: Naga Bhavani Akella <[email protected]>
---
policy/modules/apps/pulseaudio.te | 1 +
policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++
policy/modules/services/dbus.te | 1 +
policy/modules/services/obex.te | 1 +
4 files changed, 25 insertions(+)

diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 65b9a7428..9bf69bedc 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -194,6 +194,7 @@ optional_policy(`

optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
+ bluetooth_socket_connect(pulseaudio_t)
')

optional_policy(`
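Review bot: none of the five denials in the commit message involves pulseaudio_t, so the new `bluetooth_socket_connect(pulseaudio_t)` line grants bluetooth_t:bluetooth_socket rw, bluetooth_t:fd use and unix_stream_socket accept/listen/connectto without a recorded need; either add the pulseaudio denial that motivates it or drop this caller from the patch.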
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index c7e1c3f14..dd26d95f4 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',`
stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
')

+#####################################
+## <summary>
+## Connect to bluetooth over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_socket_connect',`
+ gen_require(`
+ type bluetooth_t, bluetooth_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
+ allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };
+ allow $1 bluetooth_t:fd use;
+')
+
########################################
## <summary>
## Execute bluetooth in the bluetooth domain.
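Review bot: the body only addresses denials 4 and 5 from the commit message (system_dbusd_t acting on bluetooth_t objects); denials 1 to 3 have bluetooth_t or system_dbusd_t acting on an initrc_t unix_stream_socket, which `allow $1 bluetooth_t:...` rules cannot fix, so either add the rules for those or trim the description to what the patch actually changes. In `type bluetooth_t, bluetooth_runtime_t;` the bluetooth_runtime_t type is required but never used (files_search_runtime($1) needs no type), so drop it from gen_require; the `accept` and `listen` permissions appear in none of the listed denials and are server-side operations a connecting client does not need; and the `#####################################` banner is shorter than the 40-character headers used elsewhere in this file.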
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 2d1d09d71..301c81aa5 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -266,6 +266,7 @@ optional_policy(`

optional_policy(`
bluetooth_stream_connect(system_dbusd_t)
+ bluetooth_socket_connect(system_dbusd_t)
')

optional_policy(`
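Review bot: of the three dbus-daemon denials listed, this caller resolves only 4 (bluetooth_t:fd use) and 5 (bluetooth_t:bluetooth_socket read write); denial 3 is system_dbusd_t against an initrc_t unix_stream_socket and stays unaddressed by `bluetooth_socket_connect(system_dbusd_t)`, so the commit message should not claim it as fixed.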
diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
index 6686edb37..edbdc7ecf 100644
--- a/policy/modules/services/obex.te
+++ b/policy/modules/services/obex.te
@@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t)

optional_policy(`
bluetooth_stream_connect(obex_t)
+ bluetooth_socket_connect(obex_t)
')

optional_policy(`
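Review bot: as with pulseaudio_t, no obex_t denial is listed, so `bluetooth_socket_connect(obex_t)` widens obex_t's access to bluetoothd's sockets and file descriptors on no evidence; leave it out until a denial for obex_t is captured.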
--
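To check the commit message's claim that all five denials are fixed, here is an added example (not part of the patch or the refpolicy tree) that expands the proposed bluetooth_socket_connect() rules for the three callers and tests each listed denial against them; the rw_socket_perms expansion is copied from refpolicy's obj_perm_sets.spt and is an assumption here.

```python
import re

# Permission macro from refpolicy's obj_perm_sets.spt, copied here so the script runs offline.
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown"}

def interface_rules(caller):
    """Allow rules that bluetooth_socket_connect(caller) expands to: (src, tgt, class, perms)."""
    return [
        (caller, "bluetooth_t", "bluetooth_socket", RW_SOCKET_PERMS),
        (caller, "bluetooth_t", "unix_stream_socket",
         RW_SOCKET_PERMS | {"accept", "connectto", "listen"}),
        (caller, "bluetooth_t", "fd", {"use"}),
    ]

# The three callers the patch adds; initrc_t (bluetoothctl's actual domain) is not among them.
CALLERS = ("pulseaudio_t", "system_dbusd_t", "obex_t")
RULES = [r for c in CALLERS for r in interface_rules(c)]

# The five denials from the commit message, each collapsed onto one line.
DENIALS = """
avc: denied { read write } for pid=2165 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
avc: denied { getattr } for pid=2165 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
avc: denied { read write } for pid=689 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
avc: denied { use } for pid=710 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0
avc: denied { read write } for pid=812 comm="dbus-daemon" scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
                    r"scontext=\w+:\w+:(?P<src>\w+):.*?"
                    r"tcontext=\w+:\w+:(?P<tgt>\w+):.*?"
                    r"tclass=(?P<cls>\w+)")

def parse_avc(text):
    """Yield (source_type, target_type, class, perms) for each AVC denial in text."""
    for m in AVC_RE.finditer(text):
        yield m["src"], m["tgt"], m["cls"], set(m["perms"].split())

def is_covered(denial, rules):
    """True when the rules grant every denied permission for this (src, tgt, class) triple."""
    src, tgt, cls, perms = denial
    granted = set().union(*(p for s, t, c, p in rules if (s, t, c) == (src, tgt, cls)))
    return perms <= granted

def uncovered(text, rules=RULES):
    return [d for d in parse_avc(text) if not is_covered(d, rules)]

if __name__ == "__main__":
    for src, tgt, cls, perms in uncovered(DENIALS):
        print(f"not fixed: {src} -> {tgt}:{cls} {sorted(perms)}")
```

Running it reports denials 1 to 3, whose target type is initrc_t, as not fixed by the rules in this patch.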


2024-05-21 09:01:33

by Naga Bhavani Akella

Subject: Re: [PATCH v2] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.


Hi Chris PeBenito,

>> In that case, then a new interface with a more abstract name would be warranted.
As per your suggestion on patch v1, we added a new interface, bluetooth_socket_connect.
Could you please let us know an alternate name if this is not appropriate?

>> Yes, the point is that we probably need a bluetoothctl_t domain so the configuration can be done only via the bluetoothctl process, not just any initrc_t process. The existing bluetooth_helper_t domain may possibly be renamed/retrofitted for this purpose.
We tried adding a bluetooth_helper_t domain for bluetoothctl using
"/usr/bin/bluetoothctl -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)",
but it was running in the initrc_t context, as shown when "ps -eZ | grep bluetoothctl" is run.
We are checking the cause of this issue internally, hence removed that change in the current patch.
Could you help us with this issue if it is already known?

On 5/21/2024 2:13 PM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc: denied { read write } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc: denied { getattr } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc: denied { read write } for pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <[email protected]>
> ---
> policy/modules/apps/pulseaudio.te | 1 +
> policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++
> policy/modules/services/dbus.te | 1 +
> policy/modules/services/obex.te | 1 +
> 4 files changed, 25 insertions(+)
>
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..9bf69bedc 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -194,6 +194,7 @@ optional_policy(`
>
> optional_policy(`
> bluetooth_stream_connect(pulseaudio_t)
> + bluetooth_socket_connect(pulseaudio_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..dd26d95f4 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',`
> stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
> ')
>
> +#####################################
> +## <summary>
> +## Connect to bluetooth over a unix domain
> +## stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`bluetooth_socket_connect',`
> + gen_require(`
> + type bluetooth_t, bluetooth_runtime_t;
> + ')
> +
> + files_search_runtime($1)
> + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> + allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };
> + allow $1 bluetooth_t:fd use;
> +')
> +
> ########################################
> ## <summary>
> ## Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..301c81aa5 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -266,6 +266,7 @@ optional_policy(`
>
> optional_policy(`
> bluetooth_stream_connect(system_dbusd_t)
> + bluetooth_socket_connect(system_dbusd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..edbdc7ecf 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t)
>
> optional_policy(`
> bluetooth_stream_connect(obex_t)
> + bluetooth_socket_connect(obex_t)
> ')
>
> optional_policy(`

2024-05-21 12:57:01

by Chris PeBenito

Subject: Re: [PATCH 2/2] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.

On 5/21/2024 4:43 AM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc: denied { read write } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc: denied { getattr } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc: denied { read write } for pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Naga Bhavani Akella <[email protected]>
> ---
> policy/modules/apps/pulseaudio.te | 1 +
> policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++
> policy/modules/services/dbus.te | 1 +
> policy/modules/services/obex.te | 1 +
> 4 files changed, 25 insertions(+)
>
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..9bf69bedc 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -194,6 +194,7 @@ optional_policy(`
>
> optional_policy(`
> bluetooth_stream_connect(pulseaudio_t)
> + bluetooth_socket_connect(pulseaudio_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..dd26d95f4 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',`
> stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
> ')
>
> +#####################################
> +## <summary>
> +## Connect to bluetooth over a unix domain
> +## stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`bluetooth_socket_connect',`

This should be named "bluetooth_use".


> + gen_require(`
> + type bluetooth_t, bluetooth_runtime_t;
> + ')
> +
> + files_search_runtime($1)
> + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> + allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };

Do you have example denials for the accept and listen permissions? I
wouldn't expect to see accept and listen on a client connection.


> + allow $1 bluetooth_t:fd use;
> +')
> +
> ########################################
> ## <summary>
> ## Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..301c81aa5 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -266,6 +266,7 @@ optional_policy(`
>
> optional_policy(`
> bluetooth_stream_connect(system_dbusd_t)
> + bluetooth_socket_connect(system_dbusd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..edbdc7ecf 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t)
>
> optional_policy(`
> bluetooth_stream_connect(obex_t)
> + bluetooth_socket_connect(obex_t)
> ')

Since each of the callers already has bluetooth_stream_connect(), I
think the new bluetooth_use() interface should call
bluetooth_stream_connect(), so that the callers can be simplified to only a
bluetooth_use() call.



--
Chris PeBenito