2024-06-05 11:23:52

by Amisha Jain (QUIC)

Subject: [PATCH v2] Sepolicy changes for bluez to access uhid

Resolve selinux permission for HID

Below are the avc denials that are fixed with this patch:

avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Amisha Jain <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/services/bluetooth.te | 1 +
2 files changed, 19 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d8a5c97df..6e0a9499e 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5858,3 +5858,21 @@ interface(`dev_unconfined',`

typeattribute $1 devices_unconfined_type;
')
+
+#####################
+## <summary>
+## Allow open/read/write uhid device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed rw to uhid device
+## to communicate with uhid input node
+## </summary>
+## </param>
+#
+interface(`dev_rw_uhid',`
+ gen_require(`
+ type uhid_device_t;
+ ')
+ allow $1 uhid_device_t:chr_file rw_chr_file_perms ;
+')
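Review bot: the new interface is appended after dev_unconfined, which devices.if keeps as its final interface; move dev_rw_uhid up among the other dev_rw_* device interfaces so that ordering holds. Two style nits in the same hunk: the comment header `#####################` should be the full-width header used by the other interfaces in this file, and `allow $1 uhid_device_t:chr_file rw_chr_file_perms ;` has a stray space before the semicolon. The parameter summary "Domain allowed rw to uhid device to communicate with uhid input node" would read better as the usual "Domain allowed access.", since the interface summary already names the device. Note also that rw_chr_file_perms is wider than the denied { read write } (it includes open and ioctl), which is what a domain needs to drive /dev/uhid as a virtual HID device; that is right for bluetoothd, but the interface should be called only for domains that genuinely create HID nodes, because the same access lets a domain inject input events.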
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index f23a979de..0cbff0714 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -104,6 +104,7 @@ dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
dev_rw_wireless(bluetooth_t)
+dev_rw_uhid(bluetooth_t)

domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)
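Review bot: dev_rw_uhid(bluetooth_t) is added after dev_rw_wireless, which breaks the alphabetical order the surrounding calls keep (dev_read_urand, dev_rw_input_dev, dev_rw_wireless); place it between dev_rw_input_dev and dev_rw_wireless. The interface only grants access to uhid_device_t:chr_file, so it relies on bluetooth_t already being able to search /dev, which the neighbouring dev_rw_input_dev and dev_rw_wireless calls imply it can; after loading the policy the quoted denial should be re-checked with `sesearch -A -s bluetooth_t -t uhid_device_t -c chr_file`, which should show the rule with the full rw_chr_file_perms set rather than just { read write }.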
--
2.17.1
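The way a reviewer checks that the denial quoted in the commit message is actually covered by the rule in the patch is to derive the rule from the denial and compare the two. The following is an added example, not part of Amisha Jain's patch nor of bluez or refpolicy: a small Python parser, in the spirit of audit2allow, that reads AVC denial lines, merges the denied permissions per source type, target type and object class, and picks the smallest refpolicy permission-set macro that covers them. The members of read_chr_file_perms and rw_chr_file_perms are reproduced from refpolicy's obj_perm_sets.spt from memory and are an assumption; the second sample log line is constructed to show merging and does not appear on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample input. The first line is the denial quoted in the patch
# description; the second is an assumed companion line of the same shape
# (an "open" denial on the same node) added to show how denials are merged.
SAMPLE_AUDIT = """\
avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
avc: denied { open } for pid=656 comm="bluetoothd" path="/dev/uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
"""

# Permission-set macros for chr_file as defined in refpolicy's
# policy/support/obj_perm_sets.spt (assumption: reproduced from memory of
# that file, not taken from the patch).
PERM_SETS = {
    "chr_file": {
        "read_chr_file_perms": {"getattr", "open", "read", "ioctl", "lock"},
        "rw_chr_file_perms": {"getattr", "open", "read", "write", "append", "ioctl", "lock"},
    }
}

# One AVC denial line: the braces hold the denied permissions, then the
# source and target contexts, the object class and (optionally) permissive.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    source_type: str
    target_type: str
    tclass: str
    permissive: bool


def context_type(context):
    """Extract the type field from a user:role:type[:range] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed security context: {context!r}")
    return fields[2]


def parse_denials(text):
    """Parse every AVC denial line in text; lines of any other shape are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            perms=frozenset(m["perms"].split()),
            source_type=context_type(m["scontext"]),
            target_type=context_type(m["tcontext"]),
            tclass=m["tclass"],
            permissive=m["permissive"] == "1",
        ))
    return denials


def merge_denials(denials):
    """Union the denied permissions per (source type, target type, class) triple."""
    merged = {}
    for d in denials:
        key = (d.source_type, d.target_type, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return merged


def covering_perm_set(tclass, perms):
    """Smallest known permission-set macro that is a superset of perms, else None."""
    candidates = PERM_SETS.get(tclass, {})
    fits = sorted((len(members), name) for name, members in candidates.items() if perms <= members)
    return fits[0][1] if fits else None


def allow_rules(text):
    """Turn an audit log excerpt into one allow rule per merged triple."""
    rules = []
    for (src, tgt, cls), perms in sorted(merge_denials(parse_denials(text)).items()):
        macro = covering_perm_set(cls, perms)
        body = macro if macro else "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

Run on the sample it prints `allow bluetooth_t uhid_device_t:chr_file rw_chr_file_perms;`, which is exactly what `dev_rw_uhid(bluetooth_t)` expands to, so the hunk covers the quoted denial. Picking the macro rather than the literal `{ read write }` is deliberate: a rule written from a single denial is usually incomplete (the first open() after the policy change would produce a new denial), and refpolicy expects interfaces to use the permission-set macros.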



2024-06-05 23:42:39

by Chris PeBenito

Subject: Re: [PATCH v2] Sepolicy changes for bluez to access uhid

On 6/5/2024 7:23 AM, Amisha Jain wrote:
> Resolve selinux permission for HID
>
> Below are the avc denials that are fixed with this patch:
>
> avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
>
> Signed-off-by: Amisha Jain <[email protected]>
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> policy/modules/services/bluetooth.te | 1 +
> 2 files changed, 19 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index d8a5c97df..6e0a9499e 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -5858,3 +5858,21 @@ interface(`dev_unconfined',`
>
> typeattribute $1 devices_unconfined_type;
> ')
> +
> +#####################
> +## <summary>
> +## Allow open/read/write uhid device
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed rw to uhid device
> +## to communicate with uhid input node
> +## </summary>
> +## </param>
> +#
> +interface(`dev_rw_uhid',`
> + gen_require(`
> + type uhid_device_t;
> + ')
> + allow $1 uhid_device_t:chr_file rw_chr_file_perms ;
> +')
> diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
> index f23a979de..0cbff0714 100644
> --- a/policy/modules/services/bluetooth.te
> +++ b/policy/modules/services/bluetooth.te
> @@ -104,6 +104,7 @@ dev_rw_generic_usb_dev(bluetooth_t)
> dev_read_urand(bluetooth_t)
> dev_rw_input_dev(bluetooth_t)
> dev_rw_wireless(bluetooth_t)
> +dev_rw_uhid(bluetooth_t)
>
> domain_use_interactive_fds(bluetooth_t)
> domain_dontaudit_search_all_domains_state(bluetooth_t)

Merged.

--
Chris PeBenito