Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp3059519lqo;
        Tue, 21 May 2024 05:57:01 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWbJeTKbcddvpSRUwXekbh8tw3xYPugmLm5IiKyY7JbXnABpSp/x1+pkFoedeooC433mSURaTsfZFFuRLy3yyR/bYP0xCmHS9Ilf2gtCQ==
X-Google-Smtp-Source: AGHT+IHsLxhxsLUgrrhuGoecFjF+6T00LYuv72ODNm0/CsbzjcZcX3WXJVzYhpghaTbVFntS+csR
X-Received: by 2002:a17:90b:46d8:b0:2bd:7135:21a3 with SMTP id 98e67ed59e1d1-2bd7135251fmr6067416a91.42.1716296221488;
        Tue, 21 May 2024 05:57:01 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1716296221; cv=pass;
        d=google.com; s=arc-20160816;
        b=DlW8X+sqVrxV6lLE0fRw0y5LzySVQ3eTsJU8lj1rwdQpqt5UjWNuxO6jtcDVHU7C5+
         D8pOVGsCrrjW2hSoa5w6InIG3dpAj3kr0mnpdq1lcG7/SIKdg9zw2NQFLaYOrQ3sldUR
         d58W8zy6ZJKXH2RW8vyeK44TKupptLjSxhOQvOSyXvlULELuc0RJKyLWnRwwhv/fxDLv
         4ajMA8LrpMh7lYmhhQzYL4g4AOmkTDD966DEgxpqSIdlwH8NRqbzsPFao2K0yMVDvyr1
         KPRG0EZyvr5RswmL7ef+eWIZjl+r4AbxYtd5esBE2+DxH63KS1wiypMiUrYuqZcmQ6fx
         T3ag==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id:dkim-signature;
        bh=lmkd8RHwKqzU+iR5LKhV1QP2PnJEj7V3iQhIQt0st7Q=;
        fh=37txB8NbSKEv3KP2Cja6rg2pRdznTF40uuc7WSZlDV8=;
        b=efMFVi4VAYuUSCxQp/kZZSQ+zUeQ5fim1Clx7uyZyXL13cDTjUQ8gHUw1g7V48MXl2
         gxsmDc+eUXO5iFXdKiAZheCM9u7UJ0MPycpbklkl5UGX/2g22Fdr2NVXil93TDqJL4d1
         oyIzebaaNkHQkWltNvQ7VeaBqsEfhmRWs3HhNSWlJTHT6KNN5lg3inAX4850RjwsAPYC
         JiOP7EFUTMAY59Q88uRouyb4sg+7qu4m6OadW/5C6dPiQLmT2S1lbxzr+QLmbFY8an/Z
         X6geyaeGi4CRSFbcYo2rwP1bgW304C3aBcrE0w3+ISp+KBVMDZOTGy7OYlY3EYk077/e
         UEzg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=JAySk+oX;
       arc=pass (i=1 spf=pass spfdomain=ieee.org dkim=pass dkdomain=ieee.org dmarc=pass fromdomain=ieee.org);
       spf=pass (google.com: domain of selinux-refpolicy+bounces-19-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="selinux-refpolicy+bounces-19-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy+bounces-19-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id 98e67ed59e1d1-2bd92e7034asi1272375a91.40.2024.05.21.05.57.01
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 21 May 2024 05:57:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy+bounces-19-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=JAySk+oX;
       arc=pass (i=1 spf=pass spfdomain=ieee.org dkim=pass dkdomain=ieee.org dmarc=pass fromdomain=ieee.org);
       spf=pass (google.com: domain of selinux-refpolicy+bounces-19-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="selinux-refpolicy+bounces-19-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ieee.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 1E4BC280EBD
	for <linux.lists.archive@gmail.com>; Tue, 21 May 2024 12:57:01 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id A2B48770E2;
	Tue, 21 May 2024 12:56:59 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="JAySk+oX"
X-Original-To: selinux-refpolicy@vger.kernel.org
Received: from mail-yw1-f170.google.com (mail-yw1-f170.google.com [209.85.128.170])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id CE9C21E48B
	for <selinux-refpolicy@vger.kernel.org>; Tue, 21 May 2024 12:56:56 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.170
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1716296219; cv=none; b=BuCbab43oqVvoqgI2HmDNXL9a5t/uF5pzPY4pFTHldnORkLt3Ea0G4cBKmtA/+nXqhVMWBUKTtu64pxT2doMQcFpTXuAQbMdraNb+97GdgpJfQPQYYboG78sEZOGy8amHFUhWMoz8j0QVih5el/Il/OICdoQpmsiGDbs7QggSOE=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1716296219; c=relaxed/simple;
	bh=FdjiLc6fLOQmtzEZ6IiH/y/NKmyWjHLui/QHSWAk1Uc=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=WiizqKdqsg+v3TnA30Cwuk/INvOXEWjsvPQEFx3ieXHiT7TXZetygvLNWWbcxKO8KYG6hUQQ9+/lSueejG7JmsrdUbF9TULEDr1c2pEruSWZj/knRPxCqbqivqT4rewSH/sgQcgdWHYA0P+VmW6b+ekS5VBcKOfrVOjLfHbKAjk=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=ieee.org; spf=pass smtp.mailfrom=ieee.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b=JAySk+oX; arc=none smtp.client-ip=209.85.128.170
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=ieee.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ieee.org
Received: by mail-yw1-f170.google.com with SMTP id 00721157ae682-622ce869e9bso42726277b3.0
        for <selinux-refpolicy@vger.kernel.org>; Tue, 21 May 2024 05:56:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google; t=1716296216; x=1716901016; darn=vger.kernel.org;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:date:message-id
         :from:to:cc:subject:date:message-id:reply-to;
        bh=lmkd8RHwKqzU+iR5LKhV1QP2PnJEj7V3iQhIQt0st7Q=;
        b=JAySk+oX930i+4jxoAxR3FTYFzQqlt0xU6Sx+tO/zd5tCLBjdyJ3kZJL3aRPB6UUaI
         nwcQw7Sf20OEVj5XyVMuIo+BPZLk6J/MQk487dwHLRgN5oc2isJMgl397YbiRq71vFX8
         cKCUHmlGKB+TWT963xayBrgzmLOIs0b32f00Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1716296216; x=1716901016;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:date:message-id
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=lmkd8RHwKqzU+iR5LKhV1QP2PnJEj7V3iQhIQt0st7Q=;
        b=bnHraeCLnvCBTNj0rNumc4Gt4rKGUDifWC2zfXSgYkZbMEH1A989pUdX0jEEDWATNK
         UeDz9Sjxnmgzu/LY4AiS+3F2LU1a/gH8cyONDJPxsZP0neByi7CNMoV7tFUvt6u+yrPy
         1PWVO+x3aJyLGTjDY3JESVM5oEODBjAV6PUNM6qDrPdKu7n5sxI3K9ioDE+4WlrAWfSr
         rntWd/+Veq7m8HMkWnd62VhJ5kevgIkJl9NOVZ6OF6PUPl6Our6lf9XQYzakaLKT2QnS
         lZkY0LqfS1sKURQUK/AtQ0eqL5R2KVhHRhORJon41RHK3Baf8ey7WjcXY2dcR1wN+2vV
         A9tg==
X-Forwarded-Encrypted: i=1; AJvYcCW7zeyykYCrouHScqMN98VNd8oTcT0LNIpD0A0h8g37E8FZEj85DogcSL35hjZn4No/z5zcSnXZMPjMNPOSqhnWYdLFWIokVhpD/r101TV68EQ=
X-Gm-Message-State: AOJu0Yw3hJfGNyBI+YMvTMIodCa9tgWuamfVBD/fN7OxfDUigmryAlGv
	XUb/9nDTXqXBXf5PmcAfk1qV3vMZIp+rZHUnWfExvNjv/9hWtvuMca5wZRVjyg==
X-Received: by 2002:a0d:cb51:0:b0:622:e42f:2f16 with SMTP id 00721157ae682-622e42f301fmr249744147b3.43.1716296215214;
        Tue, 21 May 2024 05:56:55 -0700 (PDT)
Received: from ?IPV6:2601:145:c200:2c70:e1b4:2683:17a6:a92e? ([2601:145:c200:2c70:e1b4:2683:17a6:a92e])
        by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6a15f1d8e7dsm122879296d6.121.2024.05.21.05.56.54
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 21 May 2024 05:56:54 -0700 (PDT)
Message-ID: <bc0b36ba-e976-4bb0-bd21-5d69a10cef09@ieee.org>
Date: Tue, 21 May 2024 08:56:53 -0400
Precedence: bulk
X-Mailing-List: selinux-refpolicy@vger.kernel.org
List-Id: <selinux-refpolicy.vger.kernel.org>
List-Subscribe: <mailto:selinux-refpolicy+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:selinux-refpolicy+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH 2/2] Adding Sepolicy rules to allow bluetoothctl and
 dbus-daemon to access unix stream sockets.
To: Naga Bhavani Akella <quic_nakella@quicinc.com>,
 selinux-refpolicy@vger.kernel.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com,
 quic_anubhavg@quicinc.com
References: <20240521084323.14200-1-quic_nakella@quicinc.com>
Content-Language: en-US
From: Chris PeBenito <pebenito@ieee.org>
In-Reply-To: <20240521084323.14200-1-quic_nakella@quicinc.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 5/21/2024 4:43 AM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and Sending notifications (Gatt Server)
> 
> Below are the avc denials that are fixed with this patch -
> 
> 1. audit: type=1400 audit(1651238006.276:496):
> avc:  denied  { read write } for  pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc:  denied  { getattr } for  pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc:  denied  { read write } for  pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc:  denied  { use } for  pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc:  denied  { read write } for  pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
> 
> Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
> ---
>   policy/modules/apps/pulseaudio.te    |  1 +
>   policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++
>   policy/modules/services/dbus.te      |  1 +
>   policy/modules/services/obex.te      |  1 +
>   4 files changed, 25 insertions(+)
> 
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..9bf69bedc 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -194,6 +194,7 @@ optional_policy(`
>   
>   optional_policy(`
>   	bluetooth_stream_connect(pulseaudio_t)
> +	bluetooth_socket_connect(pulseaudio_t)
>   ')
>   
>   optional_policy(`
> diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
> index c7e1c3f14..dd26d95f4 100644
> --- a/policy/modules/services/bluetooth.if
> +++ b/policy/modules/services/bluetooth.if
> @@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',`
>   	stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
>   ')
>   
> +#####################################
> +## <summary>
> +##	Connect to bluetooth over a unix domain
> +##	stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`bluetooth_socket_connect',`

This should be named "bluetooth_use".


> +	gen_require(`
> +		type bluetooth_t, bluetooth_runtime_t;
> +	')
> +
> +	files_search_runtime($1)
> +	allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
> +	allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms };

Do you have example denials for the accept and listen permissions?  I 
wouldn't expect to see accept and listen on a client connection.


> +	allow $1 bluetooth_t:fd use;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Execute bluetooth in the bluetooth domain.
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..301c81aa5 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -266,6 +266,7 @@ optional_policy(`
>   
>   optional_policy(`
>   	bluetooth_stream_connect(system_dbusd_t)
> +	bluetooth_socket_connect(system_dbusd_t)
>   ')
>   
>   optional_policy(`
> diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
> index 6686edb37..edbdc7ecf 100644
> --- a/policy/modules/services/obex.te
> +++ b/policy/modules/services/obex.te
> @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t)
>   
>   optional_policy(`
>   	bluetooth_stream_connect(obex_t)
> +	bluetooth_socket_connect(obex_t)
>   ')

Since each of the callers already have bluetooth_stream_connect(), I 
think the new bluetooth_use() interface should call 
bluetooth_stream_connect(), then the callers can be simplified to only a 
bluetooth_use() call.



-- 
Chris PeBenito