Date: Tue, 21 May 2024 08:56:53 -0400
X-Mailing-List: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 2/2] Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
To: Naga Bhavani Akella, selinux-refpolicy@vger.kernel.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com, quic_anubhavg@quicinc.com
References: <20240521084323.14200-1-quic_nakella@quicinc.com>
From: Chris PeBenito
In-Reply-To: <20240521084323.14200-1-quic_nakella@quicinc.com>

On 5/21/2024 4:43 AM, Naga Bhavani Akella wrote:
> Required for using acquire-notify, acquire-write options (Gatt Client)
> and sending notifications (Gatt Server)
>
> Below are the avc denials that are fixed with this patch -
>
> 1. audit: type=1400 audit(1651238006.276:496):
> avc: denied { read write } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 2. audit: type=1400 audit(1651238006.276:497):
> avc: denied { getattr } for pid=2165 comm="bluetoothd"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 3. audit: type=1400 audit(1651238006.272:495):
> avc: denied { read write } for pid=689 comm="dbus-daemon"
> path="socket:[43207]" dev="sockfs" ino=43207
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tclass=unix_stream_socket permissive=1
> 4. audit: type=1400 audit(315966559.395:444):
> avc: denied { use } for pid=710 comm="dbus-daemon"
> path="socket:[13196]" dev="sockfs" ino=13196
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=fd permissive=0
> 5. audit: type=1400 audit(315999854.939:523):
> avc: denied { read write } for pid=812 comm="dbus-daemon"
> path="socket:[99469]" dev="sockfs" ino=99469
> scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
> tclass=bluetooth_socket permissive=1
> > Signed-off-by: Naga Bhavani Akella > --- > policy/modules/apps/pulseaudio.te | 1 + > policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++ > policy/modules/services/dbus.te | 1 + > policy/modules/services/obex.te | 1 + > 4 files changed, 25 insertions(+) > > diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te > index 65b9a7428..9bf69bedc 100644 > --- a/policy/modules/apps/pulseaudio.te > +++ b/policy/modules/apps/pulseaudio.te > @@ -194,6 +194,7 @@ optional_policy(` > > optional_policy(` > bluetooth_stream_connect(pulseaudio_t) > + bluetooth_socket_connect(pulseaudio_t) > ') > > optional_policy(` > diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if > index c7e1c3f14..dd26d95f4 100644 > --- a/policy/modules/services/bluetooth.if > +++ b/policy/modules/services/bluetooth.if > @@ -85,6 +85,28 @@ interface(`bluetooth_stream_connect',` > stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) > ') > > +##################################### > +## > +## Connect to bluetooth over a unix domain > +## stream socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`bluetooth_socket_connect',` This should be named "bluetooth_use". > + gen_require(` > + type bluetooth_t, bluetooth_runtime_t; > + ') > + > + files_search_runtime($1) > + allow $1 bluetooth_t:bluetooth_socket rw_socket_perms; > + allow $1 bluetooth_t:unix_stream_socket { accept connectto listen rw_socket_perms }; Do you have example denials for the accept and listen permissions? I wouldn't expect to see accept and listen on a client connection. > + allow $1 bluetooth_t:fd use; > +') > + > ######################################## > ## > ## Execute bluetooth in the bluetooth domain. > diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te > index 2d1d09d71..301c81aa5 100644 > --- a/policy/modules/services/dbus.te > +++ b/policy/modules/services/dbus.te 
> @@ -266,6 +266,7 @@ optional_policy(` > > optional_policy(` > bluetooth_stream_connect(system_dbusd_t) > + bluetooth_socket_connect(system_dbusd_t) > ') > > optional_policy(` > diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te > index 6686edb37..edbdc7ecf 100644 > --- a/policy/modules/services/obex.te > +++ b/policy/modules/services/obex.te > @@ -32,6 +32,7 @@ userdom_search_user_home_content(obex_t) > > optional_policy(` > bluetooth_stream_connect(obex_t) > + bluetooth_socket_connect(obex_t) > ') Since each of the callers already have bluetooth_stream_connect(), I think the new bluetooth_use() interface should call bluetooth_stream_connect(), then the callers can be simplified to only a bluetooth_use() call. -- Chris PeBenito
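Review bot: in the bluetooth.if hunk, the interface summary and its rules disagree, and the denials in the description only justify part of what is granted. The summary says "Connect to bluetooth over a unix domain stream socket", which is exactly what the existing bluetooth_stream_connect() directly above already provides; what this block actually adds is `allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;` and `allow $1 bluetooth_t:fd use;`, and the summary should describe those. Of the five denials, only 4 and 5 (system_dbusd_t using a bluetooth_t fd and reading/writing a bluetooth_t bluetooth_socket) are satisfied by these rules; denials 1 to 3 have tcontext initrc_t, which no rule in this patch touches, so they are not fixed here and point at the labeling of whatever process created that socket rather than at a missing allow for bluetooth_t. No denial shows connectto on bluetooth_t:unix_stream_socket either. Finally, `type bluetooth_t, bluetooth_runtime_t;` requires bluetooth_runtime_t but no rule in the interface references it; drop it from the gen_require.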
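Review bot: the pulseaudio.te hunk (and likewise the obex.te one) adds bluetooth_socket_connect() to a domain for which the description shows no denial: every quoted denial is from comm="bluetoothd" or comm="dbus-daemon", so only the dbus.te caller is backed by the log. Either add the pulseaudio_t and obex_t denials to the description or leave those callers out until the access is actually observed; handing fd:use and bluetooth_socket read/write on bluetooth_t to domains that have not asked for it widens the policy without evidence.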
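The denials quoted in the patch description can be checked mechanically against what the new interface grants, which is the comparison the review above makes by hand. The following is an added example and is not code from the patch, from refpolicy or from anyone in this thread: it parses the five AVC lines (copied from the description and rejoined onto single lines), aggregates the needed permissions per (source type, target type, class), and compares them with a model of the bluetooth_socket_connect() rules expanded for the three callers the patch modifies. The expansion of rw_socket_perms is transcribed from refpolicy's obj_perm_sets.spt and is an assumption here, since the page only uses the macro name; the function names are mine.

```python
import re
from collections import defaultdict

# Sample input: the five AVC denials quoted in the patch description,
# each rejoined onto a single line (constructed from the thread, not a live log).
AVC_LINES = """\
audit: type=1400 audit(1651238006.276:496): avc: denied { read write } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1651238006.276:497): avc: denied { getattr } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(1651238006.272:495): avc: denied { read write } for pid=689 comm="dbus-daemon" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1
audit: type=1400 audit(315966559.395:444): avc: denied { use } for pid=710 comm="dbus-daemon" path="socket:[13196]" dev="sockfs" ino=13196 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0
audit: type=1400 audit(315999854.939:523): avc: denied { read write } for pid=812 comm="dbus-daemon" path="socket:[99469]" dev="sockfs" ino=99469 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
"""

# Expansion of refpolicy's rw_socket_perms macro (policy/support/obj_perm_sets.spt),
# transcribed here as an assumption: the thread only uses the macro name.
RW_SOCKET_PERMS = frozenset(
    "ioctl read getattr write setattr append bind connect getopt setopt shutdown lock".split()
)

# The three domains the patch adds bluetooth_socket_connect() to.
PATCH_CALLERS = ("pulseaudio_t", "system_dbusd_t", "obex_t")


def _type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into permissions, source/target types and class.

    Returns None for lines that are not AVC denials.
    """
    perms = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    if perms is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return {
        "perms": frozenset(perms.group(1).split()),
        "stype": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def aggregate(log_text):
    """Collect the permissions each (source type, target type, class) was denied."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            needed[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(needed)


def bluetooth_socket_connect(caller):
    """Model of the rules the patch's interface grants to one caller domain."""
    return {
        (caller, "bluetooth_t", "bluetooth_socket"): set(RW_SOCKET_PERMS),
        (caller, "bluetooth_t", "unix_stream_socket"):
            RW_SOCKET_PERMS | {"accept", "connectto", "listen"},
        (caller, "bluetooth_t", "fd"): {"use"},
    }


def patch_grants(callers=PATCH_CALLERS):
    """All rules the patch adds, expanded for every caller it modifies."""
    granted = {}
    for caller in callers:
        granted.update(bluetooth_socket_connect(caller))
    return granted


def coverage(needed, granted):
    """Split observed denials into those the rules satisfy and those left open."""
    covered, uncovered = {}, {}
    for key, perms in needed.items():
        missing = perms - granted.get(key, set())
        (uncovered if missing else covered)[key] = sorted(perms)
    return covered, uncovered


def unjustified(needed, granted):
    """Rules for which the log shows no denial at all."""
    return sorted(key for key in granted if key not in needed)


if __name__ == "__main__":
    needed = aggregate(AVC_LINES)
    covered, uncovered = coverage(needed, patch_grants())
    print("covered by the patch:")
    for key, perms in covered.items():
        print("  allow %s %s:%s { %s };" % (*key, " ".join(perms)))
    print("not addressed (different target type):")
    for key, perms in uncovered.items():
        print("  %s -> %s:%s { %s }" % (*key, " ".join(perms)))
    print("granted without a matching denial:")
    for key in unjustified(needed, patch_grants()):
        print("  %s -> %s:%s" % key)
```

Run against the quoted log, this reports denials 4 and 5 as covered, denials 1 to 3 as unaddressed because their target type is initrc_t rather than bluetooth_t, and the pulseaudio_t and obex_t grants (plus the unix_stream_socket grant to system_dbusd_t) as having no denial behind them. The same aggregation step is what audit2allow performs before emitting rules; the extra comparison against the proposed interface is what makes it useful in review.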