Bug 1502141
| Summary: | SELinux is preventing (uetoothd) from 'mounton' accesses on the dossier /var/lib/bluetooth. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Nicolas Mailhot <nicolas.mailhot> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | bugzilla, dwalsh, jsmith.fedora, lsm5, lvrabec, me+redhat, mgrepl, plautrba, pmoore, suren, tom.mannerhagen, vondruch |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:6421f5ffcabc44dfaec09174bf0a633547dbe1d96a8f21169891dcdf7ea5087c;VARIANT_ID=workstation; | ||
| Last Closed: | 2018-02-20 11:22:05 UTC | Type: | --- |
Description of problem:
After booting my system I can see BT is not enabled and not possible to enable.
From terminal running:
sudo systemctl status bluetooth.service
results in this:
● bluetooth.service - Bluetooth service
Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
Active: failed (Result: signal) since Tue 2017-10-17 08:46:36 CEST; 12s ago
Docs: man:bluetoothd(8)
Process: 7926 ExecStart=/usr/libexec/bluetooth/bluetoothd (code=killed, signal=SEGV)
Main PID: 7926 (code=killed, signal=SEGV)
okt 17 08:46:36 kira-lan systemd[1]: Starting Bluetooth service...
okt 17 08:46:36 kira-lan systemd[1]: bluetooth.service: Main process exited, code=killed, status=11/SEGV
okt 17 08:46:36 kira-lan systemd[1]: bluetooth.service: Failed with result 'signal'.
okt 17 08:46:36 kira-lan systemd[1]: Failed to start Bluetooth service.
Version-Release number of selected component:
selinux-policy-3.13.1-295.fc28.noarch
Additional info:
reporter: libreport-2.9.2
hashmarkername: setroubleshoot
kernel: 4.14.0-0.rc4.git4.1.fc28.x86_64
type: libreport
Hi,
This will be fixed in the next selinux-policy rawhide build.

*** Bug 1506461 has been marked as a duplicate of this bug. ***

This is still not fixed:
$ rpm -q selinux-policy
selinux-policy-3.13.1-300.fc28.noarch
~~~
$ sealert -l 5216c914-46de-49e9-9a19-fce5bf9fd215
SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth.
***** Plugin catchall (100. confidence) suggests **************************
If if you believe that (uetoothd) should be allowed mounton access on the bluetooth directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
# semodule -X 300 -i my-uetoothd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:bluetooth_var_lib_t:s0
Target Objects /var/lib/bluetooth [ dir ]
Source (uetoothd)
Source Path (uetoothd)
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages bluez-5.47-4.fc28.x86_64
Policy RPM selinux-policy-3.13.1-300.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
4.14.0-0.rc6.git0.1.fc28.x86_64 #1 SMP Mon Oct 23
16:37:45 UTC 2017 x86_64 x86_64
Alert Count 5
First Seen 2017-10-31 12:24:06 CET
Last Seen 2017-10-31 13:14:27 CET
Local ID 5216c914-46de-49e9-9a19-fce5bf9fd215
Raw Audit Messages
type=AVC msg=audit(1509452067.79:104): avc: denied { mounton } for pid=874 comm="(uetoothd)" path="/var/lib/bluetooth" dev="dm-0" ino=1966239 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bluetooth_var_lib_t:s0 tclass=dir permissive=0
Hash: (uetoothd),init_t,bluetooth_var_lib_t,dir,mounton
~~~

(In reply to Tom from comment #1)
This seems to be https://bugzilla.redhat.com/show_bug.cgi?id=1496249#c29

Description of problem:
Was trying to pair some bluetooth headphones with my laptop.
Version-Release number of selected component:
selinux-policy-3.14.1-1.fc28.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.0-0.rc7.git2.1.fc28.x86_64
type: libreport

This is still a problem with selinux-policy-3.14.1-2.fc28

Description of problem:
After clean F27 install, update to rawhide, and reboot
Version-Release number of selected component:
selinux-policy-3.14.1-3.fc28.noarch
Additional info:
reporter: libreport-2.9.3
hashmarkername: setroubleshoot
kernel: 4.15.0-0.rc9.git4.1.fc28.x86_64
type: libreport

Description of problem:
SELinux is preventing (uetoothd) from 'mounton' accesses on the dossier /var/lib/bluetooth.
***** Plugin catchall (100. confidence) suggests **************************
If if you believe that (uetoothd) should be allowed mounton access on the bluetooth directory by default.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
allow this access for now by executing:
# ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
# semodule -X 300 -i my-uetoothd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:bluetooth_var_lib_t:s0
Target Objects /var/lib/bluetooth [ dir ]
Source (uetoothd)
Source Path (uetoothd)
Port <Inconnu>
Host (removed)
Source RPM Packages
Target RPM Packages bluez-5.47-4.fc28.x86_64
Policy RPM selinux-policy-3.13.1-295.fc28.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed)
4.14.0-0.rc3.git3.1.fc28.x86_64 #1 SMP Thu Oct 5
20:52:54 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-10-14 14:32:17 CEST
Last Seen 2017-10-14 14:32:17 CEST
Local ID 920cfd91-542b-44d4-beca-dd66f9733e26
Raw Audit Messages
type=AVC msg=audit(1507984337.296:1246): avc: denied { mounton } for pid=1418 comm="(uetoothd)" path="/var/lib/bluetooth" dev="dm-0" ino=270685 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bluetooth_var_lib_t:s0 tclass=dir permissive=0
Hash: (uetoothd),init_t,bluetooth_var_lib_t,dir,mounton
Version-Release number of selected component:
selinux-policy-3.13.1-295.fc28.noarch
Additional info:
component: selinux-policy
reporter: libreport-2.9.2
hashmarkername: setroubleshoot
kernel: 4.14.0-0.rc3.git3.1.fc28.x86_64
type: libreport
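
Added example (not part of the bug report and not setroubleshoot's own code): a small Python parser for the two raw AVC records quoted in the comments above, showing that both alerts reduce to the tuple on the "Hash:" line and which type-enforcement rule the denial corresponds to. The function names are chosen for this illustration.

```python
import re
from collections import Counter

# The two raw AVC records quoted in this bug report, copied verbatim.
SAMPLE = '''\
type=AVC msg=audit(1509452067.79:104): avc: denied { mounton } for pid=874 comm="(uetoothd)" path="/var/lib/bluetooth" dev="dm-0" ino=1966239 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bluetooth_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1507984337.296:1246): avc: denied { mounton } for pid=1418 comm="(uetoothd)" path="/var/lib/bluetooth" dev="dm-0" ino=270685 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bluetooth_var_lib_t:s0 tclass=dir permissive=0
'''
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def signature(rec):
    """Tuple in the order shown on the page's 'Hash:' line."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"],
                     rec["tclass"], *rec["perms"]])

def te_rule(rec):
    """Type-enforcement rule that would permit the denied access."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {rec["stype"]} {rec["ttype"]}:{rec["tclass"]} {p};'

def summarize(text):
    """Count denials per signature so repeated alerts collapse to one entry."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    return Counter(signature(r) for r in recs), recs

if __name__ == "__main__":
    counts, recs = summarize(SAMPLE)
    for sig, n in counts.items():
        print(n, sig)
    print(te_rule(recs[0]))
```

The source type in the resulting rule is init_t, taken from scontext, so the rule applies to the init domain as a whole and not to a Bluetooth-specific domain.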