Bug 160678

Summary: SELinux prevents setup of BT connections
Product: [Fedora] Fedora
Reporter: Stefan Becker <chemobejk>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 4
CC: dkelson, dwalsh, dwmw2, sergey_udaltsov
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Fixed In Version: FEDORA-2005-513
Doc Type: Bug Fix
Last Closed: 2005-07-08 03:42:11 UTC

Description Stefan Becker 2005-06-16 15:58:08 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Firefox/1.0.4

Description of problem:
The SELinux targeted policy covers the bluetooth daemon by default. When hcid tries to set up a BT connection, it is prevented by SELinux from doing so.

After selecting "SELinux Service Protection" -> "Disable SELinux protection for 
bluetooth daemon" BT starts to work again.

Version-Release number of selected component (if applicable):
bluez-utils-2.15-7, selinux-policy-targeted-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1. Base FC4 installation
2. rfcomm connect 0 00:02:EE:93:9F:C8 1
3.

  

Actual Results:  # rfcomm connect 0 00:02:EE:93:9F:C8 1
Can't connect RFCOMM socket: Resource temporarily unavailable


Expected Results:  BT connection should have been initiated

Additional info:

# service bluetooth start
Starting Bluetooth services:                               [  OK  ]

# ps -efw | fgrep hcid
root      2676     1  0 00:31 ?        00:00:00 hcid: processing events

# tail /var/log/messages
...
Jun 16 00:31:22 baraddur hcid[2676]: Bluetooth HCI daemon
Jun 16 00:31:22 baraddur hcid[2676]: Starting security manager 0
Jun 16 00:31:23 baraddur sdpd[2680]: Bluetooth SDP daemon

 ---> Execute "rfcomm connect 0 00:02:EE:93:9F:C8 1"

# tail /var/log/audit.log:
...
type=SYSCALL msg=audit(1118907083.101:13376313): arch=40000003 syscall=146 
success=no exit=-13 a0=6 a1=bfacb070 a2=3 a3=3 items=0 pid=2678 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="hcid" exe="/usr/sbin/hcid"
type=AVC msg=audit(1118907083.101:13376313): avc:  denied  { write } for  
pid=2678 comm="hcid" scontext=root:system_r:bluetooth_t 
tcontext=root:system_r:bluetooth_t tclass=socket
type=SYSCALL msg=audit(1118907083.102:13376320): arch=40000003 syscall=146 
success=no exit=-13 a0=6 a1=bfacb070 a2=3 a3=3 items=0 pid=2678 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="hcid" exe="/usr/sbin/hcid"
type=AVC msg=audit(1118907083.102:13376320): avc:  denied  { write } for  
pid=2678 comm="hcid" scontext=root:system_r:bluetooth_t 
tcontext=root:system_r:bluetooth_t tclass=socket
type=AVC_PATH msg=audit(1118907114.146:13503165):  path="socket:[203470]"
type=SYSCALL msg=audit(1118907114.146:13503165): arch=40000003 syscall=3 
success=no exit=-13 a0=6 a1=bfacb0c4 a2=104 a3=104 items=0 pid=2676 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="hcid" exe="/usr/sbin/hcid"
type=AVC msg=audit(1118907114.146:13503165): avc:  denied  { read } for  
pid=2676 comm="hcid" name=[203470] dev=sockfs ino=203470 
scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t 
tclass=socket



With SELinux protection for the bluetooth daemon deactivated, BT connections work OK:

# hcid -n -f /etc/bluetooth/hcid.conf
hcid[2788]: Bluetooth HCI daemon
hcid[2788]: Starting security manager 0

  ---> now start same rfcomm command as above

hcid[2788]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)

  ---> connection to cell phone established
  ---> Press CTRL-C to abort rfcomm
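
Added example (not part of the original report or of the Fedora policy): a small Python parser that rejoins the hard-wrapped audit records from the description, collapses the repeated AVC denials and prints the allow rule they imply, in the syntax audit2allow emits. The page does not show the rule that actually shipped in the fix; the function names and the abbreviated sample are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Abbreviated excerpt of the report's audit records, hard line wraps kept.
SAMPLE = '''type=AVC msg=audit(1118907083.101:13376313): avc:  denied  { write } for
pid=2678 comm="hcid" scontext=root:system_r:bluetooth_t
tcontext=root:system_r:bluetooth_t tclass=socket
type=AVC msg=audit(1118907083.102:13376320): avc:  denied  { write } for
pid=2678 comm="hcid" scontext=root:system_r:bluetooth_t
tcontext=root:system_r:bluetooth_t tclass=socket
type=AVC_PATH msg=audit(1118907114.146:13503165):  path="socket:[203470]"
type=AVC msg=audit(1118907114.146:13503165): avc:  denied  { read } for
pid=2676 comm="hcid" name=[203470] dev=sockfs ino=203470
scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t
tclass=socket
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\S+)")

def records(text):
    """Rejoin hard-wrapped lines; a new record starts at each 'type=... msg=audit('."""
    joined = " ".join(line.strip() for line in text.splitlines())
    return re.split(r"\s+(?=type=[A-Z_]+ msg=audit\()", joined)

def denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    out = defaultdict(set)
    for rec in records(text):
        # Only AVC records carry the decision; AVC_PATH and SYSCALL are context.
        m = AVC_RE.search(rec) if rec.startswith("type=AVC ") else None
        if m:
            perms, scon, tcon, tclass = m.groups()
            # A context is user:role:type[:level]; the rule uses the type.
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            out[key].update(perms.split())
    return dict(out)

def candidate_rules(text):
    """Render each group in policy 'allow' syntax, one rule per group."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials(text).items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

All three denials in the report have identical source and target contexts and the generic `socket` class, so they collapse into a single rule on `bluetooth_t self:socket`.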

Comment 1 Stefan Becker 2005-06-21 02:15:19 UTC
Retried with selinux-policy-targeted-1.23.18-12 which was released today,
because the changelog mentioned the bluetooth daemon. Still no success.

Added Daniel, the SELinux policy maintainer, as CC. Maybe he can shed some light
on this problem.

Comment 2 Daniel Walsh 2005-06-26 11:56:14 UTC
Fixed in selinux-policy-targeted-1.23.18-21

Comment 3 Stefan Becker 2005-07-08 03:42:11 UTC
Verified correction with selinux-policy-targeted-1.24-3