Bug 165521
Summary: | SELinux targeted policy denies execution of Bluetooth pin helper
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy-targeted
Reporter: | Stefan Becker <chemobejk>
Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Version: | 4
Hardware: | i386
OS: | Linux
Fixed In Version: | selinux-policy-targeted-1.27.1-2.6
Doc Type: | Bug Fix
Last Closed: | 2005-10-19 01:42:26 UTC

Description
Stefan Becker
2005-08-10 02:59:25 UTC
Fixed in selinux-policy-targeted-1.25.3-12

Retested with selinux-policy-targeted-1.25.4-10: Problem still exists but the error messages are different. The PIN helper seems to be executed now but it fails immediately.

messages:

```
Aug 29 16:29:28 barradur hcid[21623]: Bluetooth HCI daemon
Aug 29 16:29:28 barradur hcid[21623]: Starting security manager 0
Aug 29 16:29:28 barradur sdpd[21625]: init_server: binding UNIX socket: Address already in use
Aug 29 16:29:28 barradur sdpd[21625]: main: Server initialization failed
Aug 29 16:29:38 barradur hcid[21623]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Aug 29 16:29:38 barradur hcid[21623]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Aug 29 16:29:38 barradur hcid[21632]: PIN helper exited abnormally with code 32512
```

audit.log

```
type=AVC msg=audit(1125358168.728:7388944): avc: denied { unlink } for pid=21625 comm="sdpd" name="sdp" dev=dm-0 ino=721601 scontext=root:system_r:bluetooth_t tcontext=root:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1125358168.728:7388944): arch=40000003 syscall=10 success=no exit=-13 a0=bfaaa1ac a1=bfaaa160 a2=8e87b8 a3=bfaaa1aa items=1 pid=21625 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sdpd" exe="/usr/sbin/sdpd"
type=CWD msg=audit(1125358168.728:7388944): cwd="/"
type=PATH msg=audit(1125358168.728:7388944): item=0 name="/var/run/sdp" flags=10 inode=720932 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1125358178.187:7462885): avc: denied { read } for pid=21633 comm="hcid" name="sh" dev=dm-0 ino=753668 scontext=root:system_r:bluetooth_t tcontext=system_u:object_r:bin_t tclass=lnk_file
type=SYSCALL msg=audit(1125358178.187:7462885): arch=40000003 syscall=11 success=no exit=-13 a0=295a9b a1=bfda93bc a2=9a54078 a3=400 items=1 pid=21633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hcid" exe="/usr/sbin/hcid"
type=CWD msg=audit(1125358178.187:7462885): cwd="/"
type=PATH msg=audit(1125358178.187:7462885): item=0 name="/bin/sh" flags=101 inode=753665 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1125358178.188:7462888): avc: denied { getattr } for pid=21632 comm="hcid" name="[479227]" dev=pipefs ino=479227 scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=fifo_file
type=SYSCALL msg=audit(1125358178.188:7462888): arch=40000003 syscall=197 success=no exit=-13 a0=7 a1=bfdaa2ec a2=2a2ff4 a3=7 items=0 pid=21632 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hcid" exe="/usr/sbin/hcid"
type=AVC_PATH msg=audit(1125358178.188:7462888): path="pipe:[479227]"
type=AVC msg=audit(1125358178.188:7462890): avc: denied { read } for pid=21632 comm="hcid" name="[479227]" dev=pipefs ino=479227 scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=fifo_file
type=SYSCALL msg=audit(1125358178.188:7462890): arch=40000003 syscall=3 success=no exit=-13 a0=7 a1=b7fab000 a2=2000 a3=9a55ec8 items=0 pid=21632 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hcid" exe="/usr/sbin/hcid"
type=AVC_PATH msg=audit(1125358178.188:7462890): path="pipe:[479227]"
```

Ok can you do a setenforce 0 and then retry, in order to gather all of the denials.

Thanks, Dan

Commands:

```
# setenforce 0
# service bluetooth start
Starting Bluetooth services: [ OK ]
# rfcomm connect 0 00:02:EE:93:9F:C8 1
Connected /dev/rfcomm0 to 00:02:EE:93:9F:C8 on channel 1
Press CTRL-C for hangup
Disconnected
# service bluetooth stop
Stopping Bluetooth services: [ OK ]
# setenforce 1
```

messages:

```
Aug 30 21:56:11 barradur dbus: avc: received setenforce notice (enforcing=0)
Aug 30 21:56:19 barradur hcid[25976]: Bluetooth HCI daemon
Aug 30 21:56:20 barradur hcid[25976]: Starting security manager 0
Aug 30 21:56:20 barradur sdpd[25980]: Bluetooth SDP daemon
Aug 30 21:56:42 barradur hcid[25976]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Aug 30 21:56:42 barradur hcid[25976]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Aug 30 21:56:56 barradur hcid[25976]: link_key_notify (sba=00:0A:3A:58:BC:54)
Aug 30 21:56:56 barradur hcid[25976]: Replacing link key 00:0A:3A:58:BC:54 00:02:EE:93:9F:C8
Aug 30 21:57:14 barradur sdpd[25980]: terminating...
Aug 30 21:57:15 barradur hcid[25976]: Exit.
Aug 30 21:57:19 barradur dbus: avc: received setenforce notice (enforcing=1)
```

audit.log: (see attachment)

Created attachment 118275
audit.log with setenforce=0
Fixed in selinux-policy-*-1.27.1-2.1

Retested with selinux-policy-targeted-1.27.1-2.1. Still doesn't work :-(

From /var/log/messages:

```
Sep 23 20:48:26 barradur hcid[1932]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Sep 23 20:48:26 barradur hcid[1932]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Sep 23 20:48:26 barradur hcid[7207]: PIN helper exited abnormally with code 256
```

From /var/log/audit/audit.log:

```
type=AVC msg=audit(1127533887.164:113): avc: denied { read } for pid=7286 comm="sh" name="mtab" dev=dm-0 ino=1510036 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1127533887.164:113): arch=40000003 syscall=5 success=no exit=-13 a0=526dba a1=0 a2=1b6 a3=8b8aa60 items=1 pid=7286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1127533887.164:113): cwd="/"
type=PATH msg=audit(1127533887.164:113): item=0 name="/etc/mtab" flags=101 inode=1510036 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.201:114): avc: denied { read } for pid=7287 comm="sh" name="mtab" dev=dm-0 ino=1510036 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1127533887.201:114): arch=40000003 syscall=5 success=no exit=-13 a0=526dba a1=0 a2=1b6 a3=919fa60 items=1 pid=7287 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1127533887.201:114): cwd="/"
type=PATH msg=audit(1127533887.201:114): item=0 name="/etc/mtab" flags=101 inode=1510036 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.207:115): avc: denied { read } for pid=7287 comm="ps" name="mtab" dev=dm-0 ino=1510036 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1127533887.207:115): arch=40000003 syscall=5 success=no exit=-13 a0=526dba a1=0 a2=1b6 a3=8c39008 items=1 pid=7287 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1127533887.207:115): cwd="/"
type=PATH msg=audit(1127533887.207:115): item=0 name="/etc/mtab" flags=101 inode=1510036 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.208:116): avc: denied { read } for pid=7287 comm="ps" name="stat" dev=proc ino=477560846 scontext=system_u:system_r:bluetooth_t tcontext=system_u:system_r:bluetooth_t tclass=file
type=SYSCALL msg=audit(1127533887.208:116): arch=40000003 syscall=5 success=no exit=-13 a0=546200 a1=0 a2=0 a3=546200 items=1 pid=7287 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1127533887.208:116): cwd="/"
type=PATH msg=audit(1127533887.208:116): item=0 name="/proc/self/stat" flags=101 inode=477560846 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.227:117): avc: denied { write } for pid=7286 comm="bluez-pin" name="X0" dev=dm-0 ino=1802361 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:tmp_t tclass=sock_file
type=SYSCALL msg=audit(1127533887.227:117): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd2a350 a2=c5cabc a3=13 items=1 pid=7286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=SOCKADDR msg=audit(1127533887.227:117): saddr=01002F746D702F2E5831312D756E69782F5830
type=SOCKETCALL msg=audit(1127533887.227:117): nargs=3 a0=3 a1=bfd2a4be a2=13
type=PATH msg=audit(1127533887.227:117): item=0 flags=1 inode=1802361 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.229:118): avc: denied { connect } for pid=7286 comm="bluez-pin" scontext=system_u:system_r:bluetooth_t tcontext=system_u:system_r:bluetooth_t tclass=tcp_socket
type=SYSCALL msg=audit(1127533887.229:118): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd2a310 a2=c5cabc a3=9b2aa78 items=0 pid=7286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=SOCKADDR msg=audit(1127533887.229:118): saddr=020017707F0000010000000000000000
type=SOCKETCALL msg=audit(1127533887.229:118): nargs=3 a0=3 a1=9b2aa78 a2=10
```

Retested with selinux-policy-targeted-1.27.1-2.3. Still doesn't work :-(

From /var/log/messages:

```
Oct 7 19:42:11 barradur hcid[3143]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Oct 7 19:42:11 barradur hcid[3143]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Oct 7 19:42:12 barradur hcid[3162]: PIN helper exited abnormally with code 256
```

From /var/log/audit/audit.log:

```
type=AVC msg=audit(1128739332.044:41): avc: denied { read } for pid=3164 comm="ps" name="stat" dev=proc ino=207355918 scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=file
type=SYSCALL msg=audit(1128739332.044:41): arch=40000003 syscall=5 success=no exit=-13 a0=546200 a1=0 a2=0 a3=546200 items=1 pid=3164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1128739332.044:41): cwd="/"
type=PATH msg=audit(1128739332.044:41): item=0 name="/proc/self/stat" flags=101 inode=207355918 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1128739332.097:42): avc: denied { write } for pid=3163 comm="bluez-pin" name="X0" dev=dm-0 ino=1769542 scontext=root:system_r:bluetooth_t tcontext=system_u:object_r:tmp_t tclass=sock_file
type=SYSCALL msg=audit(1128739332.097:42): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe6ad40 a2=c00abc a3=13 items=1 pid=3163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=SOCKADDR msg=audit(1128739332.097:42): saddr=01002F746D702F2E5831312D756E69782F5830
type=SOCKETCALL msg=audit(1128739332.097:42): nargs=3 a0=3 a1=bfe6aeae a2=13
type=PATH msg=audit(1128739332.097:42): item=0 flags=1 inode=1769542 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1128739332.099:43): avc: denied { connect } for pid=3163 comm="bluez-pin" scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=tcp_socket
type=SYSCALL msg=audit(1128739332.099:43): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe6ad00 a2=c00abc a3=81eaa58 items=0 pid=3163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=SOCKADDR msg=audit(1128739332.099:43): saddr=020017707F0000010000000000000000
type=SOCKETCALL msg=audit(1128739332.099:43): nargs=3 a0=3 a1=81eaa58 a2=10
```

Could you try

```
chcon -t bluetooth-helper_t /usr/bin/bluez-pin
```

Then try again in permissive mode, and report AVC messages.

The chcon was wrong?

```
# chcon -t bluetooth-helper_t /usr/bin/bluez-pin
chcon: failed to change context of /usr/bin/bluez-pin to system_u:object_r:bluetooth-helper_t: Invalid argument
# chcon -t bluetooth_helper_t /usr/bin/bluez-pin
chcon: failed to change context of /usr/bin/bluez-pin to system_u:object_r:bluetooth_helper_t: Permission denied
```

After a little digging I figured out that this one works:

```
chcon -t bluetooth_helper_exec_t /usr/bin/bluez-pin
```

Commands:

```
# setenforce 0
# service bluetooth start
Starting Bluetooth services: [ OK ]
# rfcomm connect 0 00:02:EE:93:9F:C8 1
Connected /dev/rfcomm0 to 00:02:EE:93:9F:C8 on channel 1
Press CTRL-C for hangup
Disconnected
# service bluetooth stop
Stopping Bluetooth services: [ OK ]
# setenforce 1
```

messages:

```
Oct 11 19:59:23 barradur hcid[9431]: Bluetooth HCI daemon
Oct 11 19:59:23 barradur sdpd[9433]: Bluetooth SDP daemon
Oct 11 19:59:23 barradur hcid[9431]: Starting security manager 0
Oct 11 19:59:38 barradur hcid[9431]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Oct 11 19:59:38 barradur hcid[9431]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Oct 11 19:59:40 barradur gconfd (root-9444): starting (version 2.10.0), pid 9444 user 'root'
Oct 11 19:59:40 barradur gconfd (root-9444): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Oct 11 19:59:40 barradur gconfd (root-9444): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Oct 11 19:59:40 barradur gconfd (root-9444): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct 11 19:59:48 barradur hcid[9431]: link_key_notify (sba=00:0A:3A:58:BC:54)
Oct 11 19:59:48 barradur hcid[9431]: Replacing link key 00:0A:3A:58:BC:54 00:02:EE:93:9F:C8
Oct 11 20:00:03 barradur sdpd[9433]: terminating...
Oct 11 20:00:03 barradur hcid[9431]: Exit.
Oct 11 20:00:10 barradur dbus: avc: received setenforce notice (enforcing=1)
```

audit.log: (see attachment)

Created attachment 119826
audit.log with setenforce=0
Ok, let's try selinux-policy-targeted-1.27.1-2.6

Retested with selinux-policy-targeted-1.27.1-2.6: Works OK now. Thanks.
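
An added example, not part of the original report or of the selinux-policy project: the Python below groups AVC denials like those quoted in this thread by source type, target type and object class, and decodes the `saddr` field of the accompanying SOCKADDR records to show which sockets bluez-pin was refused. The sample records are copied from the audit.log excerpts above; the function names are hypothetical, and the little-endian family field is an assumption based on the i386 hardware listed for this bug.

```python
import re
import struct
from collections import defaultdict

# AVC and SOCKADDR records copied from the audit.log excerpts in this report.
SAMPLE = """\
type=AVC msg=audit(1127533887.164:113): avc: denied { read } for pid=7286 comm="sh" name="mtab" dev=dm-0 ino=1510036 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1127533887.227:117): avc: denied { write } for pid=7286 comm="bluez-pin" name="X0" dev=dm-0 ino=1802361 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:tmp_t tclass=sock_file
type=SOCKADDR msg=audit(1127533887.227:117): saddr=01002F746D702F2E5831312D756E69782F5830
type=AVC msg=audit(1127533887.229:118): avc: denied { connect } for pid=7286 comm="bluez-pin" scontext=system_u:system_r:bluetooth_t tcontext=system_u:system_r:bluetooth_t tclass=tcp_socket
type=SOCKADDR msg=audit(1127533887.229:118): saddr=020017707F0000010000000000000000
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")
SADDR_RE = re.compile(r"type=SOCKADDR .*?saddr=(?P<hex>[0-9A-Fa-f]+)")
AF_UNIX, AF_INET = 1, 2  # Linux address-family numbers


def summarize_denials(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    out = defaultdict(set)
    for m in AVC_RE.finditer(log):
        # The type is the third field of a user:role:type context.
        key = (m["s"].split(":")[2], m["t"].split(":")[2], m["cls"])
        out[key].update(m["perms"].split())
    return dict(out)


def decode_saddr(hex_str):
    """Decode a raw struct sockaddr dump from a SOCKADDR audit record."""
    raw = bytes.fromhex(hex_str)
    family = struct.unpack("<H", raw[:2])[0]  # assumed little-endian (i386)
    if family == AF_UNIX:
        return ("unix", raw[2:].split(b"\0")[0].decode())
    if family == AF_INET:
        port = struct.unpack("!H", raw[2:4])[0]  # port is in network order
        return ("inet", ".".join(str(b) for b in raw[4:8]), port)
    return ("family-%d" % family, raw[2:].hex())


def socket_targets(log):
    return [decode_saddr(m["hex"]) for m in SADDR_RE.finditer(log)]


if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize_denials(SAMPLE).items()):
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    print(socket_targets(SAMPLE))
```

The two decoded addresses are the local X11 display socket and its TCP fallback on port 6000, which is why a graphical PIN helper running in the daemon's `bluetooth_t` domain fails until it is labelled for its own helper domain.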