Bug 1747768

Summary: SELinux prevents NetworkManager from opening bluetooth socket for DUN connections
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.1
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Thomas Haller <thaller>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: atragler, bgalvani, fgiudici, lrintel, lvrabec, mmalik, plautrba, rkhan, ssekidde, sukulkar, thaller, zpytela
Target Milestone: rc
Target Release: 8.2
Keywords: Patch, Reopened
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-22.el8
Last Closed: 2020-04-28 16:41:06 UTC
Type: Bug

Description Thomas Haller 2019-09-01 11:35:45 UTC
DUN connections are established by creating and connecting an AF_BLUETOOTH socket.

SELinux does not allow NetworkManager to do that:

Sep 01 13:32:45 rh1 audit[8403]: AVC avc:  denied  { create } for  pid=8403 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=bluetooth_socket permissive=0





Sep 01 13:32:49 rh1 setroubleshoot[8871]: SELinux is preventing NetworkManager from create access on the bluetooth_socket labeled NetworkManager_t. For complete SELinux messages run: sealert -l b1733272-f75d-4f31-8f6f-746a2957c5f7
Sep 01 13:32:49 rh1 python3[8871]: SELinux is preventing NetworkManager from create access on the bluetooth_socket labeled NetworkManager_t.
                                   
                                   *****  Plugin catchall (100. confidence) suggests   **************************
                                   
                                   If you believe that NetworkManager should be allowed create access on bluetooth_socket labeled NetworkManager_t by default.
                                   Then you should report this as a bug.
                                   You can generate a local policy module to allow this access.
                                   Do
                                   allow this access for now by executing:
                                   # ausearch -c 'NetworkManager' --raw | audit2allow -M my-NetworkManager
                                   # semodule -X 300 -i my-NetworkManager.pp

Comment 2 Lukas Vrabec 2019-09-23 08:26:17 UTC
Hi All, 

PR is merged and backported to Rawhide, F31 and F30.

Comment 3 Thomas Haller 2019-09-23 10:28:15 UTC
(In reply to Lukas Vrabec from comment #2)
> Hi All, 
> 
> PR is merged and backported to Rawhide, F31 and F30.

Thank you Lukas,


I think we can close this bug then.

(Maybe I should reassign it to the SELinux component, but since it's fixed already, there isn't much point.)

Closing.

Comment 4 Thomas Haller 2019-09-23 10:29:21 UTC
OK, I am an idiot.

This bug is for RHEL-8...

Reopening and reassigning. Sorry.

Comment 14 errata-xmlrpc 2020-04-28 16:41:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773