Bug 2181362

Summary:	SELinux is preventing blueman-mechani from using the 'signal' accesses on a process.
Product:	[Fedora] Fedora	Reporter:	fschaupp
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	medium
Version:	37	CC:	dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone:	---	Keywords:	Triaged
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:	abrt_hash:e602373d3a065ec3f5799c32ebba69b254df8dc200a917cd297669346630055f;VARIANT_ID=cinnamon;
Fixed In Version:	selinux-policy-37.22-1.fc37	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-07-15 01:53:42 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description fschaupp 2023-03-23 21:06:20 UTC

Description of problem:
Blueman: Connect to device offering a rfcomm serial device
SELinux is preventing blueman-mechani from using the 'signal' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass es blueman-mechani standardmäßig erlaubt sein sollte, signal Zugriff auf unconfined_t Prozesse zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'blueman-mechani' --raw | audit2allow -M my-bluemanmechani
# semodule -X 300 -i my-bluemanmechani.pp

Additional Information:
Source Context                system_u:system_r:blueman_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-
                              s0:c0.c1023
Target Objects                Unbekannt [ process ]
Source                        blueman-mechani
Source Path                   blueman-mechani
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.19-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.19-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.7-200.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Mar 17 16:16:00 UTC 2023
                              x86_64 x86_64
Alert Count                   1
First Seen                    2023-03-23 22:03:31 CET
Last Seen                     2023-03-23 22:03:31 CET
Local ID                      d6a401db-37fc-4664-a64a-f7abce698834

Raw Audit Messages
type=AVC msg=audit(1679605411.551:296): avc:  denied  { signal } for  pid=4411 comm="blueman-mechani" scontext=system_u:system_r:blueman_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: blueman-mechani,blueman_t,unconfined_t,process,signal

Version-Release number of selected component:
selinux-policy-targeted-37.19-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.2.7-200.fc37.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2023-05-11 20:35:42 UTC

Hello,

Do you know which setup is needed to trigger this denial?
Is there any problem with the service logged in journal?

Comment 2 fschaupp 2023-05-12 06:02:04 UTC

If I remember correctly, it happened when connecting to a serial port of the Bluetooth device.

Comment 3 fschaupp 2023-05-16 05:43:18 UTC

 What do you mean with 'Is there any problem with the service logged in journal?
'?

Comment 4 Zdenek Pytela 2023-05-16 15:38:16 UTC

(In reply to fschaupp from comment #3)
>  What do you mean with 'Is there any problem with the service logged in
> journal?
> '?

Trying to gather all relevant information. Apart from the AVC denial reported for "blueman-mechani" in audit log, did you also see any problem with the service as a user, or logged to journal?

Comment 5 fschaupp 2023-05-16 15:44:51 UTC

I got the denial report in Fedora and it didn't seem to work when using it in an application.
So, well, I reported for the next user not to have the issue as always.

Comment 6 Fedora Update System 2023-06-29 19:59:47 UTC

FEDORA-2023-e74ea79879 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-e74ea79879

Comment 7 Fedora Update System 2023-06-30 02:05:08 UTC

FEDORA-2023-e74ea79879 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-e74ea79879`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-e74ea79879

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-07-15 01:53:42 UTC

FEDORA-2023-e74ea79879 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.