Bug 2332148

| Summary: | There are three different bluetooth socket rules. |
|---|---|
| Product: | Fedora |
| Reporter: | Steve <y9t7sypezp> |
| Component: | selinux-policy |
| Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium |
| Docs Contact: | |
| Priority: | unspecified |
| Version: | 41 |
| CC: | dwalsh, lvrabec, mmalik, omosnacek, pav, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- |
| Target Release: | --- |
| Hardware: | Unspecified |
| OS: | Linux |
| Whiteboard: | |
| Fixed In Version: | |
| Doc Type: | --- |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | 2024-12-13 22:41:50 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
Copied from Bug 2331485:

```
$ sudo ausearch -i -c dbus-broker -m avc
----
type=PROCTITLE msg=audit(12/10/2024 18:13:42.714:508) : proctitle=dbus-broker --log 4 --controller 9 --machine-id 86933a03d0904efdac861089c417e8c3 --max-bytes 536870912 --max-fds 4096 --max-matc
type=SYSCALL msg=audit(12/10/2024 18:13:42.714:508) : arch=x86_64 syscall=recvmsg success=yes exit=310 a0=0x3e a1=0x7ffcf2954830 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x10 items=0 ppid=905 pid=906 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-broker exe=/usr/bin/dbus-broker subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/10/2024 18:13:42.714:508) : avc: denied { read write } for pid=906 comm=dbus-broker path=socket:[74394] dev="sockfs" ino=74394 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0 tclass=unix_stream_socket permissive=0

$ ps -eL -o pid,tid,ppid,comm,cmd,label | egrep 'PID|system_dbusd_t|bluetooth_t'
    PID     TID    PPID COMMAND         CMD                         LABEL
    925     925       1 dbus-broker-lau /usr/bin/dbus-broker-launch system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
    926     926     925 dbus-broker     dbus-broker --log 4 --contr system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
    928     928       1 bluetoothd      /usr/libexec/bluetooth/blue system_u:system_r:bluetooth_t:s0
```

NB: The "dbus-broker" PID, 926, doesn't match the PID in the AVC, because the above "ps" output was captured in a different test run.

These are the Unix domain sockets opened by bluetoothd:

```
$ sudo lsof -w +c0 -Z -a -U -c bluetooth
COMMAND    PID SECURITY-CONTEXT                 USER FD   TYPE DEVICE             SIZE/OFF NODE  NAME
bluetoothd 928 system_u:system_r:bluetooth_t:s0 root 1u   unix 0x00000000adb3c8b0 0t0      10553 type=STREAM (CONNECTED)
bluetoothd 928 system_u:system_r:bluetooth_t:s0 root 2u   unix 0x00000000adb3c8b0 0t0      10553 type=STREAM (CONNECTED)
bluetoothd 928 system_u:system_r:bluetooth_t:s0 root 4u   unix 0x00000000d179786f 0t0      10652 type=DGRAM (CONNECTED)
bluetoothd 928 system_u:system_r:bluetooth_t:s0 root 6u   unix 0x0000000018b093c6 0t0      10654 type=DGRAM (CONNECTED)
bluetoothd 928 system_u:system_r:bluetooth_t:s0 root 7u   unix 0x00000000a2237004 0t0      10659 type=STREAM (CONNECTED)
```

This shows the connected endpoints -- systemd, systemd-journal, dbus-broker, bluetoothd. In particular, dbus-broker (INO=10659) connects to bluetoothd (NODE 10659).

```
$ sudo lsof -w +c0 -Z +E -a -U -c bluetooth
COMMAND         PID SECURITY-CONTEXT                                USER FD   TYPE DEVICE             SIZE/OFF NODE  NAME
systemd         1   system_u:system_r:init_t:s0                     root 51u  unix 0x00000000ec16c9a6 0t0      6742  /run/systemd/notify type=DGRAM ->INO=10652 928,,4u (CONNECTED)
systemd         1   system_u:system_r:init_t:s0                     root 68u  unix 0x00000000b1347d03 0t0      6758  /run/systemd/journal/dev-log type=DGRAM ->INO=14387 1079,,3u (CONNECTED)
systemd         1   system_u:system_r:init_t:s0                     root 198u unix 0x00000000ebd55535 0t0      8593  /run/systemd/journal/stdout type=STREAM ->INO=10553 928,,2u 928,,1u (CONNECTED)
systemd-journal 696 system_u:system_r:syslogd_t:s0                  root 6u   unix 0x00000000b1347d03 0t0      6758  /run/systemd/journal/dev-log type=DGRAM ->INO=14387 1079,,3u (CONNECTED)
systemd-journal 696 system_u:system_r:syslogd_t:s0                  root 26u  unix 0x00000000ebd55535 0t0      8593  /run/systemd/journal/stdout type=STREAM ->INO=10553 928,,2u 928,,1u (CONNECTED)
dbus-broker     926 system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 dbus 26u  unix 0x000000005d428ebd 0t0      11772 /run/dbus/system_bus_socket type=STREAM ->INO=10659 928,,7u (CONNECTED)
bluetoothd      928 system_u:system_r:bluetooth_t:s0                root 1u   unix 0x00000000adb3c8b0 0t0      10553 type=STREAM ->INO=8593 696,,26u 1,,198u (CONNECTED)
bluetoothd      928 system_u:system_r:bluetooth_t:s0                root 2u   unix 0x00000000adb3c8b0 0t0      10553 type=STREAM ->INO=8593 696,,26u 1,,198u (CONNECTED)
bluetoothd      928 system_u:system_r:bluetooth_t:s0                root 4u   unix 0x00000000d179786f 0t0      10652 type=DGRAM ->INO=6742 1,,51u (CONNECTED)
bluetoothd      928 system_u:system_r:bluetooth_t:s0                root 6u   unix 0x0000000018b093c6 0t0      10654 type=DGRAM ->INO=6758 696,,6u 1,,68u (CONNECTED)
bluetoothd      928 system_u:system_r:bluetooth_t:s0                root 7u   unix 0x00000000a2237004 0t0      10659 type=STREAM ->INO=11772 926,,26u (CONNECTED)
```

These are the socket files from Comment 3:

```
$ ls -lFZ /run/dbus/system_bus_socket /run/systemd/journal/dev-log /run/systemd/journal/stdout /run/systemd/notify
srw-rw-rw-. 1 root root system_u:object_r:system_dbusd_var_run_t:s0 0 Dec 12 18:18 /run/dbus/system_bus_socket=
srw-rw-rw-. 1 root root system_u:object_r:devlog_t:s0 0 Dec 12 18:18 /run/systemd/journal/dev-log=
srw-rw-rw-. 1 root root system_u:object_r:syslogd_var_run_t:s0 0 Dec 12 18:18 /run/systemd/journal/stdout=
srwxrwxrwx. 1 root root system_u:object_r:init_var_run_t:s0 0 Dec 12 18:18 /run/systemd/notify=
```

Closing as a duplicate of Bug 2331485, because the selinux "bluetooth_socket" class appears to correspond to the "AF_BLUETOOTH" address family (address_families(7)) and is therefore distinct from the selinux "unix_stream_socket" class.

https://github.com/fedora-selinux/selinux-policy/blob/v41.26/policy/flask/access_vectors#L1029-L1030
https://github.com/fedora-selinux/selinux-policy/blob/v41.26/policy/policy_capabilities#L45-L49
https://github.com/fedora-selinux/selinux-policy/commit/0a9d4c41b010f7daef39473d37d8c162ffe18a3a

*** This bug has been marked as a duplicate of bug 2331485 ***

(In reply to Steve from comment #5)
> ... the selinux "bluetooth_socket" class appears to correspond to the "AF_BLUETOOTH" address family (address_families(7)) ...

The mapping is here:

```c
static inline u16 socket_type_to_security_class(int family, int type, int protocol)
...
	case PF_BLUETOOTH:
		return SECCLASS_BLUETOOTH_SOCKET;
...
```

https://github.com/gregkh/linux/blob/v6.11.11/security/selinux/hooks.c#L1155
https://github.com/gregkh/linux/blob/v6.11.11/security/selinux/hooks.c#L1270-L1271

```c
/* Protocol families, same as address families. */
...
#define PF_BLUETOOTH	AF_BLUETOOTH
...
```

https://github.com/gregkh/linux/blob/v6.11.11/include/linux/socket.h#L246
https://github.com/gregkh/linux/blob/v6.11.11/include/linux/socket.h#L280

SECCLASS_BLUETOOTH_SOCKET is defined in ./security/selinux/flask.h, which is generated when the kernel is built:

```
$ egrep -n -C0 'generated|SECCLASS_BLUETOOTH_SOCKET|security_is_socket_class' ./security/selinux/flask.h
1:/* This file is automatically generated. Do not edit. */
--
80:#define SECCLASS_BLUETOOTH_SOCKET 76
--
117:static inline bool security_is_socket_class(u16 kern_tclass)
--
166:	case SECCLASS_BLUETOOTH_SOCKET:
```

There are three different bluetooth socket rules:

```
$ sesearch -A -s system_dbusd_t -t bluetooth_t | fgrep socket
allow system_dbusd_t bluetooth_t:bluetooth_socket { append bind connect getattr getopt ioctl lock read setattr setopt shutdown write }; [ deny_bluetooth ]:False
allow system_dbusd_t bluetooth_t:socket { append bind connect getattr getopt ioctl lock read setattr setopt shutdown write };
allow system_dbusd_t bluetooth_t:unix_stream_socket connectto;

$ sudo semodule -lfull | fgrep bluetooth
100 bluetooth pp
```

Tested with:

```
$ rpm -q selinux-policy
selinux-policy-41.26-1.fc41.noarch
```

Reproducible: Always
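To make the point of comment 5 and of the description concrete, here is an added Python example (not part of the bug report or of selinux-policy) that reduces the AVC record above to source type, target type, object class and denied permissions, then checks it against the three sesearch rules: the two rules on `bluetooth_socket` and `socket` can never satisfy a denial on `unix_stream_socket`, and the only rule on that class grants `connectto`, not `read`/`write`. The AVC line and the sesearch lines are copied from this bug into the script as constructed input, and the regexes cover only the `ausearch -i` and `sesearch -A` formats shown here.

```python
import re

# Constructed inputs, copied from this bug: the AVC record and the three sesearch rules.
AVC = ('type=AVC msg=audit(12/10/2024 18:13:42.714:508) : avc: denied { read write } '
       'for pid=906 comm=dbus-broker path=socket:[74394] dev="sockfs" ino=74394 '
       'scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:system_r:bluetooth_t:s0 tclass=unix_stream_socket permissive=0')
SESEARCH = """\
allow system_dbusd_t bluetooth_t:bluetooth_socket { append bind connect getattr getopt ioctl lock read setattr setopt shutdown write }; [ deny_bluetooth ]:False
allow system_dbusd_t bluetooth_t:socket { append bind connect getattr getopt ioctl lock read setattr setopt shutdown write };
allow system_dbusd_t bluetooth_t:unix_stream_socket connectto;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
RULE_RE = re.compile(r'^allow (?P<src>\S+) (?P<tgt>\S+):(?P<cls>\S+) '
                     r'(?:\{\s*(?P<perms>[^}]+)\}|(?P<perm>[^\s;]+));'
                     r'(?:\s+\[ (?P<bool>\S+) \]:(?P<val>\S+))?')

def parse_avc(line):
    """Reduce an ausearch -i AVC record to source type, target type, class and denied perms."""
    m = AVC_RE.search(line)
    return {'src': m['scon'].split(':')[2], 'tgt': m['tcon'].split(':')[2],
            'cls': m['tclass'], 'perms': set(m['perms'].split())}

def parse_rules(text):
    """Parse 'allow' lines from sesearch -A output, keeping any boolean condition."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({'src': m['src'], 'tgt': m['tgt'], 'cls': m['cls'],
                          'perms': set(m['perms'].split()) if m['perms'] else {m['perm']},
                          'cond': (m['bool'], m['val']) if m['bool'] else None})
    return rules

def explain(avc, rules):
    """Rules on the denied class, the other classes seen for the same pair, and perms none grants.
    The class is fixed by the kernel's family mapping (AF_UNIX stream vs AF_BLUETOOTH)."""
    pair = [r for r in rules if (r['src'], r['tgt']) == (avc['src'], avc['tgt'])]
    same_class = [r for r in pair if r['cls'] == avc['cls']]
    other_class = sorted(r['cls'] for r in pair if r['cls'] != avc['cls'])
    granted = set().union(*(r['perms'] for r in same_class))
    return {'applicable': same_class, 'ignored_classes': other_class,
            'missing': sorted(avc['perms'] - granted)}

if __name__ == '__main__':
    print(explain(parse_avc(AVC), parse_rules(SESEARCH)))
```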