Bug 1473954 - blueman not allowed to setup bluetooth network
blueman not allowed to setup bluetooth network
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
26
All Linux
unspecified Severity urgent
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-22 13:47 EDT by Aleksandar Kostadinov
Modified: 2017-10-03 13 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
ausearch -m USER_AVC,AVC -ts today (1.47 KB, text/plain)
2017-10-03 09:28 EDT, Aleksandar Kostadinov
no flags Details
ausearch -m USER_AVC,AVC -ts today (re comment 7) (2.56 KB, text/plain)
2017-10-03 13:42 EDT, Aleksandar Kostadinov
no flags Details

  None (edit)
Description Aleksandar Kostadinov 2017-07-22 13:47:55 EDT
Description of problem:
g-io-error-quark: GDBus.Error:org.freedesktop.DBus.Python.GLib.Error: Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/dbus/service.py", line 707, in _message_cb
    retval = candidate_method(self, *args, **keywords)
  File "/usr/lib/python3.6/site-packages/blueman/main/DbusService.py", line 38, in wrapper
    return method(*args[1:], **kwargs)
  File "/usr/lib/python3.6/site-packages/blueman/plugins/mechanism/Network.py", line 56, in ReloadNetwork
    self.confirm_authorization(caller, "org.blueman.network.setup")
  File "/usr/libexec/blueman-mechanism", line 166, in confirm_authorization
    action_id, {}, 1, "")
  File "/usr/lib64/python3.6/site-packages/gi/overrides/Gio.py", line 172, in __call__
    None)
GLib.GError: g-dbus-error-quark: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.67" (uid=0 pid=2407 comm="python3 /usr/libexec/blueman-mechanism " label="system_u:system_r:blueman_t:s0") interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" error name="(unset)" requested_reply="0" destination=":1.9" (uid=995 pid=1113 comm="/usr/lib/polkit-1/polkitd --no-debug " label="system_u:system_r:policykit_t:s0") (9)
 (36)

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-260.1.fc26.noarch
blueman-2.1-0.5.alpha1.fc26.x86_64

How reproducible:
always

Steps to Reproduce:
1. type in terminal `blueman-report`

And error window appears with the error pasted under Description.
Comment 1 Raphael Groner 2017-09-01 13:06:58 EDT
Reproducible here after the upgrade to Fedora 26, never seen with Fedora 25.

selinux-policy-3.13.1-260.6.fc26.noarch
blueman-2.1-0.5.alpha1.fc26.x86_64

Output of blueman-report:

blueman: 2.1.alpha1
BlueZ: 5.46
Distribution: 
Desktop: X-Cinnamon
Comment 2 Raphael Groner 2017-09-02 05:50:28 EDT
The error seems to be related to Cinnamon's bluetooth service. If this service is disabled in autostart settings, we don't see the popup window with the mentioned message, after the login to a cinnamon session.
Comment 3 Aleksandar Kostadinov 2017-09-03 11:09:02 EDT
It should be policy for blueman. I'm on XFCE so not related to Cinnamon. Most likely, when you disable the service, blueman is just not started, thus error is gone. But to have BT working, we need it started.
Comment 4 Raphael Groner 2017-09-22 06:26:13 EDT
Did you try bluetoothctl?
https://gist.github.com/0/c73e2557d875446b9603
Comment 5 Lukas Vrabec 2017-10-03 06:35:11 EDT
Could you please reproduce the scenario and then attach output of:
# ausearch -m USER_AVC,AVC -ts today 

Thanks,
Lukas.
Comment 6 Aleksandar Kostadinov 2017-10-03 09:28 EDT
Created attachment 1333664 [details]
ausearch -m USER_AVC,AVC -ts today

Attached, thank you.
Comment 7 Lukas Vrabec 2017-10-03 10:26:44 EDT
Could you add local policy module and then reproduce the scenario? 

# cat blueman_local.cil 
(allow blueman_t policykit_t (dbus (send_msg)))

# semodule -i blueman_local.cil

Thanks,
Lukas.
Comment 8 Aleksandar Kostadinov 2017-10-03 13:42 EDT
Created attachment 1333841 [details]
ausearch -m USER_AVC,AVC -ts today (re comment 7)

This one helped to some degree. The initial error message is now gone.

Blueman takes some time to be launched with the new policy and it asks twice for policykit password prompt. I think it is related to networking because I had a message prompt after the second polkit password prompt of

> g-io-error-quark: Timeout was reached (24)

I also see more messages in the log you asked me to attach (which you can find above).

On the bright side I was able to connect my android phone as audio source which is great!

Note You need to log in before you can comment on or make changes to this bug.