Description of problem:
SELinux is preventing bluetoothd from 'shutdown' accesses on the socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bluetoothd should be allowed shutdown access on the Unknown socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'bluetoothd' --raw | audit2allow -M my-bluetoothd
# semodule -X 300 -i my-bluetoothd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                Unknown [ socket ]
Source                        bluetoothd
Source Path                   bluetoothd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-288.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.14.0-0.rc1.git4.1.fc28.x86_64 #1 SMP Fri Sep 22 21:46:10 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-09-27 01:48:11 +07
Last Seen                     2017-09-27 01:48:11 +07
Local ID                      793dfbbd-a490-4d09-a5c0-b12e745754a5

Raw Audit Messages
type=AVC msg=audit(1506451691.24:132008): avc: denied { shutdown } for pid=18103 comm="bluetoothd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=socket permissive=1

Hash: bluetoothd,init_t,init_t,socket,shutdown

Version-Release number of selected component:
selinux-policy-3.13.1-288.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.14.0-0.rc1.git4.1.fc28.x86_64
type:           libreport
*** Bug 1496248 has been marked as a duplicate of this bug. ***
*** Bug 1496247 has been marked as a duplicate of this bug. ***
*** Bug 1496123 has been marked as a duplicate of this bug. ***
*** Bug 1494924 has been marked as a duplicate of this bug. ***
*** Bug 1494925 has been marked as a duplicate of this bug. ***
*** Bug 1494926 has been marked as a duplicate of this bug. ***
*** Bug 1494927 has been marked as a duplicate of this bug. ***
*** Bug 1494928 has been marked as a duplicate of this bug. ***
*** Bug 1494929 has been marked as a duplicate of this bug. ***
*** Bug 1494930 has been marked as a duplicate of this bug. ***
*** Bug 1494932 has been marked as a duplicate of this bug. ***
*** Bug 1494933 has been marked as a duplicate of this bug. ***
*** Bug 1494934 has been marked as a duplicate of this bug. ***
*** Bug 1494936 has been marked as a duplicate of this bug. ***
*** Bug 1494937 has been marked as a duplicate of this bug. ***
*** Bug 1494938 has been marked as a duplicate of this bug. ***
*** Bug 1494696 has been marked as a duplicate of this bug. ***
*** Bug 1494977 has been marked as a duplicate of this bug. ***
For some reason, the bluetoothd daemon runs as init_t instead of bluetooth_t. How did you start this daemon?

Lukas.
(In reply to Lukas Vrabec from comment #19)
> For some reason, the bluetoothd daemon runs as init_t instead of bluetooth_t. How
> did you start this daemon?
>
> Lukas.

It got started by systemd... Basically systemctl start bluetooth.service
Yeah, I believe the bluetoothd service file has the new systemd security feature "NoNewPrivileges=true", which causes a broken SELinux transition. We have fixes for this in new rawhide. If you would like to use SELinux for bluetoothd, you need to remove this systemd feature from the service file.
Excuse my ignorance, but could you please be more specific about "We have fixes for this in new rawhide."? I have a recent rawhide version of bluez and selinux-policy and I hit this issue. So what else should I have installed to get this fixed?

$ rpm -q bluez
bluez-5.47-3.fc28.x86_64
$ rpm -q selinux-policy
selinux-policy-3.13.1-294.fc28.noarch
Pretty please, how to fix this? I cannot use my BT mouse which is pretty annoying ...
(In reply to Vít Ondruch from comment #23)
> Pretty please, how to fix this? I cannot use my BT mouse which is pretty
> annoying ...

# setenforce 0 =)
Fix will be part of the next selinux-policy build for Rawhide. Moving to POST.
This is still not resolved:

$ rpm -q selinux-policy
selinux-policy-3.13.1-300.fc28.noarch
Vit,

Are you still able to reproduce it after restarting the bluetoothd service? What is the output of:

# ls -Z /usr/libexec/bluetooth/bluetoothd
# sesearch -A -s init_t -c process2 -t bluetooth_t

Thanks,
Lukas.
(In reply to Lukas Vrabec from comment #27)
> Are you still able to reproduce it after restarting the bluetoothd service?

I even restarted the whole computer, but just FTR:

~~~
$ systemctl restart bluetooth.service
Job for bluetooth.service failed because a fatal signal was delivered to the control process.
See "systemctl status bluetooth.service" and "journalctl -xe" for details.
$ LANG=C.UTF-8 systemctl status bluetooth.service
● bluetooth.service - Bluetooth service
   Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Tue 2017-10-31 12:29:06 CET; 29s ago
     Docs: man:bluetoothd(8)
  Process: 2622 ExecStart=/usr/libexec/bluetooth/bluetoothd (code=killed, signal=SEGV)
 Main PID: 2622 (code=killed, signal=SEGV)

Oct 31 12:29:06 localhost.localdomain systemd[1]: Starting Bluetooth service...
Oct 31 12:29:06 localhost.localdomain systemd[1]: bluetooth.service: Main process exited, code=killed, status=11/SEGV
Oct 31 12:29:06 localhost.localdomain systemd[1]: bluetooth.service: Failed with result 'signal'.
Oct 31 12:29:06 localhost.localdomain systemd[1]: Failed to start Bluetooth service.

$ journalctl -xe
... snip ...
Oct 31 12:29:06 localhost.localdomain systemd[1]: Starting Bluetooth service...
-- Subject: Unit bluetooth.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit bluetooth.service has begun starting up.
Oct 31 12:29:06 localhost.localdomain audit[2622]: AVC avc: denied { mounton } for pid=2622 comm="(uetoothd)" path="/var/lib/bluetooth" dev="dm-0" ino=1966239 scontext=system_u:system_r:init_t:s0 tcontext=sys
Oct 31 12:29:06 localhost.localdomain audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:bluetooth_t:s0
Oct 31 12:29:06 localhost.localdomain audit[2622]: AVC avc: denied { map } for pid=2622 comm="bluetoothd" path="/usr/libexec/bluetooth/bluetoothd" dev="dm-0" ino=3015450 scontext=system_u:system_r:init_t:s0 t
Oct 31 12:29:06 localhost.localdomain audit[2622]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=2622 comm="bluetoothd" exe="/usr/libexec/bluetooth/bluetoothd" sig=11
Oct 31 12:29:06 localhost.localdomain systemd[1]: bluetooth.service: Main process exited, code=killed, status=11/SEGV
Oct 31 12:29:06 localhost.localdomain systemd[1]: bluetooth.service: Failed with result 'signal'.
Oct 31 12:29:06 localhost.localdomain systemd[1]: Failed to start Bluetooth service.
-- Subject: Unit bluetooth.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit bluetooth.service has failed.
--
-- The result is RESULT.
Oct 31 12:29:06 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=bluetooth comm="systemd" exe="/usr/lib/systemd/systemd" hostnam
Oct 31 12:29:06 localhost.localdomain polkitd[939]: Unregistered Authentication Agent for unix-process:2570:8900462 (system bus name :1.590, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C.
Oct 31 12:29:09 localhost.localdomain sealert[2043]: gtk_grid_attach: assertion '_gtk_widget_get_parent (child) == NULL' failed
Oct 31 12:29:09 localhost.localdomain setroubleshoot[1727]: SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth. For complete SELinux messages run: sealert -l 5216c914-46de-4
Oct 31 12:29:09 localhost.localdomain python3[1727]: SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that (uetoothd) should be allowed mounton access on the bluetooth directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
    # semodule -X 300 -i my-uetoothd.pp

Oct 31 12:29:09 localhost.localdomain sealert[2043]: gtk_grid_attach: assertion '_gtk_widget_get_parent (child) == NULL' failed
Oct 31 12:29:09 localhost.localdomain setroubleshoot[1727]: SELinux is preventing bluetoothd from map access on the file /usr/libexec/bluetooth/bluetoothd. For complete SELinux messages run: sealert -l e06f57fa-
Oct 31 12:29:09 localhost.localdomain python3[1727]: SELinux is preventing bluetoothd from map access on the file /usr/libexec/bluetooth/bluetoothd.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that bluetoothd should be allowed map access on the bluetoothd file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c 'bluetoothd' --raw | audit2allow -M my-bluetoothd
    # semodule -X 300 -i my-bluetoothd.pp

Oct 31 12:29:09 localhost.localdomain sealert[2043]: gtk_grid_attach: assertion '_gtk_widget_get_parent (child) == NULL' failed
Oct 31 12:29:34 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=?
~~~

> What is the output of:
>
> # ls -Z /usr/libexec/bluetooth/bluetoothd

$ sudo ls -Z /usr/libexec/bluetooth/bluetoothd
system_u:object_r:bluetooth_exec_t:s0 /usr/libexec/bluetooth/bluetoothd

> # sesearch -A -s init_t -c process2 -t bluetooth_t

$ sudo sesearch -A -s init_t -c process2 -t bluetooth_t
allow init_t bluetooth_t:process2 { nnp_transition nosuid_transition };
Vit, I found the issue here. F27 has kernel version 4.13 and we need 4.14+. I need to ask if 4.14 will be backported to Fedora 27 or whether we need to backport the patch.
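The thread above walks through three manual checks for a daemon that is stuck in init_t under NoNewPrivileges=true: the AVC denials carry the wrong source domain and the kernel logs a refused security_bounded_transition, sesearch must show an init_t -> bluetooth_t process2 nnp_transition rule, and the kernel must be new enough to honour that permission (4.14+, per comment #33). The script below automates those checks over the records pasted in this bug. It is an added example, not code from this bug report, from bluez or from the selinux-policy project; the sample log, the comm-to-domain table and the "upstream version string implies support" shortcut in the kernel check are assumptions made for the example.

```python
"""Triage a failed SELinux domain transition under NoNewPrivileges.

Added example; not code from this bug report, bluez or selinux-policy.
Checks: (1) denials coming from the wrong source domain plus a refused
security_bounded_transition, (2) whether policy allows the process2
nnp_transition, (3) whether the kernel release is 4.14 or newer.
"""
import re

# Body of an AVC denial as printed by auditd / journald.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
# key=value pairs after "for"; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# SELINUX_ERR record the kernel logs when a bounded (NNP/nosuid) transition is refused.
BOUNDED_RE = re.compile(
    r"op=security_bounded_transition\s+seresult=(?P<result>\w+)"
    r"\s+oldcontext=(?P<old>\S+)\s+newcontext=(?P<new>\S+)"
)
# One "allow src dst:class { perms };" rule as printed by sesearch -A.
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{?\s*([^};]+?)\s*\}?;")

# Constructed sample input: the first two records are the ones pasted in this
# bug, the third is made up to show a denial from the *correct* domain, which
# must not be flagged.
SAMPLE_LOG = """\
type=AVC msg=audit(1506451691.24:132008): avc: denied { shutdown } for pid=18103 comm="bluetoothd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=socket permissive=1
audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:bluetooth_t:s0
audit[4242]: AVC avc: denied { read } for pid=4242 comm="bluetoothd" name="settings" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""
# The rule shown by sesearch earlier in this bug.
SAMPLE_SESEARCH = "allow init_t bluetooth_t:process2 { nnp_transition nosuid_transition };\n"
# Assumed table of which daemon (comm) should run in which domain.
EXPECTED_DOMAINS = {"bluetoothd": "bluetooth_t"}


def domain_of(context):
    """Return the type (third field) of a context such as system_u:system_r:init_t:s0."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def parse_bounded_transition(line):
    """Return {result, old, new} for a security_bounded_transition record, else None."""
    m = BOUNDED_RE.search(line)
    return m.groupdict() if m else None


def triage(log_text, expected=EXPECTED_DOMAINS):
    """Scan audit lines and explain which ones point at a missing domain transition."""
    findings = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            comm = avc.get("comm", "")
            actual = domain_of(avc["scontext"])
            wanted = expected.get(comm)
            if wanted and actual != wanted:
                findings.append(
                    f"{comm} pid {avc['pid']}: denied {{ {' '.join(avc['perms'])} }} on "
                    f"{avc['tclass']} while running as {actual}, expected {wanted}; "
                    "the exec transition did not happen"
                )
            continue
        bt = parse_bounded_transition(line)
        if bt is not None and bt["result"] == "denied":
            findings.append(
                f"kernel refused bounded transition {domain_of(bt['old'])} -> "
                f"{domain_of(bt['new'])}; either policy lacks process2 nnp_transition "
                "for this pair or the kernel predates that permission"
            )
    return findings


def policy_allows_nnp_transition(sesearch_output, src, dst):
    """True if sesearch output contains 'allow src dst:process2 { ... nnp_transition ... }'."""
    for line in sesearch_output.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m is None:
            continue
        s, d, cls, perms = m.groups()
        if s == src and d == dst and cls == "process2" and "nnp_transition" in perms.split():
            return True
    return False


def kernel_supports_nnp_transition(release):
    """Upstream Linux gained process2 nnp_transition/nosuid_transition in 4.14.
    Assumption: the release string reflects upstream; a distro backport needs its own check."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (4, 14)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
    print("policy allows init_t -> bluetooth_t nnp_transition:",
          policy_allows_nnp_transition(SAMPLE_SESEARCH, "init_t", "bluetooth_t"))
    for rel in ("4.13.9-300.fc27.x86_64", "4.14.0-0.rc6.git0.1.fc28.x86_64"):
        print(rel, "supports nnp_transition:", kernel_supports_nnp_transition(rel))
```

On a live host, feed it `ausearch -m AVC,SELINUX_ERR --raw`, `sesearch -A -s init_t -c process2 -t <domain>` and `uname -r` instead of the embedded samples. The pattern it encodes is the one from this bug: a denial whose scontext is still init_t for a daemon that has its own domain is a transition failure, not something to audit2allow into a local module, and the fix is the policy rule plus a kernel that understands it, or dropping NoNewPrivileges from the unit as comment #22 suggests.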
Trying latest kernel:

$ rpm -q kernel
kernel-4.13.9-300.fc27.x86_64
kernel-4.14.0-0.rc6.git0.1.fc28.x86_64
$ uname -a
Linux localhost.localdomain 4.14.0-0.rc6.git0.1.fc28.x86_64 #1 SMP Mon Oct 23 16:37:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This specific issue seems to be gone and the BT service is up now. However, there still remains this:

~~~
Oct 31 13:14:31 localhost.localdomain setroubleshoot[1409]: SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth. For complete SELinux messages run: sealert -l 5216c914-46de-4
Oct 31 13:14:31 localhost.localdomain python3[1409]: SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that (uetoothd) should be allowed mounton access on the bluetooth directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
    # semodule -X 300 -i my-uetoothd.pp
~~~

This appears to be bug #1502141