Bug 1502141 - SELinux is preventing (uetoothd) from 'mounton' accesses on the dossier /var/lib/bluetooth.
Summary: SELinux is preventing (uetoothd) from 'mounton' accesses on the dossier /var/...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:6421f5ffcabc44dfaec09174bf0...
: 1506461 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-14 12:35 UTC by Nicolas Mailhot
Modified: 2018-03-18 09:07 UTC (History)
12 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-02-20 11:22:05 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Nicolas Mailhot 2017-10-14 12:35:38 UTC 
Description of problem:
SELinux is preventing (uetoothd) from 'mounton' accesses on the dossier /var/lib/bluetooth.

*****  Plugin catchall (100. confidence) suggests   **************************

If if you believe that (uetoothd) should be allowed mounton access on the bluetooth directory by default.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
allow this access for now by executing:
# ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
# semodule -X 300 -i my-uetoothd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:bluetooth_var_lib_t:s0
Target Objects                /var/lib/bluetooth [ dir ]
Source                        (uetoothd)
Source Path                   (uetoothd)
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           bluez-5.47-4.fc28.x86_64
Policy RPM                    selinux-policy-3.13.1-295.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.14.0-0.rc3.git3.1.fc28.x86_64 #1
                              SMP Thu Oct 5 20:52:54 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-10-14 14:32:17 CEST
Last Seen                     2017-10-14 14:32:17 CEST
Local ID                      920cfd91-542b-44d4-beca-dd66f9733e26

Raw Audit Messages
type=AVC msg=audit(1507984337.296:1246): avc:  denied  { mounton } for  pid=1418 comm="(uetoothd)" path="/var/lib/bluetooth" dev="dm-0" ino=270685 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bluetooth_var_lib_t:s0 tclass=dir permissive=0


Hash: (uetoothd),init_t,bluetooth_var_lib_t,dir,mounton

Version-Release number of selected component:
selinux-policy-3.13.1-295.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.14.0-0.rc3.git3.1.fc28.x86_64
type:           libreport
Comment 1 Tom 2017-10-17 06:53:15 UTC 
Description of problem:
After booting my system I can see BT is not enabled and not possible to enable.
From terminal running:

sudo systemctl status bluetooth.service

results in this:

● bluetooth.service - Bluetooth service
   Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Tue 2017-10-17 08:46:36 CEST; 12s ago
     Docs: man:bluetoothd(8)
  Process: 7926 ExecStart=/usr/libexec/bluetooth/bluetoothd (code=killed, signal=SEGV)
 Main PID: 7926 (code=killed, signal=SEGV)

okt 17 08:46:36 kira-lan systemd[1]: Starting Bluetooth service...
okt 17 08:46:36 kira-lan systemd[1]: bluetooth.service: Main process exited, code=killed, status=11/SEGV
okt 17 08:46:36 kira-lan systemd[1]: bluetooth.service: Failed with result 'signal'.
okt 17 08:46:36 kira-lan systemd[1]: Failed to start Bluetooth service.

Version-Release number of selected component:
selinux-policy-3.13.1-295.fc28.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.14.0-0.rc4.git4.1.fc28.x86_64
type:           libreport
Comment 2 Lukas Vrabec 2017-10-17 10:36:59 UTC 
Hi, 

This will be fixed in the next selinux-policy rawhide build.
Comment 3 JOduMonT 2017-10-26 06:58:26 UTC 
*** Bug 1506461 has been marked as a duplicate of this bug. ***
Comment 4 Vít Ondruch 2017-10-31 12:22:48 UTC 
This is till not fixed:

$ rpm -q selinux-policy
selinux-policy-3.13.1-300.fc28.noarch
Comment 5 Vít Ondruch 2017-10-31 12:25:13 UTC 
~~~
$ sealert -l 5216c914-46de-49e9-9a19-fce5bf9fd215
SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth.

*****  Plugin catchall (100. confidence) suggests   **************************

If if you believe that (uetoothd) should be allowed mounton access on the bluetooth directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
# semodule -X 300 -i my-uetoothd.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:bluetooth_var_lib_t:s0
Target Objects                /var/lib/bluetooth [ dir ]
Source                        (uetoothd)
Source Path                   (uetoothd)
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           bluez-5.47-4.fc28.x86_64
Policy RPM                    selinux-policy-3.13.1-300.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.14.0-0.rc6.git0.1.fc28.x86_64 #1 SMP Mon Oct 23
                              16:37:45 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-10-31 12:24:06 CET
Last Seen                     2017-10-31 13:14:27 CET
Local ID                      5216c914-46de-49e9-9a19-fce5bf9fd215

Raw Audit Messages
type=AVC msg=audit(1509452067.79:104): avc:  denied  { mounton } for  pid=874 comm="(uetoothd)" path="/var/lib/bluetooth" dev="dm-0" ino=1966239 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bluetooth_var_lib_t:s0 tclass=dir permissive=0


Hash: (uetoothd),init_t,bluetooth_var_lib_t,dir,mounton

~~~
Comment 6 Vít Ondruch 2017-10-31 12:26:18 UTC 
(In reply to Tom from comment #1)
This seems to be https://bugzilla.redhat.com/show_bug.cgi?id=1496249#c29
Comment 7 Jared Smith 2018-01-16 20:45:00 UTC 
Description of problem:
Was trying to pair some bluetooth headphones with my laptop.

Version-Release number of selected component:
selinux-policy-3.14.1-1.fc28.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.0-0.rc7.git2.1.fc28.x86_64
type:           libreport
Comment 8 Chris Murphy 2018-01-24 08:18:46 UTC 
This is still a problem with selinux-policy-3.14.1-2.fc28
Comment 9 Nicolas Mailhot 2018-01-27 02:39:02 UTC 
Description of problem:
After clean F27 install, update to rawhide, and reboot

Version-Release number of selected component:
selinux-policy-3.14.1-3.fc28.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.0-0.rc9.git4.1.fc28.x86_64
type:           libreport
Note You need to log in before you can comment on or make changes to this bug.