Bug 160678 - SELinux prevents setup of BT connections
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-06-16 11:58 EDT by Stefan Becker
Modified: 2007-11-30 17:11 EST
Fixed In Version: FEDORA-2005-513
Doc Type: Bug Fix
Last Closed: 2005-07-07 23:42:11 EDT
Description Stefan Becker 2005-06-16 11:58:08 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Firefox/1.0.4

Description of problem:
The SELinux targeted policy covers the bluetooth daemon by default. When hcid tries to set up a BT connection, SELinux prevents it from doing so.

After selecting "SELinux Service Protection" -> "Disable SELinux protection for 
bluetooth daemon" BT starts to work again.

Version-Release number of selected component (if applicable):
bluez-utils-2.15-7, selinux-policy-targeted-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1. Base FC4 installation
2. rfcomm connect 0 00:02:EE:93:9F:C8 1

Actual Results:  # rfcomm connect 0 00:02:EE:93:9F:C8 1
Can't connect RFCOMM socket: Resource temporarily unavailable


Expected Results:  BT connection should have been initiated

Additional info:

# service bluetooth start
Starting Bluetooth services:                               [  OK  ]

# ps -efw | fgrep hcid
root      2676     1  0 00:31 ?        00:00:00 hcid: processing events

# tail /var/log/messages
...
Jun 16 00:31:22 baraddur hcid[2676]: Bluetooth HCI daemon
Jun 16 00:31:22 baraddur hcid[2676]: Starting security manager 0
Jun 16 00:31:23 baraddur sdpd[2680]: Bluetooth SDP daemon

 ---> Execute "rfcomm connect 0 00:02:EE:93:9F:C8 1"

# tail /var/log/audit.log:
...
type=SYSCALL msg=audit(1118907083.101:13376313): arch=40000003 syscall=146 
success=no exit=-13 a0=6 a1=bfacb070 a2=3 a3=3 items=0 pid=2678 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="hcid" exe="/usr/sbin/hcid"
type=AVC msg=audit(1118907083.101:13376313): avc:  denied  { write } for  
pid=2678 comm="hcid" scontext=root:system_r:bluetooth_t 
tcontext=root:system_r:bluetooth_t tclass=socket
type=SYSCALL msg=audit(1118907083.102:13376320): arch=40000003 syscall=146 
success=no exit=-13 a0=6 a1=bfacb070 a2=3 a3=3 items=0 pid=2678 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="hcid" exe="/usr/sbin/hcid"
type=AVC msg=audit(1118907083.102:13376320): avc:  denied  { write } for  
pid=2678 comm="hcid" scontext=root:system_r:bluetooth_t 
tcontext=root:system_r:bluetooth_t tclass=socket
type=AVC_PATH msg=audit(1118907114.146:13503165):  path="socket:[203470]"
type=SYSCALL msg=audit(1118907114.146:13503165): arch=40000003 syscall=3 
success=no exit=-13 a0=6 a1=bfacb0c4 a2=104 a3=104 items=0 pid=2676 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="hcid" exe="/usr/sbin/hcid"
type=AVC msg=audit(1118907114.146:13503165): avc:  denied  { read } for  
pid=2676 comm="hcid" name=[203470] dev=sockfs ino=203470 
scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t 
tclass=socket



With SELinux protection for the bluetooth daemon deactivated, BT connections work OK:

# hcid -n -f /etc/bluetooth/hcid.conf
hcid[2788]: Bluetooth HCI daemon
hcid[2788]: Starting security manager 0

  ---> now start same rfcomm command as above

hcid[2788]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)

  ---> connection to cell phone established
  ---> Press CTRL-C to abort rfcomm
Comment 1 Stefan Becker 2005-06-20 22:15:19 EDT
Retried with selinux-policy-targeted-1.23.18-12 which was released today,
because the changelog mentioned the bluetooth daemon. Still no success.

Added Daniel, the SELinux policy maintainer, as CC. Maybe he can shed some light
on this problem.
Comment 2 Daniel Walsh 2005-06-26 07:56:14 EDT
Fixed in selinux-policy-targeted-1.23.18-21
Comment 3 Stefan Becker 2005-07-07 23:42:11 EDT
Verified correction with selinux-policy-targeted-1.24-3

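Added example, not part of the original bug report or of the selinux-policy project: a short Python triage of the audit records quoted in the description. It joins each AVC denial to the SYSCALL record with the same event serial and collapses the denials into a candidate rule for review. The function names `summarize` and `candidate_rules` are hypothetical, and the sample text is constructed from the report's log lines.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in the report, unwrapped to one
# record per line, with the SYSCALL records shortened to the fields used here.
SAMPLE = '''\
type=SYSCALL msg=audit(1118907083.101:13376313): arch=40000003 syscall=146 success=no exit=-13 pid=2678 comm="hcid"
type=AVC msg=audit(1118907083.101:13376313): avc:  denied  { write } for  pid=2678 comm="hcid" scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=socket
type=SYSCALL msg=audit(1118907083.102:13376320): arch=40000003 syscall=146 success=no exit=-13 pid=2678 comm="hcid"
type=AVC msg=audit(1118907083.102:13376320): avc:  denied  { write } for  pid=2678 comm="hcid" scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=socket
type=AVC_PATH msg=audit(1118907114.146:13503165):  path="socket:[203470]"
type=SYSCALL msg=audit(1118907114.146:13503165): arch=40000003 syscall=3 success=no exit=-13 pid=2676 comm="hcid"
type=AVC msg=audit(1118907114.146:13503165): avc:  denied  { read } for  pid=2676 comm="hcid" name=[203470] dev=sockfs ino=203470 scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=socket
'''

# Groups: record type, event serial, record body (one record per line).
EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):[ \t]*(.*)$", re.M)
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
I386_SYSCALLS = {"3": "read", "146": "writev"}  # only the numbers in the sample

def kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def summarize(log_text):
    """Return one dict per AVC denial, joined to the SYSCALL record of its event."""
    syscalls, denials = {}, []
    for rtype, serial, body in EVENT_RE.findall(log_text):
        avc = AVC_RE.match(body)
        if rtype == "SYSCALL":
            syscalls[serial] = kv(body)
        elif rtype == "AVC" and avc:
            denials.append({**kv(avc.group(2)), "perms": avc.group(1).split(), "serial": serial})
    for d in denials:  # join on the event serial; record order within an event varies
        sc = syscalls.get(d["serial"], {})
        d["syscall"] = I386_SYSCALLS.get(sc.get("syscall"), sc.get("syscall"))
        d["exit"] = sc.get("exit")
    return denials

def candidate_rules(denials):
    """Collapse denials into allow rules for review, in the style of audit2allow."""
    perms = defaultdict(set)
    for d in denials:
        src, tgt = (d[k].split(":")[2] for k in ("scontext", "tcontext"))
        perms[(src, "self" if src == tgt else tgt, d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(perms.items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(SAMPLE))))
```

The rule it prints is a candidate for policy review only; the report does not say what change the fixed selinux-policy-targeted packages actually made.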