From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6

Description of problem:
Pairing of new bluetooth devices fails because the pin helper execution is denied by the SELinux targeted policy.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.3-9

How reproducible:
Always

Steps to Reproduce:
1. Start pairing mode on a new Bluetooth device
2. Connect to the device, e.g. rfcomm connect <baddr>
3.

Actual Results:
Pairing fails.
From /var/log/messages:
Aug 9 19:44:04 baraddur hcid[5892]: Bluetooth HCI daemon
Aug 9 19:44:04 baraddur sdpd[5894]: Bluetooth SDP daemon
Aug 9 19:44:04 baraddur hcid[5892]: Starting security manager 0
Aug 9 19:50:02 baraddur kernel: snd-bt-sco revision 1.6 $
Aug 9 19:50:07 baraddur hcid[5892]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:07:A4:10:30:C6)
Aug 9 19:50:08 baraddur hcid[5892]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:07:A4:10:30:C6)
Aug 9 19:50:08 baraddur hcid[5985]: Can't exec PIN helper /usr/bin/bluez-pin: Permission denied (13)
Aug 9 19:50:09 baraddur hcid[5892]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:07:A4:10:30:C6)
Aug 9 19:50:09 baraddur hcid[5892]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:07:A4:10:30:C6)
Aug 9 19:50:09 baraddur hcid[5986]: Can't exec PIN helper /usr/bin/bluez-pin: Permission denied (13)

Expected Results:
PIN requester pops up, allowing the pairing to be complete.
From /var/log/messages:
Aug 9 19:54:23 baraddur hcid[6026]: Bluetooth HCI daemon
Aug 9 19:54:23 baraddur hcid[6026]: Starting security manager 0
Aug 9 19:54:23 baraddur sdpd[6028]: Bluetooth SDP daemon
Aug 9 19:55:50 baraddur hcid[6026]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:07:A4:10:30:C6)
Aug 9 19:55:50 baraddur hcid[6026]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:07:A4:10:30:C6)
Aug 9 19:55:55 baraddur hcid[6026]: link_key_notify (sba=00:0A:3A:58:BC:54)
Aug 9 19:55:55 baraddur hcid[6026]: Replacing link key 00:0A:3A:58:BC:54 00:07:A4:10:30:C6

Additional info:
From /var/log/audit/auditd.log:
type=AVC msg=audit(1123642208.045:14417398): avc: denied { search } for pid=5985 comm="hcid" name="bin" dev=hda3 ino=2490467 scontext=root:system_r:bluetooth_t tcontext=system_u:object_r:bin_t tclass=dir
type=SYSCALL msg=audit(1123642208.045:14417398): arch=40000003 syscall=33 success=no exit=-13 a0=9701030 a1=5 a2=c965d8 a3=9701470 items=1 pid=5985 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hcid" exe="/usr/sbin/hcid"
type=CWD msg=audit(1123642208.045:14417398): cwd="/"
type=PATH msg=audit(1123642208.045:14417398): item=0 name="/usr/bin/bluez-pin" flags=401 inode=2490467 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123642209.314:14427668): avc: denied { search } for pid=5986 comm="hcid" name="bin" dev=hda3 ino=2490467 scontext=root:system_r:bluetooth_t tcontext=system_u:object_r:bin_t tclass=dir
type=SYSCALL msg=audit(1123642209.314:14427668): arch=40000003 syscall=33 success=no exit=-13 a0=9701030 a1=5 a2=c965d8 a3=9701470 items=1 pid=5986 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hcid" exe="/usr/sbin/hcid"
type=CWD msg=audit(1123642209.314:14427668): cwd="/"
type=PATH msg=audit(1123642209.314:14427668): item=0 name="/usr/bin/bluez-pin" flags=401 inode=2490467 dev=03:03 mode=040755 ouid=0 ogid=0 rdev=00:00
Fixed in selinux-policy-targeted-1.25.3-12
Retested with selinux-policy-targeted-1.25.4-10: Problem still exists but the error messages are different. The PIN helper seems to be executed now but it fails immediately.

messages:
Aug 29 16:29:28 barradur hcid[21623]: Bluetooth HCI daemon
Aug 29 16:29:28 barradur hcid[21623]: Starting security manager 0
Aug 29 16:29:28 barradur sdpd[21625]: init_server: binding UNIX socket: Address already in use
Aug 29 16:29:28 barradur sdpd[21625]: main: Server initialization failed
Aug 29 16:29:38 barradur hcid[21623]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Aug 29 16:29:38 barradur hcid[21623]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Aug 29 16:29:38 barradur hcid[21632]: PIN helper exited abnormally with code 32512

audit.log:
type=AVC msg=audit(1125358168.728:7388944): avc: denied { unlink } for pid=21625 comm="sdpd" name="sdp" dev=dm-0 ino=721601 scontext=root:system_r:bluetooth_t tcontext=root:object_r:var_run_t tclass=sock_file
type=SYSCALL msg=audit(1125358168.728:7388944): arch=40000003 syscall=10 success=no exit=-13 a0=bfaaa1ac a1=bfaaa160 a2=8e87b8 a3=bfaaa1aa items=1 pid=21625 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sdpd" exe="/usr/sbin/sdpd"
type=CWD msg=audit(1125358168.728:7388944): cwd="/"
type=PATH msg=audit(1125358168.728:7388944): item=0 name="/var/run/sdp" flags=10 inode=720932 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1125358178.187:7462885): avc: denied { read } for pid=21633 comm="hcid" name="sh" dev=dm-0 ino=753668 scontext=root:system_r:bluetooth_t tcontext=system_u:object_r:bin_t tclass=lnk_file
type=SYSCALL msg=audit(1125358178.187:7462885): arch=40000003 syscall=11 success=no exit=-13 a0=295a9b a1=bfda93bc a2=9a54078 a3=400 items=1 pid=21633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hcid" exe="/usr/sbin/hcid"
type=CWD msg=audit(1125358178.187:7462885): cwd="/"
type=PATH msg=audit(1125358178.187:7462885): item=0 name="/bin/sh" flags=101 inode=753665 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1125358178.188:7462888): avc: denied { getattr } for pid=21632 comm="hcid" name="[479227]" dev=pipefs ino=479227 scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=fifo_file
type=SYSCALL msg=audit(1125358178.188:7462888): arch=40000003 syscall=197 success=no exit=-13 a0=7 a1=bfdaa2ec a2=2a2ff4 a3=7 items=0 pid=21632 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hcid" exe="/usr/sbin/hcid"
type=AVC_PATH msg=audit(1125358178.188:7462888): path="pipe:[479227]"
type=AVC msg=audit(1125358178.188:7462890): avc: denied { read } for pid=21632 comm="hcid" name="[479227]" dev=pipefs ino=479227 scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=fifo_file
type=SYSCALL msg=audit(1125358178.188:7462890): arch=40000003 syscall=3 success=no exit=-13 a0=7 a1=b7fab000 a2=2000 a3=9a55ec8 items=0 pid=21632 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hcid" exe="/usr/sbin/hcid"
type=AVC_PATH msg=audit(1125358178.188:7462890): path="pipe:[479227]"
Ok can you do a setenforce 0 and then retry, in order to gather all of the denials. Thanks, Dan
Commands:
# setenforce 0
# service bluetooth start
Starting Bluetooth services: [ OK ]
# rfcomm connect 0 00:02:EE:93:9F:C8 1
Connected /dev/rfcomm0 to 00:02:EE:93:9F:C8 on channel 1
Press CTRL-C for hangup
Disconnected
# service bluetooth stop
Stopping Bluetooth services: [ OK ]
# setenforce 1

messages:
Aug 30 21:56:11 barradur dbus: avc: received setenforce notice (enforcing=0)
Aug 30 21:56:19 barradur hcid[25976]: Bluetooth HCI daemon
Aug 30 21:56:20 barradur hcid[25976]: Starting security manager 0
Aug 30 21:56:20 barradur sdpd[25980]: Bluetooth SDP daemon
Aug 30 21:56:42 barradur hcid[25976]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Aug 30 21:56:42 barradur hcid[25976]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Aug 30 21:56:56 barradur hcid[25976]: link_key_notify (sba=00:0A:3A:58:BC:54)
Aug 30 21:56:56 barradur hcid[25976]: Replacing link key 00:0A:3A:58:BC:54 00:02:EE:93:9F:C8
Aug 30 21:57:14 barradur sdpd[25980]: terminating...
Aug 30 21:57:15 barradur hcid[25976]: Exit.
Aug 30 21:57:19 barradur dbus: avc: received setenforce notice (enforcing=1)

audit.log: (see attachment)
Created attachment 118275 audit.log with setenforce=0
Fixed in selinux-policy-*-1.27.1-2.1
Retested with selinux-policy-targeted-1.27.1-2.1. Still doesn't work :-(

From /var/log/messages:
Sep 23 20:48:26 barradur hcid[1932]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Sep 23 20:48:26 barradur hcid[1932]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Sep 23 20:48:26 barradur hcid[7207]: PIN helper exited abnormally with code 256

From /var/log/audit/audit.log:
type=AVC msg=audit(1127533887.164:113): avc: denied { read } for pid=7286 comm="sh" name="mtab" dev=dm-0 ino=1510036 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1127533887.164:113): arch=40000003 syscall=5 success=no exit=-13 a0=526dba a1=0 a2=1b6 a3=8b8aa60 items=1 pid=7286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1127533887.164:113): cwd="/"
type=PATH msg=audit(1127533887.164:113): item=0 name="/etc/mtab" flags=101 inode=1510036 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.201:114): avc: denied { read } for pid=7287 comm="sh" name="mtab" dev=dm-0 ino=1510036 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1127533887.201:114): arch=40000003 syscall=5 success=no exit=-13 a0=526dba a1=0 a2=1b6 a3=919fa60 items=1 pid=7287 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1127533887.201:114): cwd="/"
type=PATH msg=audit(1127533887.201:114): item=0 name="/etc/mtab" flags=101 inode=1510036 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.207:115): avc: denied { read } for pid=7287 comm="ps" name="mtab" dev=dm-0 ino=1510036 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=SYSCALL msg=audit(1127533887.207:115): arch=40000003 syscall=5 success=no exit=-13 a0=526dba a1=0 a2=1b6 a3=8c39008 items=1 pid=7287 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1127533887.207:115): cwd="/"
type=PATH msg=audit(1127533887.207:115): item=0 name="/etc/mtab" flags=101 inode=1510036 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.208:116): avc: denied { read } for pid=7287 comm="ps" name="stat" dev=proc ino=477560846 scontext=system_u:system_r:bluetooth_t tcontext=system_u:system_r:bluetooth_t tclass=file
type=SYSCALL msg=audit(1127533887.208:116): arch=40000003 syscall=5 success=no exit=-13 a0=546200 a1=0 a2=0 a3=546200 items=1 pid=7287 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1127533887.208:116): cwd="/"
type=PATH msg=audit(1127533887.208:116): item=0 name="/proc/self/stat" flags=101 inode=477560846 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.227:117): avc: denied { write } for pid=7286 comm="bluez-pin" name="X0" dev=dm-0 ino=1802361 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:tmp_t tclass=sock_file
type=SYSCALL msg=audit(1127533887.227:117): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd2a350 a2=c5cabc a3=13 items=1 pid=7286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=SOCKADDR msg=audit(1127533887.227:117): saddr=01002F746D702F2E5831312D756E69782F5830
type=SOCKETCALL msg=audit(1127533887.227:117): nargs=3 a0=3 a1=bfd2a4be a2=13
type=PATH msg=audit(1127533887.227:117): item=0 flags=1 inode=1802361 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1127533887.229:118): avc: denied { connect } for pid=7286 comm="bluez-pin" scontext=system_u:system_r:bluetooth_t tcontext=system_u:system_r:bluetooth_t tclass=tcp_socket
type=SYSCALL msg=audit(1127533887.229:118): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd2a310 a2=c5cabc a3=9b2aa78 items=0 pid=7286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=SOCKADDR msg=audit(1127533887.229:118): saddr=020017707F0000010000000000000000
type=SOCKETCALL msg=audit(1127533887.229:118): nargs=3 a0=3 a1=9b2aa78 a2=10
Retested with selinux-policy-targeted-1.27.1-2.3. Still doesn't work :-(

From /var/log/messages:
Oct 7 19:42:11 barradur hcid[3143]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Oct 7 19:42:11 barradur hcid[3143]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Oct 7 19:42:12 barradur hcid[3162]: PIN helper exited abnormally with code 256

From /var/log/audit/audit.log:
type=AVC msg=audit(1128739332.044:41): avc: denied { read } for pid=3164 comm="ps" name="stat" dev=proc ino=207355918 scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=file
type=SYSCALL msg=audit(1128739332.044:41): arch=40000003 syscall=5 success=no exit=-13 a0=546200 a1=0 a2=0 a3=546200 items=1 pid=3164 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1128739332.044:41): cwd="/"
type=PATH msg=audit(1128739332.044:41): item=0 name="/proc/self/stat" flags=101 inode=207355918 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1128739332.097:42): avc: denied { write } for pid=3163 comm="bluez-pin" name="X0" dev=dm-0 ino=1769542 scontext=root:system_r:bluetooth_t tcontext=system_u:object_r:tmp_t tclass=sock_file
type=SYSCALL msg=audit(1128739332.097:42): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe6ad40 a2=c00abc a3=13 items=1 pid=3163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=SOCKADDR msg=audit(1128739332.097:42): saddr=01002F746D702F2E5831312D756E69782F5830
type=SOCKETCALL msg=audit(1128739332.097:42): nargs=3 a0=3 a1=bfe6aeae a2=13
type=PATH msg=audit(1128739332.097:42): item=0 flags=1 inode=1769542 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1128739332.099:43): avc: denied { connect } for pid=3163 comm="bluez-pin" scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=tcp_socket
type=SYSCALL msg=audit(1128739332.099:43): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe6ad00 a2=c00abc a3=81eaa58 items=0 pid=3163 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=SOCKADDR msg=audit(1128739332.099:43): saddr=020017707F0000010000000000000000
type=SOCKETCALL msg=audit(1128739332.099:43): nargs=3 a0=3 a1=81eaa58 a2=10
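Added example (not part of the original report or of the SELinux tools): a small Python script that reduces AVC records like the ones in this comment to one line per source type, target type and object class, listing the denied permissions and the commands that triggered them. The three sample records are copied from the audit.log excerpt above; the function names are illustrative.

```python
import re
from collections import defaultdict

# AVC records copied from the audit.log excerpt in this comment
# (the accompanying SYSCALL/PATH/SOCKADDR records are left out).
SAMPLE = '''\
type=AVC msg=audit(1128739332.044:41): avc: denied { read } for pid=3164 comm="ps" name="stat" dev=proc ino=207355918 scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=file
type=AVC msg=audit(1128739332.097:42): avc: denied { write } for pid=3163 comm="bluez-pin" name="X0" dev=dm-0 ino=1769542 scontext=root:system_r:bluetooth_t tcontext=system_u:object_r:tmp_t tclass=sock_file
type=AVC msg=audit(1128739332.099:43): avc: denied { connect } for pid=3163 comm="bluez-pin" scontext=root:system_r:bluetooth_t tcontext=root:system_r:bluetooth_t tclass=tcp_socket
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class); non-AVC lines are skipped."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["comms"].add(m["comm"])
    return dict(rules)

def render(rules):
    """One line per group; the target is shown as "self" when it equals the source type."""
    out = []
    for (src, tgt, cls), info in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        perms = " ".join(sorted(info["perms"]))
        comms = ", ".join(sorted(info["comms"]))
        out.append(f"{src} {target}:{cls} {{ {perms} }}  # comm: {comms}")
    return out

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

On these records every denial has bluetooth_t as its source type, including the ones raised by bluez-pin and ps, so the helper and its children are being checked against the daemon's domain.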
Could you try

chcon -t bluetooth-helper_t /usr/bin/bluez-pin

Then try again in permissive mode, and report AVC messages.
The chcon was wrong?

# chcon -t bluetooth-helper_t /usr/bin/bluez-pin
chcon: failed to change context of /usr/bin/bluez-pin to system_u:object_r:bluetooth-helper_t: Invalid argument
# chcon -t bluetooth_helper_t /usr/bin/bluez-pin
chcon: failed to change context of /usr/bin/bluez-pin to system_u:object_r:bluetooth_helper_t: Permission denied

After a little digging I figured out that this one works:

chcon -t bluetooth_helper_exec_t /usr/bin/bluez-pin

Commands:
# setenforce 0
# service bluetooth start
Starting Bluetooth services: [ OK ]
# rfcomm connect 0 00:02:EE:93:9F:C8 1
Connected /dev/rfcomm0 to 00:02:EE:93:9F:C8 on channel 1
Press CTRL-C for hangup
Disconnected
# service bluetooth stop
Stopping Bluetooth services: [ OK ]
# setenforce 1

messages:
Oct 11 19:59:23 barradur hcid[9431]: Bluetooth HCI daemon
Oct 11 19:59:23 barradur sdpd[9433]: Bluetooth SDP daemon
Oct 11 19:59:23 barradur hcid[9431]: Starting security manager 0
Oct 11 19:59:38 barradur hcid[9431]: link_key_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Oct 11 19:59:38 barradur hcid[9431]: pin_code_request (sba=00:0A:3A:58:BC:54, dba=00:02:EE:93:9F:C8)
Oct 11 19:59:40 barradur gconfd (root-9444): starting (version 2.10.0), pid 9444 user 'root'
Oct 11 19:59:40 barradur gconfd (root-9444): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Oct 11 19:59:40 barradur gconfd (root-9444): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Oct 11 19:59:40 barradur gconfd (root-9444): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct 11 19:59:48 barradur hcid[9431]: link_key_notify (sba=00:0A:3A:58:BC:54)
Oct 11 19:59:48 barradur hcid[9431]: Replacing link key 00:0A:3A:58:BC:54 00:02:EE:93:9F:C8
Oct 11 20:00:03 barradur sdpd[9433]: terminating...
Oct 11 20:00:03 barradur hcid[9431]: Exit.
Oct 11 20:00:10 barradur dbus: avc: received setenforce notice (enforcing=1)

audit.log: (see attachment)
Created attachment 119826 audit.log with setenforce=0
Ok, let's try selinux-policy-targeted-1.27.1-2.6
Retested with selinux-policy-targeted-1.27.1-2.6: Works OK now. Thanks.