Bug 183145 - SELinux prevents setup of BT connections (again...)

Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware/OS: All / Linux
Priority: medium
Severity: high
Assigned To: Russell Coker
Duplicates: 160676
Reported: 2006-02-26 18:55 EST by Stefan Becker
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-04-29 00:26:38 EDT
Attachments: None

Description Stefan Becker 2006-02-26 18:55:17 EST
Description of problem:

Similar to FC4 bug #160678 but this time with FC5 test3. SELinux service
protection prevents the startup of the sdpd daemon.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.2.21-7
bluez-utils-2.22-2.2.1

How reproducible:

Standard FC5 test 3 installation.

Steps to Reproduce:
1. service bluetooth start
2. service bluetooth status
3. rfcomm connect 0 00:07:A4:10:30:C6
  
Actual results:

/var/log/messages:
Feb 26 15:47:44 baraddur hcid[3379]: Bluetooth HCI daemon
Feb 26 15:47:44 baraddur hcid[3379]: Can't get system message bus name:
Connection ":1.6" is not allowed to own the service "org.bluez" due to SELinux
policy
Feb 26 15:47:44 baraddur hcid[3379]: Starting security manager 0
Feb 26 15:47:44 baraddur hcid[3379]: Registering DBUS Path:
/org/bluez/Manager/default/Controller
Feb 26 15:47:44 baraddur hcid[3379]: Registering DBUS Path:
/org/bluez/Manager/hci0/Controller
Feb 26 15:47:44 baraddur hcid[3379]: Registering DBUS Path: /org/bluez/Device/hci0
Feb 26 15:47:44 baraddur hcid[3379]: return_link_keys (sba=00:0A:3A:58:BC:54,
dba=00:02:76:00:00:0B)
Feb 26 15:47:44 baraddur sdpd[3384]: init_server: binding UNIX socket: Address
already in use
Feb 26 15:47:44 baraddur sdpd[3384]: main: Server initialization failed

# service bluetooth status
hcid (pid 3379) is running...
sdpd is stopped

# rfcomm connect 0 00:07:A4:10:30:C6
Can't connect RFCOMM socket: Permission denied

Expected results:

/var/log/messages:
Feb 26 15:49:28 baraddur sdpd[3446]: Bluetooth SDP daemon
Feb 26 15:49:28 baraddur hcid[3443]: Bluetooth HCI daemon
Feb 26 15:49:28 baraddur hcid[3443]: Starting security manager 0
Feb 26 15:49:28 baraddur hcid[3443]: Registering DBUS Path:
/org/bluez/Manager/default/Controller
Feb 26 15:49:28 baraddur hcid[3443]: Registering DBUS Path:
/org/bluez/Manager/hci0/Controller
Feb 26 15:49:28 baraddur hcid[3443]: Registering DBUS Path: /org/bluez/Device/hci0
Feb 26 15:49:28 baraddur hcid[3443]: return_link_keys (sba=00:0A:3A:58:BC:54,
dba=00:02:76:00:00:0B)

# service bluetooth status
hcid (pid 3443) is running...
sdpd (pid 3446) is running...

# rfcomm connect 0 00:07:A4:10:30:C6
Connected /dev/rfcomm0 to 00:07:A4:10:30:C6 on channel 1
Press CTRL-C for hangup
...

Additional info:

/var/log/audit/audit.log:
type=AVC msg=audit(1140998282.608:792): avc:  denied  { unlink } for  pid=3527
comm="sdpd" name="sdp" dev=dm-0 ino=1410118
scontext=user_u:system_r:bluetooth_t:s0 tcontext=user_u:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1140998282.608:792): arch=40000003 syscall=10 success=no
exit=-13 a0=bf827608 a1=bf827500 a2=c010fc a3=8fd96c0 items=1 pid=3527 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sdpd"
exe="/usr/sbin/sdpd"
type=CWD msg=audit(1140998282.608:792):  cwd="/"
type=PATH msg=audit(1140998282.608:792): item=0 name="/var/run/sdp" flags=10 
inode=1409063 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
Comment 1 Daniel Walsh 2006-02-27 17:44:55 EST
This file has the wrong context on it.   Remove the /var/run/sdp file and the
application will create it with the correct context or run restorecon
/var/run/sdp.  Do you know how the file got created with the wrong context?
Comment 2 Stefan Becker 2006-02-27 19:55:42 EST
Neither sdpd nor the bluetooth service script deletes that file when the service is
stopped. So if you run it once with the SELinux protection for that service
disabled -> wrong context. /var/lib/bluetooth is also affected by this, i.e. you
need to restore it too:

# rm -rf /var/lib/bluetooth
# mkdir /var/lib/bluetooth
# restorecon /var/lib/bluetooth

The problem started because I couldn't get PIN entry working, so I disabled the
SELinux protection to be able to enter the PIN. I reopen this bug as you can't
run PIN code entry with SELinux enabled. The following is the audit.log excerpt
when you use bluez-pin as hcid PIN helper:

Feb 27 16:48:08 baraddur hcid[10106]: link_key_request (sba=00:0A:3A:58:BC:54,
dba=00:07:A4:10:30:C6)
Feb 27 16:48:08 baraddur hcid[10106]: pin_code_request (sba=00:0A:3A:58:BC:54,
dba=00:07:A4:10:30:C6)
Feb 27 16:48:08 baraddur hcid[10137]: PIN helper exited abnormally with code 256


type=AVC msg=audit(1141087688.216:1799): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=26804237
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.216:1799): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.216:1799):  cwd="/"
type=PATH msg=audit(1141087688.216:1799): item=0 name="/proc/409/stat" flags=101
 inode=26804237 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.232:1800): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=106627085
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.232:1800): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.232:1800):  cwd="/"
type=PATH msg=audit(1141087688.232:1800): item=0 name="/proc/1627/stat"
flags=101  inode=106627085 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.232:1801): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=109576205
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:crond_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.232:1801): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.232:1801):  cwd="/"
type=PATH msg=audit(1141087688.232:1801): item=0 name="/proc/1672/stat"
flags=101  inode=109576205 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.248:1802): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=118161421
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.248:1802): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.248:1802):  cwd="/"
type=PATH msg=audit(1141087688.248:1802): item=0 name="/proc/1803/stat"
flags=101  inode=118161421 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.248:1803): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=119799821
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.248:1803): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.248:1803):  cwd="/"
type=PATH msg=audit(1141087688.248:1803): item=0 name="/proc/1828/stat"
flags=101  inode=119799821 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.248:1804): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=119996429
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.248:1804): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.248:1804):  cwd="/"
type=PATH msg=audit(1141087688.248:1804): item=0 name="/proc/1831/stat"
flags=101  inode=119996429 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.264:1805): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=140967949
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.264:1805): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.264:1805):  cwd="/"
type=PATH msg=audit(1141087688.264:1805): item=0 name="/proc/2151/stat"
flags=101  inode=140967949 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.264:1806): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=141295629
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.264:1806): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.264:1806):  cwd="/"
type=PATH msg=audit(1141087688.264:1806): item=0 name="/proc/2156/stat"
flags=101  inode=141295629 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.268:1807): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=554762253
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.268:1807): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.268:1807):  cwd="/"
type=PATH msg=audit(1141087688.268:1807): item=0 name="/proc/8465/stat"
flags=101  inode=554762253 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.272:1808): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=609091597
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.272:1808): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.272:1808):  cwd="/"
type=PATH msg=audit(1141087688.272:1808): item=0 name="/proc/9294/stat"
flags=101  inode=609091597 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.272:1809): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=609288205
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.272:1809): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.272:1809):  cwd="/"
type=PATH msg=audit(1141087688.272:1809): item=0 name="/proc/9297/stat"
flags=101  inode=609288205 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.272:1810): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=610926605
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.272:1810): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.272:1810):  cwd="/"
type=PATH msg=audit(1141087688.272:1810): item=0 name="/proc/9322/stat"
flags=101  inode=610926605 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.276:1811): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=632422413
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.276:1811): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.276:1811):  cwd="/"
type=PATH msg=audit(1141087688.276:1811): item=0 name="/proc/9650/stat"
flags=101  inode=632422413 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.276:1812): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=632619021
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.276:1812): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.276:1812):  cwd="/"
type=PATH msg=audit(1141087688.276:1812): item=0 name="/proc/9653/stat"
flags=101  inode=632619021 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.276:1813): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=634060813
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.276:1813): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.276:1813):  cwd="/"
type=PATH msg=audit(1141087688.276:1813): item=0 name="/proc/9675/stat"
flags=101  inode=634060813 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.276:1814): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=664272909
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=file
type=SYSCALL msg=audit(1141087688.276:1814): arch=40000003 syscall=5 success=no
exit=-13 a0=ac98c0 a1=0 a2=0 a3=ac98c0 items=1 pid=10139 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ps" exe="/bin/ps"
type=CWD msg=audit(1141087688.276:1814):  cwd="/"
type=PATH msg=audit(1141087688.276:1814): item=0 name="/proc/10136/stat"
flags=101  inode=664272909 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.296:1815): avc:  denied  { connectto } for 
pid=10138 comm="bluez-pin" name="X0"
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=SYSCALL msg=audit(1141087688.296:1815): arch=40000003 syscall=102
success=no exit=-13 a0=3 a1=bfb884f8 a2=be5b24 a3=13 items=1 pid=10138 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin"
exe="/usr/bin/bluez-pin"
type=AVC_PATH msg=audit(1141087688.296:1815):  path="/tmp/.X11-unix/X0"
type=SOCKADDR msg=audit(1141087688.296:1815):
saddr=01002F746D702F2E5831312D756E69782F5830
type=SOCKETCALL msg=audit(1141087688.296:1815): nargs=3 a0=3 a1=bfb886a2 a2=13
type=PATH msg=audit(1141087688.296:1815): item=0 flags=1  inode=232923 dev=fd:00
mode=0140777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.296:1816): avc:  denied  { create } for  pid=10138
comm="bluez-pin" scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1141087688.296:1816): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfb88668 a2=be5b24 a3=a items=0 pid=10138 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin"
exe="/usr/bin/bluez-pin"
type=SOCKETCALL msg=audit(1141087688.296:1816): nargs=3 a0=a a1=1 a2=0
type=AVC msg=audit(1141087688.296:1817): avc:  denied  { create } for  pid=10138
comm="bluez-pin" scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1141087688.296:1817): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bfb88668 a2=be5b24 a3=2 items=0 pid=10138 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin"
exe="/usr/bin/bluez-pin"
type=SOCKETCALL msg=audit(1141087688.296:1817): nargs=3 a0=2 a1=1 a2=0

Same problem exists with bluepin as PIN helper. I guess the above translates to
"Can't open X window, permission denied"...

Using the alternative dbus_pin_helper/"bluez-pin --dbus" doesn't currently work,
see bug #160676. So the only alternative currently is to use a dummy pin script:

# ls -l --lcontext /usr/bin/bluetooth-dummypin
-rwxr-xr-x 1 system_u:object_r:bluetooth_helper_exec_t root root 24 Feb 25 01:02
/usr/bin/bluetooth-dummypin

# cat /usr/bin/bluetooth-dummypin
#!/bin/sh
echo PIN:0000
Comment 3 Stefan Becker 2006-02-28 20:31:57 EST
Even if bug #160676 were fixed, hcid can't access DBUS because of SELinux:

# fgrep dbus_ /etc/bluetooth/hcid.conf
        dbus_pin_helper;
# service bluetooth start
Starting Bluetooth services:                               [  OK  ]
# service bluetooth status
hcid is stopped
sdpd (pid 2865) is running...

/var/log/messages:
Feb 28 17:35:43 baraddur hcid[2862]: Bluetooth HCI daemon
Feb 28 17:35:43 baraddur hcid[2862]: Can't get system message bus name:
Connection ":1.7" is not allowed to own the service "org.bluez" due to SELinux
policy
Feb 28 17:35:43 baraddur hcid[2862]: Unable to get on D-BUS
Feb 28 17:35:43 baraddur sdpd[2865]: Bluetooth SDP daemon

Nothing in audit.log though...
Comment 4 Stefan Becker 2006-02-28 20:48:11 EST
SELinux also prevents execution of "bluez-pin --dbus":

/var/log/audit/audit.log:
type=AVC msg=audit(1141177936.927:390): avc:  denied  { read } for  pid=3220
comm="bluez-pin" name=".fonts.cache-2" dev=dm-1 ino=557553
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1141177936.927:390): arch=40000003 syscall=11 success=yes
exit=0 a0=8a74f30 a1=8a7daf0 a2=8a6c9e0 a3=8a886d0 items=2 pid=3220 auid=500
uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500
comm="bluez-pin" exe="/usr/bin/bluez-pin"
type=AVC_PATH msg=audit(1141177936.927:390): 
path="/home/stefanb/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1141177936.927:390):  cwd="/home/stefanb"
type=PATH msg=audit(1141177936.927:390): item=0 name="/usr/bin/bluez-pin"
flags=101  inode=1808260 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1141177936.927:390): item=1 flags=101  inode=1998850
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141177936.951:391): avc:  denied  { connectto } for 
pid=3220 comm="bluez-pin" name="X0"
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=SYSCALL msg=audit(1141177936.951:391): arch=40000003 syscall=102 success=no
exit=-13 a0=3 a1=bfdc8128 a2=be5b24 a3=13 items=1 pid=3220 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="bluez-pin"
exe="/usr/bin/bluez-pin"
type=AVC_PATH msg=audit(1141177936.951:391):  path="/tmp/.X11-unix/X0"
type=SOCKADDR msg=audit(1141177936.951:391):
saddr=01002F746D702F2E5831312D756E69782F5830
type=SOCKETCALL msg=audit(1141177936.951:391): nargs=3 a0=3 a1=bfdc82d2 a2=13
type=PATH msg=audit(1141177936.951:391): item=0 flags=1  inode=557061 dev=fd:00
mode=0140777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141177936.955:392): avc:  denied  { create } for  pid=3220
comm="bluez-pin" scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1141177936.955:392): arch=40000003 syscall=102 success=no
exit=-13 a0=1 a1=bfdc8298 a2=be5b24 a3=a items=0 pid=3220 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="bluez-pin"
exe="/usr/bin/bluez-pin"
type=SOCKETCALL msg=audit(1141177936.955:392): nargs=3 a0=a a1=1 a2=0
type=AVC msg=audit(1141177936.955:393): avc:  denied  { create } for  pid=3220
comm="bluez-pin" scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1141177936.955:393): arch=40000003 syscall=102 success=no
exit=-13 a0=1 a1=bfdc8298 a2=be5b24 a3=2 items=0 pid=3220 auid=500 uid=500
gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="bluez-pin"
exe="/usr/bin/bluez-pin"
type=SOCKETCALL msg=audit(1141177936.955:393): nargs=3 a0=2 a1=1 a2=0
Comment 5 Daniel Walsh 2006-03-06 09:51:26 EST
What policy are you seeing this with? Is it able to communicate with dbus when
you set enforcing to permissive?

setenforce 0
Comment 6 Stefan Becker 2006-03-06 19:03:16 EST
selinux-policy-targeted-2.2.21-7

After "setenforce 0" bluez-pin starts up with the --dbus parameter, so DBUS
communication is possible for hcid & bluez-pin, but you'll run into bug #160676...
Comment 7 Daniel Walsh 2006-03-08 11:31:52 EST
Fixed in selinux-policy-targeted-2.2.23-7
Comment 8 Stefan Becker 2006-03-09 23:17:44 EST
selinux-policy-targeted-2.2.23-11

With this update "bluez-pin --dbus" starts up OK now.

But SELinux still prevents hcid from connecting to DBUS:

Mar  9 20:12:32 baraddur hcid[13340]: Bluetooth HCI daemon
Mar  9 20:12:32 baraddur hcid[13340]: Can't get system message bus name:
Connection ":1.14" is not allowed to own the service "org.bluez" due to SELinux
policy
Mar  9 20:12:32 baraddur hcid[13340]: Unable to get on D-BUS

bluepin/bluez-pin also still cannot be executed by hcid:

Mar  9 20:12:08 baraddur hcid[13298]: pin_code_request (sba=00:0A:3A:58:BC:54,
dba=00:02:EE:93:9F:C8)
Mar  9 20:12:08 baraddur hcid[13312]: PIN helper exited abnormally with code 256
Comment 9 John (J5) Palmieri 2006-03-15 10:56:22 EST
*** Bug 160676 has been marked as a duplicate of this bug. ***
Comment 10 Daniel Walsh 2006-03-15 11:54:10 EST
Can someone verify whether this bug is fixed or not? If not, please add AVC
messages.

As far as I am concerned and can test, this works.
Comment 11 Stefan Becker 2006-03-15 21:19:11 EST
Tested with the following versions:

dbus-glib-0.61-3
dbus-x11-0.61-3
dbus-0.61-3
dbus-python-0.61-3
selinux-policy-targeted-2.2.23-15
bluez-libs-2.25-1
bluez-pin-0.30-2
bluez-utils-2.25-4


Using "pin_helper /usr/bin/bluepin;" in /etc/bluetooth/hcid.conf:

/var/log/messages:
Mar 15 18:17:22 baraddur hcid[2985]: pin_code_request (sba=00:0A:3A:58:BC:54,
dba=00:02:EE:93:9F:C8)
Mar 15 18:17:22 baraddur hcid[3019]: PIN helper exited abnormally with code 256

/var/log/audit/audit.log:
type=AVC msg=audit(1142475442.466:652): avc:  denied  { search } for  pid=3020
comm="bluepin" name="gdm" dev=dm-0 ino=1409079
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:object_r:xserver_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1142475442.466:652): arch=40000003 syscall=33 success=no
exit=-13 a0=b7f1081f a1=4 a2=bf1b60 a3=b7f1081f items=1 pid=3020 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluepin"
exe="/usr/bin/python"
type=CWD msg=audit(1142475442.466:652):  cwd="/"
type=PATH msg=audit(1142475442.466:652): item=0 name="/var/gdm/:0.Xauth" flags=1


Using "pin_helper /usr/bin/bluez-pin;" in /etc/bluetooth/hcid.conf:

/var/log/messages:
Mar 15 18:20:07 baraddur hcid[3053]: pin_code_request (sba=00:0A:3A:58:BC:54,
dba=00:02:EE:93:9F:C8)
Mar 15 18:20:08 baraddur hcid[3073]: PIN helper exited abnormally with code 256

/var/log/audit/audit.log:
type=AVC msg=audit(1142475608.063:653): avc:  denied  { search } for  pid=3074
comm="bluez-pin" name="gdm" dev=dm-0 ino=1409079
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:object_r:xserver_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1142475608.063:653): arch=40000003 syscall=33 success=no
exit=-13 a0=9f608b3 a1=4 a2=bf1b60 a3=9f608b3 items=1 pid=3074 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bluez-pin"
exe="/usr/bin/bluez-pin"
type=CWD msg=audit(1142475608.063:653):  cwd="/"
type=PATH msg=audit(1142475608.063:653): item=0 name="/var/gdm/:0.Xauth" flags=1


Using "dbus_pin_helper;" in /etc/bluetooth/hcid.conf:

# service bluetooth status
hcid is stopped
sdpd (pid 3114) is running...

/var/log/messages:
Mar 15 18:21:55 baraddur hcid[3111]: Bluetooth HCI daemon
Mar 15 18:21:55 baraddur hcid[3111]: Can't get system message bus name:
Connection ":1.20" is not allowed to own the service "org.bluez" due to SELinux
policy
Mar 15 18:21:55 baraddur hcid[3111]: Unable to get on D-BUS
Mar 15 18:21:55 baraddur sdpd[3114]: Bluetooth SDP daemon

/var/log/audit/audit.log:
No messages...

So bluepin/bluez-pin fail because SELinux forbids access to the X server. In
the DBUS pin helper case SELinux prevents hcid from connecting to the DBUS.
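The AVC excerpts quoted in this bug (the mislabeled /var/run/sdp socket that comment 1 diagnoses, and the bluetooth_helper_t denials that comment 11 reduces to "no access to the X server") are tedious to read by hand. The following script is an added example, not part of the bug report nor of the selinux-policy or bluez projects: it parses an audit.log excerpt, joins each AVC record with the AVC_PATH/PATH records of the same audit event, groups denials by (source type, target type, class, permission), and applies the heuristic from comment 1 as an assumption: a denial on a file-like object carrying a generic label such as var_run_t is usually a labeling problem (restorecon), while a process-to-process denial needs a policy change. The sample records are copied from this bug's own logs, including their line wrapping.

```python
"""Triage the SELinux AVC denials quoted in this bug (added example)."""
import re
from collections import defaultdict

# Heuristic (assumption for this example): generic labels that an object
# usually carries only because it was created while the policy was not
# enforced for that service, as comment 2 describes.
GENERIC_FILE_TYPES = {"var_run_t", "var_lib_t", "var_t", "tmp_t"}
FILE_CLASSES = {"file", "dir", "sock_file", "lnk_file", "fifo_file",
                "chr_file", "blk_file"}

EVENT_RE = re.compile(r"msg=audit\((?P<event>[\d.]+:\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]+)\}")


def parse_records(text):
    """Yield (record_type, event_id, fields, raw_record) per audit record.

    Lines that do not start a record (the wrapped continuation lines in
    the quoted logs) are glued back onto the preceding record.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") and "msg=audit(" in line:
            records.append(line)
        elif records:
            records[-1] += " " + line
    for rec in records:
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rec)}
        ev = EVENT_RE.search(rec)
        yield fields.get("type"), ev.group("event") if ev else None, fields, rec


def selinux_type(context):
    """Type field of a context such as user_u:system_r:bluetooth_t:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def classify(target_type, tclass):
    """'labeling' (fix with restorecon) or 'policy' (needs an allow rule)."""
    if tclass in FILE_CLASSES and target_type in GENERIC_FILE_TYPES:
        return "labeling"
    return "policy"


def summarise(text):
    """Group denials by (source type, target type, class, permission)."""
    paths = defaultdict(set)  # event id -> object paths from PATH/AVC_PATH
    avcs = []
    for rtype, event, fields, rec in parse_records(text):
        if rtype in ("AVC_PATH", "PATH") and event:
            path = fields.get("path") or fields.get("name")
            if path:
                paths[event].add(path)
        elif rtype == "AVC":
            m = PERM_RE.search(rec)
            if m:
                avcs.append((event, fields, m.group("perms").split()))
    summary = {}
    for event, f, perms in avcs:  # second pass: PATH records follow the AVC
        src, tgt = selinux_type(f["scontext"]), selinux_type(f["tcontext"])
        for perm in perms:
            key = (src, tgt, f["tclass"], perm)
            entry = summary.setdefault(key, {"count": 0, "comms": set(),
                                             "paths": set(),
                                             "kind": classify(tgt, f["tclass"])})
            entry["count"] += 1
            entry["comms"].add(f.get("comm", "?"))
            entry["paths"].update(paths.get(event, ()))
    return summary


def report(text):
    """One line per denial group, for reading at the console."""
    lines = []
    for (src, tgt, tclass, perm), e in sorted(summarise(text).items()):
        lines.append(f"{e['kind']:8} {src} -> {tgt} {tclass}:{perm} "
                     f"x{e['count']} comm={','.join(sorted(e['comms']))} "
                     f"paths={','.join(sorted(e['paths'])) or '-'}")
    return lines


# Records copied from the bug's own audit.log excerpts (events 792, 1799, 1815).
SAMPLE = """
type=AVC msg=audit(1140998282.608:792): avc:  denied  { unlink } for  pid=3527
comm="sdpd" name="sdp" dev=dm-0 ino=1410118
scontext=user_u:system_r:bluetooth_t:s0 tcontext=user_u:object_r:var_run_t:s0
tclass=sock_file
type=PATH msg=audit(1140998282.608:792): item=0 name="/var/run/sdp" flags=10
inode=1409063 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.216:1799): avc:  denied  { read } for  pid=10139
comm="ps" name="stat" dev=proc ino=26804237
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:udev_t:s0-s0:c0.c255 tclass=file
type=PATH msg=audit(1141087688.216:1799): item=0 name="/proc/409/stat" flags=101
 inode=26804237 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141087688.296:1815): avc:  denied  { connectto } for
pid=10138 comm="bluez-pin" name="X0"
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=AVC_PATH msg=audit(1141087688.296:1815):  path="/tmp/.X11-unix/X0"
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against the sample, the sdpd unlink of /var/run/sdp comes out as "labeling" (the restorecon case from comment 1), while the bluez-pin connectto on /tmp/.X11-unix/X0 and the ps reads of /proc/*/stat come out as "policy", which matches the conclusion of comment 11. Feed it a real `ausearch -m avc` dump instead of SAMPLE to get the same grouping for a live system.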
Comment 12 Russell Coker 2006-03-16 07:35:36 EST
The access to /var/gdm is strange. How is the PIN helper program run? Does
gdm launch it before (or as part of) the system login process?

If it's run as part of a regular user session then it shouldn't be
accessing /var/gdm. If it's run from gdm before the user logs in then we have
to write policy accordingly.

If it runs after you have logged in, did you login as root or some other user?
Comment 13 David Woodhouse 2006-03-16 07:51:50 EST
I wouldn't worry about the failure of anything but the dbus version on an
SE-enabled system. That would really have to be considered a feature, not a bug.

The user is logged in as normal. The PIN helper is run as root, at the time we
want to find a PIN. It's accessing /var/gdm because it wants to find the X
server's auth cookie there, so that it can open a client on the X display and
thus ask the user for the PIN.

As I said, you really don't want that to work on an SE-enabled system.
Concentrate on the final one instead, where the user is running 'bluez-pin
--dbus' as part of the login session, and hcid tries to use dbus to communicate
with it.
Comment 14 Russell Coker 2006-03-16 08:42:36 EST
How would I go about reproducing this given that I don't own any bluetooth
hardware?

I run "bluez-pin --dbus" and it displays nothing on screen but has an open
connection to the X server which receives events on mouse clicks in other
windows. Whether I do it in permissive or enforcing mode makes no apparent
difference.
Comment 15 David Woodhouse 2006-03-16 09:18:38 EST
That seems right -- it wasn't the bluez-pin side which was having problems. The
problem was with hcid, which is the dæmon which monitors the bluetooth devices.
When we need a PIN to pair with something, it'll send a message via dbus to the
listening bluez-pin. It's sending that message which was failing, I believe.

The easiest way to test this is to build your own bluez-utils package. Add a
little wrapper function around hcid_dbus_request_pin() in hcid/dbus.c, something
like this:

void rq_fake_pin(void)
{
    /* made-up remote address, marked as an outgoing connection */
    struct hci_conn_info ci = { .bdaddr = { 1,2,3,4,5,6 }, .out = 1 };

    /* request a PIN for device 0 as hcid would on a real pairing */
    hcid_dbus_request_pin(0, &ci);
}

Then run 'hcid -n' in gdb and 'p rq_fake_pin()' to make it request a pin.
Comment 16 Stefan Becker 2006-03-16 10:30:33 EST
No, it's not the message sending which fails, hcid startup fails completely if
you select "dbus_pin_helper". See /var/log/messages when you run "service
bluetooth start":

Mar 15 18:21:55 baraddur hcid[3111]: Bluetooth HCI daemon
Mar 15 18:21:55 baraddur hcid[3111]: Can't get system message bus name:
Connection ":1.20" is not allowed to own the service "org.bluez" due to SELinux
policy
Mar 15 18:21:55 baraddur hcid[3111]: Unable to get on D-BUS

If you check with "service bluetooth status" after this you'll see that hcid is
*NOT* running.


I agree, you don't need to fix "normal" bluepin/bluez-pin operation under
SELinux as the DBUS configuration is the default in hcid.conf.
Comment 17 Stefan Becker 2006-04-29 00:26:38 EDT
It works OK now with the latest stuff for FC5, i.e. hcid can now connect to D-BUS
and therefore talk to bluez-pin:

dbus-glib-0.61-3
dbus-x11-0.61-3
dbus-devel-0.61-3
dbus-0.61-3
dbus-python-0.61-3
bluez-libs-2.25-1
bluez-pin-0.30-2
bluez-utils-2.25-4
bluez-libs-devel-2.25-1
selinux-policy-targeted-2.2.34-3.fc5
