Bug 185817 - selinux denials of bluez-pin
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: gdm
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-03-18 14:04 EST by David Baron
Modified: 2007-11-30 17:11 EST
Last Closed: 2007-09-22 08:05:31 EDT
Description David Baron 2006-03-18 14:04:36 EST
Description of problem:  I did an install of FC5t3, upgraded to development, and
just to be sure, did a restorecon -r -v on most toplevel directories.  I see
selinux denials in a pretty-close-to-default install (although I've turned off
some services) related to bluez-pin.  The denials happen when I log in to GNOME
from gdm.  Sometimes they look like this:

type=AVC msg=audit(1142707722.113:106): avc:  denied  { use } for  pid=28209
comm="bluez-pin" name="[203655]" dev=pipefs ino=203655
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1142707722.113:106): avc:  denied  { use } for  pid=28209
comm="bluez-pin" name="[203655]" dev=pipefs ino=203655
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd

But sometimes (originally, and again since the restorecon) like this:

type=AVC msg=audit(1142708490.610:137): avc:  denied  { use } for  pid=2060
comm="bluez-pin" name="[212972]" dev=pipefs ino=212972
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1142708490.610:137): avc:  denied  { use } for  pid=2060
comm="bluez-pin" name="[212972]" dev=pipefs ino=212972
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1142708490.654:138): avc:  denied  { search } for  pid=2060
comm="bluez-pin" name=".X11-unix" dev=sda6 ino=47611914
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1142708492.354:139): avc:  denied  { read } for  pid=2060
comm="bluez-pin" name="resolv.conf" dev=sda6 ino=10781621
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1142708492.354:140): avc:  denied  { name_connect } for 
pid=2060 comm="bluez-pin" dest=6000
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

I don't know what this is breaking (or perhaps bluez-pin is doing something it
shouldn't be), but it seems to me that there shouldn't be selinux denials just
logging in in the default install.

Version-Release number of selected component (if applicable):
bluez-pin-0.30-2
selinux-policy-2.2.23-15
selinux-policy-targeted-2.2.23-15

How reproducible:
always, although with two variants

Steps to Reproduce:
1. log in to GNOME from gdm
2. grep denied /var/log/audit/audit.log
  
Actual results:  selinux denials of things bluez-pin is doing

Expected results:  no selinux denials in normal use in default install
Comment 1 Christian Nolte 2006-03-30 11:23:17 EST
I see the same type of problems with an actual FC5 installation. I did an
upgrade from FC4 to FC5 via anaconda. At least the first type of messages the
original poster mentions are visible in audit.log:

type=AVC msg=audit(1143668235.915:56): avc:  denied  { use } for  pid=5100
comm="bluez-pin" name="[12631]" dev=pipefs ino=12631
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1143668235.915:56): avc:  denied  { use } for  pid=5100
comm="bluez-pin" name="[12631]" dev=pipefs ino=12631
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1143668745.020:168): avc:  denied  { use } for  pid=6027
comm="bluez-pin" name="[21489]" dev=pipefs ino=21489
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1143668745.020:168): avc:  denied  { write } for  pid=6027
comm="bluez-pin" name="[21489]" dev=pipefs ino=21489
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1143668953.405:225): avc:  denied  { use } for  pid=6305
comm="bluez-pin" name="[23457]" dev=pipefs ino=23457
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1143668953.405:225): avc:  denied  { write } for  pid=6305
comm="bluez-pin" name="[23457]" dev=pipefs ino=23457
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1143669188.100:315): avc:  denied  { use } for  pid=7166
comm="bluez-pin" name="[30130]" dev=pipefs ino=30130
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1143669188.100:315): avc:  denied  { write } for  pid=7166
comm="bluez-pin" name="[30130]" dev=pipefs ino=30130
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1143673289.132:491): avc:  denied  { use } for  pid=7166
comm="bluez-pin" name="[30130]" dev=pipefs ino=30130
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1143673289.132:491): avc:  denied  { write } for  pid=7166
comm="bluez-pin" name="[30130]" dev=pipefs ino=30130
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1143700988.924:43): avc:  denied  { use } for  pid=2786
comm="bluez-pin" name="[8931]" dev=pipefs ino=8931
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1143700988.924:43): avc:  denied  { use } for  pid=2786
comm="bluez-pin" name="[8931]" dev=pipefs ino=8931
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd

audit2why reports:

type=AVC msg=audit(1143673289.132:491): avc:  denied  { write } for  pid=7166
comm="bluez-pin" name="[30130]" dev=pipefs ino=30130
scontext=user_u:system_r:bluetooth_helper_t:s0
tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
        Was caused by:
                Missing or disabled TE allow rule.
                Allow rules may exist but be disabled by boolean settings; check
boolean settings.
                You can see the necessary allow rules by running audit2allow
with this audit message as input.

audit2allow says that these are the missing rules:

allow bluetooth_helper_t xdm_t:fd use;
allow bluetooth_helper_t xdm_t:fifo_file write;

Comment 2 Christian Nolte 2006-03-30 11:24:56 EST
I forgot the versions:

bluez-pin-0.30-2
selinux-policy-2.2.25-2.fc5
Comment 3 Daniel Walsh 2006-04-03 11:55:47 EDT
With the machine in enforcing mode, is the bluetooth working?  I.e., are these
denials actually necessary, or are they caused by a leaking file descriptor in xdm?
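
Added example, not part of the original comments and not the audit2allow source: a small parser that collapses AVC denials like the ones quoted in this report into allow-rule form (as in Comment 1) and separates out the ones that fit the inherited-descriptor pattern asked about in Comment 3. The sample records are copied from this report and re-joined onto one line each; the function names and the role-based heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: denials quoted in this report, one record per line.
SAMPLE = """\
type=AVC msg=audit(1143668745.020:168): avc:  denied  { use } for  pid=6027 comm="bluez-pin" name="[21489]" dev=pipefs ino=21489 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1143668745.020:168): avc:  denied  { write } for  pid=6027 comm="bluez-pin" name="[21489]" dev=pipefs ino=21489 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fifo_file
type=AVC msg=audit(1143668953.405:225): avc:  denied  { use } for  pid=6305 comm="bluez-pin" name="[23457]" dev=pipefs ino=23457 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c255 tclass=fd
type=AVC msg=audit(1142708490.654:138): avc:  denied  { search } for  pid=2060 comm="bluez-pin" name=".X11-unix" dev=sda6 ino=47611914 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1142708492.354:140): avc:  denied  { name_connect } for  pid=2060 comm="bluez-pin" dest=6000 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_denials(log_text):
    """Return (rules, roles): rules maps (source type, target type, class)
    to the set of denied permissions; roles keeps the target context's role.
    Repeated records for the same access collapse into one entry."""
    rules, roles = defaultdict(set), {}
    for m in AVC_RE.finditer(log_text):
        scon, tcon = m["scon"].split(":"), m["tcon"].split(":")
        key = (scon[2], tcon[2], m["tclass"])  # field 2 of a context is the type
        rules[key].update(m["perms"].split())
        roles[key] = tcon[1]
    return rules, roles

def allow_rules(rules):
    """Render the collapsed denials in allow-rule syntax, sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

def inherited_descriptor_keys(rules, roles):
    """Heuristic (assumption of this example): an fd or fifo_file labelled
    with another process domain (role is not object_r) was opened by that
    domain, so the denied process most likely inherited it."""
    return sorted(k for k in rules
                  if k[2] in ("fd", "fifo_file")
                  and roles[k] != "object_r" and k[0] != k[1])

if __name__ == "__main__":
    rules, roles = parse_denials(SAMPLE)
    print("\n".join(allow_rules(rules)))
    print("possible inherited descriptors:", inherited_descriptor_keys(rules, roles))
```

The flagged entries are the ones to check against the parent process's open descriptors before any allow rule is considered; the remaining entries describe accesses bluez-pin attempted itself.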
Comment 4 David Baron 2006-04-03 14:53:50 EDT
No idea.  I don't have any bluetooth stuff.
Comment 5 Daniel Walsh 2006-04-05 09:15:56 EDT
Jeremy, do you think this is a file descriptor leak?
Comment 7 Daniel Walsh 2006-09-18 15:23:09 EDT
Fixed in selinux-policy-2.3.14-3
Comment 8 A S Alam 2007-09-19 07:31:38 EDT
Can someone please check and confirm this bug?
