Description of problem: SELinux is preventing brltty from 'create' accesses on the bluetooth_socket labeled brltty_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that brltty should be allowed create access on bluetooth_socket labeled brltty_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'brltty' --raw | audit2allow -M my-brltty # semodule -X 300 -i my-brltty.pp Additional Information: Source Context system_u:system_r:brltty_t:s0 Target Context system_u:system_r:brltty_t:s0 Target Objects Unknown [ bluetooth_socket ] Source brltty Source Path brltty Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-3.14.6-36.fc33.noarch Local Policy RPM selinux-policy-targeted-3.14.6-36.fc33.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.11.11-200.fc33.x86_64 #1 SMP Tue Mar 30 16:53:32 UTC 2021 x86_64 x86_64 Alert Count 12 First Seen 2021-04-03 17:21:40 CEST Last Seen 2021-04-03 17:22:35 CEST Local ID 846027de-4cb8-401d-85f4-6d5dccdd8f40 Raw Audit Messages type=AVC msg=audit(1617463355.470:556): avc: denied { create } for pid=697 comm="brltty" scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:brltty_t:s0 tclass=bluetooth_socket permissive=0 Hash: brltty,brltty_t,brltty_t,bluetooth_socket,create Version-Release number of selected component: selinux-policy-targeted-3.14.6-36.fc33.noarch Additional info: component: selinux-policy reporter: libreport-2.14.0 hashmarkername: setroubleshoot kernel: 5.11.11-200.fc33.x86_64 type: libreport
Francisco, Can you switch the system into SELinux permissive mode, or create a custom policy: # cat local_brltty.cil (allow brltty_t brltty_t (bluetooth_socket (create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown))) # semodule -i local_brltty.cil to check if there are any additional denials? I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/682
Hello there, Since I do not need selinux for anything, I completely disabled it, and everything after that was fine. I simply wanted to report it so you'd be aware of it. Thank you and kind regards.
Francisco, Thank you for the report, the PR is already there and the fix, hopefully complete, will be a part of the next build.
Backported to F33.
FEDORA-2021-050d4e8def has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-050d4e8def
FEDORA-2021-050d4e8def has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-050d4e8def` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-050d4e8def See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-050d4e8def has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.