Description of problem:
SSIA

Version-Release number of selected component (if applicable):
bluez-utils-2.25-4

How reproducible:
Always

Steps to Reproduce:
1. service hidd start
2. select Remote Desktop from your phone menu

Actual results:
Aug 30 18:43:40 stinker hcid[3389]: link_key_request (sba=SNIP, dba=SNIP)
Aug 30 18:43:40 stinker hidd[3783]: HID create error 13 (Permission denied)
Aug 30 18:43:40 stinker kernel: audit(1156956220.482:29): avc: denied { read } for pid=3783 comm="hidd" name="hidd" dev=sda1 ino=4300071 scontext=user_u:system_r:bluetooth_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file

Expected results:
guess what :) it works great after setenforce 0
(kernel: input: Bluetooth HID Boot Protocol Device as /class/input/input4)
BTW, audit2allow says:
allow bluetooth_t var_lib_t:file read;
Do you know which file/directory this is? Which bluetooth rpms do you have installed?
$ ls -dZ /var/lib/bluetooth/
drwxr-xr-x  root root user_u:object_r:var_lib_t        /var/lib/bluetooth/
$ rpm -qa | grep ^bluez
bluez-libs-2.25-1
bluez-utils-2.25-4
bluez-pin-0.30-2

HTH
Fixed in selinux-policy-2.3.14-3
That's not sufficient, at least in rawhide. Now we get...

accept(4, {sa_family=AF_BLUETOOTH, sa_data="\21\0\27~\300\224\n\0\0m\221\251\177\355"}, [10]) = 7
getsockname(7, 0x7fed8ff6, [10]) = -1 EACCES (Permission denied)

audit(1159480772.521:12): avc: denied { getattr } for pid=1804 comm="hidd" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket
I also see this (with setenforce 0):

audit(1159518792.004:35): avc: denied { write } for pid=5852 comm="khidpd_00000000" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket
(In reply to comment #5)
> That's not sufficient, at least in rawhide. Now we get...
>
> accept(4, {sa_family=AF_BLUETOOTH,
> sa_data="\21\0\27~\300\224\n\0\0m\221\251\177\355"}, [10]) = 7
> getsockname(7, 0x7fed8ff6, [10]) = -1 EACCES (Permission denied)
>
> audit(1159480772.521:12): avc: denied { getattr } for pid=1804 comm="hidd"
> scontext=system_u:system_r:bluetooth_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket

Userland sockets should never end up unlabeled. Can you post a full strace -f of the program from start?
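Added example, not code from this bug or from the bluez or selinux-policy projects: a small Python triage script that parses the "avc: denied" records quoted in this thread (comments #0, #5 and #6), renders an audit2allow-style rule for an ordinary policy gap like the var_lib_t read, and instead flags denials whose target is unlabeled_t as labeling bugs, since an allow rule against unlabeled_t would only paper over the missing socket label. The regular expressions and the SAMPLE lines are constructed for this example.

```python
import re

# Matches the "avc: denied { perms } for key=value ..." part of an audit
# record, whether it arrives via syslog ("kernel: audit(...)") or raw.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm="hidd") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the record's fields plus a 'perms' list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """user_u:object_r:var_lib_t:s0 -> var_lib_t (type is the third field)."""
    return ctx.split(":")[2]

def allow_rule(rec):
    """Render one denial as an audit2allow-style allow rule."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (context_type(rec["scontext"]),
                                   context_type(rec["tcontext"]),
                                   rec["tclass"], perm_str)

def triage(lines):
    """Split denials into candidate allow rules and unlabeled_t labeling bugs."""
    rules, labeling_bugs = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if context_type(rec["tcontext"]) == "unlabeled_t":
            labeling_bugs.append(rec)   # object never got a label: kernel/policy bug
        else:
            rules.append(allow_rule(rec))
    return rules, labeling_bugs

# Constructed sample input, shaped like the three denials quoted in this bug.
SAMPLE = [
    'Aug 30 18:43:40 stinker kernel: audit(1156956220.482:29): avc: denied { read } for pid=3783 comm="hidd" name="hidd" dev=sda1 ino=4300071 scontext=user_u:system_r:bluetooth_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file',
    'audit(1159480772.521:12): avc: denied { getattr } for pid=1804 comm="hidd" scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket',
    'audit(1159518792.004:35): avc: denied { write } for pid=5852 comm="khidpd_00000000" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=socket',
]
```

Running triage(SAMPLE) yields the single rule from comment #1 and two flagged socket denials, matching the split between the first fix and the later rawhide problem.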
Suspect selinux_sock_graft is erroneously replacing the isec->sid of accepted sockets that are not INET and thus never get their sksec->sid set up properly.
Actually, INET | INET6 | LOCAL should be ok I believe, but other families wouldn't have the necessary hooks to set up the sksec SID.
Created attachment 137414
Potential fix.

This makes it work, but could do with vetting by someone who actually understands the code in question.