Bug 444606 - service bluetooth fails to selinux
Product: Fedora
Classification: Fedora
Component: kdebase
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Ngo Than
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-29 10:56 EDT by Juha Tuomala
Modified: 2008-07-28 16:35 EDT

Doc Type: Bug Fix
Last Closed: 2008-07-28 16:35:52 EDT

Description Juha Tuomala 2008-04-29 10:56:06 EDT
Description of problem:

I plug bt adapter into USB and run 'service bluetooth start' and
get dbus notification about AVC.

type=AVC msg=audit(1209491018.883:82): avc: denied { read write } for pid=10193
comm="rfcomm" path="/var/tmp/kdecache-jutuomal/kpc/kde-icon-cache.data" dev=dm-2
ino=2981925 scontext=unconfined_u:system_r:bluetooth_t:s0
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 

Version-Release number of selected component (if applicable):

How reproducible:


Additional info:

I'm running KDE desktop and kbluetooth applet/plasmoid.
Comment 1 Daniel Walsh 2008-04-29 11:14:44 EDT
Well, first of all, this is a security vulnerability: having a well-known path that
a user can manipulate and get a process running as root to write to it.

There has got to be a better way to handle this.  The inter-process
communication should be taking place in a file directory controlled by rfcomm.

Comment 2 Daniel Walsh 2008-04-29 11:15:25 EDT
You can temporarily allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
Comment 3 Bastien Nocera 2008-04-29 11:58:32 EDT
That must be a kdebluetooth problem, because the bluez-utils don't do any such
Comment 4 Gilboa Davara 2008-04-29 14:23:16 EDT
Actually, I'm seeing the same error on a number of KDE applications running on
the current rawhide.
This doesn't look like a kdebluetooth problem. (I'd venture and guess this is a
generic KDE/SELinux problem).

Nevertheless, I'll do some testing before pushing the bug back to

- Gilboa
Comment 5 Gilboa Davara 2008-04-30 02:01:44 EDT
OK. I'm seeing the same warning on a number of other services.

E.g. (arp, ip)
host=gilboa-vmh-rawhide64 type=AVC msg=audit(1209542094.49:765): avc: denied {
read write } for pid=4303 comm="arping"
path="/var/tmp/kdecache-gilboa/kpc/kde-icon-cache.index" dev=dm-0 ino=535929
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file host=gilboa-

host=gilboa-vmh-rawhide64 type=AVC msg=audit(1209542093.514:764): avc: denied {
read write } for pid=4300 comm="ip"
path="/var/tmp/kdecache-gilboa/kpc/kde-icon-cache.index" dev=dm-0 ino=535929
tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 

Refiling against SELinux.

- Gilboa
Comment 6 Daniel Walsh 2008-05-07 13:55:07 EDT
This is a leaked file descriptor from the kde login/session.

All open file descriptors need to be closed on exec.

Comment 7 Bug Zapper 2008-05-14 06:22:44 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
Comment 8 Steven M. Parrish 2008-06-23 16:48:07 EDT
Has this been resolved in KDE 4.0.5?
Comment 9 Juha Tuomala 2008-06-24 03:26:53 EDT
> Changing version to '9' as part of upcoming Fedora 9 GA.

> Has this been resolved in KDE 4.0.5?

I don't know. I've filed this against f8 and that is still a supported release
and that's what I will be using for quite a while.
Comment 10 Juha Tuomala 2008-06-24 03:29:44 EDT
err, that was rawhide. Well, don't have that installation anymore.
Comment 11 Kevin Kofler 2008-06-24 03:34:33 EDT
That "kpc" directory is the KDE 4 icon cache (it stands for "KDE Pixmap 
Cache"). It can't be a kdebluetooth issue, as kdebluetooth is still KDE 3.
Comment 12 Steven M. Parrish 2008-07-28 16:35:52 EDT
Going to close this with the impending release of KDE4.1. If you find this is
still an issue feel free to reopen this bug.
