bluetooth on FC5

Charles-Edouard Ruault ce at ruault.com
Wed Apr 26 10:58:08 UTC 2006


Charles-Edouard Ruault wrote:
> Charles-Edouard Ruault wrote:
>> Hi All,
>>
>> i've compiled and installed kdebluetooth on my Fedora ppc distro, i'm 
>> trying to get the stuff working and i'm getting the following 
>> problems related to SELinux:
>>
>> When i want to browse a device which is not yet paired with the 
>> laptop i'm getting errors, because hcid is denied a few filesystem 
>> operations:
>>
>> audit(1146044994.917:786): avc:  denied  { create } for  pid=1836 
>> comm="hcid" name="bluetooth" 
>> scontext=system_u:system_r:bluetooth_t:s0 
>> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
>>
>> I've then straced hcid and found out that it's trying to create a 
>> directory /var/lib/bluetooth and that this operation is being denied 
>> ( thus the above log ).
>> I've manually created the directory:
>> mkdir -p /var/lib/bluetooth/
>> and then
>> chcon system_u:object_r:bluetooth_var_lib_t bluetooth
>>
>> and now everything's fine.
>> So i guess two things could be done in order to fix this :
>>
>> 1) allow hcid to create a dir in /var/lib ( i.e add this to the 
>> policy : allow bluetooth_t var_lib_t:dir create; )
>> 2) during installation of the bluetooth packages, create the 
>> /var/lib/bluetooth directory and tag it properly.
>>
> Ok i spoke too quickly, after trying to pair with my phone i got the 
> following avc message:
> audit(1146046683.267:792): avc:  denied  { execute_no_trans } for  
> pid=3742 comm="sh" name="kbluepin" dev=hda10 ino=1740403 
> scontext=user_u:system_r:bluetooth_t:s0 
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> So we should also add the following to the policy:
> allow bluetooth_t lib_t:file execute_no_trans;
>
>
Sorry for the noise, here's the follow up on my findings:

I figured out that it was because i manually compiled & installed kbluepin.
I simply relabeled the binary as follows and was able to move on ( just 
one step further unfortunately ):

chcon system_u:object_r:bluetooth_helper_exec_t /usr/lib/kdebluetooth/kbluepin

Then, trying to pair, i got the following:

Apr 26 12:49:06 kaluha hcid[3727]: link_key_request 
(sba=00:0D:93:05:FF:AE, dba=00:12:62:A3:80:A5)
Apr 26 12:49:06 kaluha hcid[3727]: pin_code_request 
(sba=00:0D:93:05:FF:AE, dba=00:12:62:A3:80:A5)
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:843): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:844): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="spool" dev=hda11 
ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:845): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:846): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.279:847): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.279:848): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="spool" dev=hda11 
ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.279:849): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="spool" dev=hda11 
ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.283:850): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="ftp" dev=hda11 ino=131074 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:public_content_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.283:851): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.287:852): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="www" dev=hda11 ino=262145 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.291:853): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.295:854): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="named" dev=hda11 ino=98307 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.295:855): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="spool" dev=hda11 
ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.295:856): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="spool" dev=hda11 
ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:857): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:858): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:859): avc:  denied  
{ search } for  pid=4261 comm="kbluepin" name="lib" dev=hda11 ino=294913 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:860): avc:  denied  
{ dac_override } for  pid=4261 comm="kbluepin" capability=1 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:861): avc:  denied  
{ dac_read_search } for  pid=4261 comm="kbluepin" capability=2 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:862): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="beagle" dev=hda11 ino=32835 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:863): avc:  denied  
{ read } for  pid=4261 comm="kbluepin" name="gdm" dev=hda11 ino=425986 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=system_u:object_r:xserver_log_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:864): avc:  denied  
{ dac_override } for  pid=4261 comm="kbluepin" capability=1 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:865): avc:  denied  
{ dac_read_search } for  pid=4261 comm="kbluepin" capability=2 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability

which should translate to the following rules ( why is bluezpin 
searching through that many directories .... )

allow bluetooth_helper_t self:capability { dac_override dac_read_search };
allow bluetooth_helper_t httpd_sys_content_t:dir read;
allow bluetooth_helper_t named_zone_t:dir read;
allow bluetooth_helper_t public_content_t:dir read;
allow bluetooth_helper_t sbin_t:dir read;
allow bluetooth_helper_t var_lib_t:dir search;
allow bluetooth_helper_t var_spool_t:dir search;
allow bluetooth_helper_t var_t:dir read;
allow bluetooth_helper_t xserver_log_t:dir read;

Then i reverted to bluez-pin ( default ) and then got the following :

Apr 26 12:52:10 kaluha hcid[4351]: link_key_request 
(sba=00:0D:93:05:FF:AE, dba=00:12:62:A3:80:A5)
Apr 26 12:52:10 kaluha hcid[4351]: pin_code_request 
(sba=00:0D:93:05:FF:AE, dba=00:12:62:A3:80:A5)
Apr 26 12:52:10 kaluha kernel: audit(1146048730.536:889): avc:  denied  
{ search } for  pid=4363 comm="sh" name="home" dev=hda9 ino=1048577 
scontext=user_u:system_r:bluetooth_t:s0 
tcontext=system_u:object_r:home_root_t:s0 tclass=dir
Apr 26 12:52:10 kaluha kernel: audit(1146048730.580:890): avc:  denied  
{ dac_override } for  pid=4363 comm="bluez-pin" capability=1 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability
Apr 26 12:52:10 kaluha kernel: audit(1146048730.580:891): avc:  denied  
{ dac_read_search } for  pid=4363 comm="bluez-pin" capability=2 
scontext=user_u:system_r:bluetooth_helper_t:s0 
tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability
Apr 26 12:52:10 kaluha hcid[4362]: PIN helper exited abnormally with 
code 256

which translates to the following policy changes:
allow bluetooth_helper_t self:capability { dac_override dac_read_search };
allow bluetooth_t home_root_t:dir search;

-- 
Charles-Edouard Ruault
GPG key Id E4D2B80C
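
The hand translation from AVC denials to allow rules in the message above, as an added example that is not part of the original post: a simplified Python stand-in for what audit2allow does, run over five denial records copied from the kbluepin log above and unwrapped to one per line. The function names are hypothetical. It also lists the capability grants separately, since dac_override bypasses ordinary file permission checks and a generated rule shows what the program attempted, not what it needs.

```python
import re
from collections import defaultdict

# Denial records copied from the kbluepin log in the post, unwrapped to one per line.
SAMPLE_LOG = """\
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:843): avc:  denied  { read } for  pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:844): avc:  denied  { search } for  pid=4261 comm="kbluepin" name="spool" dev=hda11 ino=491521 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.275:845): avc:  denied  { read } for  pid=4261 comm="kbluepin" name="sbin" dev=hda9 ino=589825 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:860): avc:  denied  { dac_override } for  pid=4261 comm="kbluepin" capability=1 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability
Apr 26 12:49:06 kaluha kernel: audit(1146048546.299:861): avc:  denied  { dac_read_search } for  pid=4261 comm="kbluepin" capability=2 scontext=user_u:system_r:bluetooth_helper_t:s0 tcontext=user_u:system_r:bluetooth_helper_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """A context is user:role:type[:level]; policy rules are written on the type."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Collapse AVC denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # hcid messages and other non-AVC lines are ignored
        src, tgt = type_of(m["scon"]), type_of(m["tcon"])
        if src == tgt:
            tgt = "self"  # a domain acting on itself, e.g. capability checks
        grouped[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules


def flag_for_review(rules):
    """Capability grants widen a domain far more than a single dir read does."""
    return [r for r in rules if ":capability " in r]


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```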



