authorNaga Bhavani Akella <quic_nakella@quicinc.com>2024-08-16 10:54:24 +0530
committerJason Zaman <perfinion@gentoo.org>2024-09-21 15:28:29 -0700
commit4b469439447303847f750af5853231ea880985dc (patch)
treeccc6509ef6a0f069a86ade5f7006e15dffeb12c0
parentkubernetes: allow kubelet to connect all TCP ports (diff)
Add SELinux policy rules allowing the dbus and bluetooth domains to use unix stream sockets when GATT notifications are turned on by a remote device.
Below are the avc denials that are resolved - 1. AVC avc: denied { use } for pid=916 comm="dbus-daemon" path="socket:[71126]" dev="sockfs" ino=71126 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tclass=fd permissive=0 2. AVC avc: denied { read write } for pid=913 comm="dbus-daemon" path="socket:[25037]" dev="sockfs" ino=25037 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=0 3. AVC avc: denied { use } for pid=910 comm="bluetoothd" path="socket:[23966]" dev="sockfs" ino=23966 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tclass=fd permissive=0 4. AVC avc: denied { read write } for pid=2229 comm="bluetoothd" path="socket:[27264]" dev="sockfs" ino=27264 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=0 Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r--policy/modules/services/bluetooth.if22
-rw-r--r--policy/modules/services/bluetooth.te3
-rw-r--r--policy/modules/services/dbus.te1
3 files changed, 26 insertions, 0 deletions
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 0f45a8cc2..bc3a72c15 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -188,6 +188,28 @@ interface(`bluetooth_dontaudit_read_helper_state',`
dontaudit $1 bluetooth_helper_t:file read_file_perms;
')
+#####################################
+## <summary>
+## Connect to bluetooth over a unix domain
+## stream socket. The socket can be used
+## for read and write. This is required for
+# bluetooth helper context.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_use_inherited_helper_stream_sockets',`
+ gen_require(`
+ type bluetooth_helper_t;
+ ')
+
+ allow $1 bluetooth_helper_t:unix_stream_socket rw_socket_perms;
+ allow $1 bluetooth_helper_t:fd use;
+')
+
########################################
## <summary>
## All of the rules required to
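Review bot: The new interface grants `rw_socket_perms` on bluetooth_helper_t:unix_stream_socket, which also covers bind, connect, setattr and shutdown, while the four denials quoted in the commit message only show `{ read write }` on an already-connected socket plus `fd use`; for a socket inherited from the helper, `allow $1 bluetooth_helper_t:unix_stream_socket { read write };` (extended only if a later denial shows getattr or ioctl) keeps the grant to what the helper actually hands over. The doc block is also defective: the line `# bluetooth helper context.` uses a single `#`, so it is not collected into the interface XML documentation and the summary ends mid-sentence at "This is required for" — it should read `## bluetooth helper context.`. The summary's opening "Connect to bluetooth" overstates what the rules allow, since no connect to a named socket is granted; wording along the lines of "Read and write inherited bluetooth helper unix stream sockets and use its file descriptors." matches the interface name.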
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 10d099d3d..baf1016f0 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -77,6 +77,9 @@ filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file
allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
+bluetooth_use_inherited_helper_stream_sockets(bluetooth_t)
+
+
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
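Review bot: bluetooth_t and bluetooth_helper_t are both declared in this module, so calling the module's own interface `bluetooth_use_inherited_helper_stream_sockets(bluetooth_t)` from bluetooth.te is unusual; refpolicy convention is generally to write the rule directly in the .te, `allow bluetooth_t bluetooth_helper_t:unix_stream_socket { read write };` and `allow bluetooth_t bluetooth_helper_t:fd use;`, grouped with the other bluetooth_t/bluetooth_helper_t rules rather than between the lock-file and tmp-file rules. The two added blank lines are also one more than needed; a single blank line separates rule groups.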
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 58ac501d3..fcb45ccd9 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -272,6 +272,7 @@ optional_policy(`
optional_policy(`
bluetooth_use(system_dbusd_t)
+ bluetooth_use_inherited_helper_stream_sockets(system_dbusd_t)
')
optional_policy(`