@@ -193,7 +193,7 @@ optional_policy(`
')
optional_policy(`
- bluetooth_stream_connect(pulseaudio_t)
+ bluetooth_use(pulseaudio_t)
')
optional_policy(`
@@ -85,6 +85,29 @@ interface(`bluetooth_stream_connect',`
stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
')
+#####################################
+## <summary>
+## Connect to bluetooth over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bluetooth_use',`
+ gen_require(`
+ type bluetooth_t, bluetooth_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
+ allow $1 bluetooth_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 bluetooth_t:fd use;
+ bluetooth_stream_connect($1);
+')
+
########################################
## <summary>
## Execute bluetooth in the bluetooth domain.
@@ -265,7 +265,7 @@ optional_policy(`
')
optional_policy(`
- bluetooth_stream_connect(system_dbusd_t)
+ bluetooth_use(system_dbusd_t)
')
optional_policy(`
@@ -31,7 +31,7 @@ miscfiles_read_localization(obex_t)
userdom_search_user_home_content(obex_t)
optional_policy(`
- bluetooth_stream_connect(obex_t)
+ bluetooth_use(obex_t)
')
optional_policy(`
Required for using acquire-notify, acquire-write options (Gatt Client) and Sending notifications (Gatt Server) Below are the avc denials that are fixed with this patch - 1. audit: type=1400 audit(1651238006.276:496): avc: denied { read write } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 2. audit: type=1400 audit(1651238006.276:497): avc: denied { getattr } for pid=2165 comm="bluetoothd" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 3. audit: type=1400 audit(1651238006.272:495): avc: denied { read write } for pid=689 comm="dbus-daemon" path="socket:[43207]" dev="sockfs" ino=43207 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket permissive=1 4. audit: type=1400 audit(315966559.395:444): avc: denied { use } for pid=710 comm="dbus-daemon" path="socket:[13196]" dev="sockfs" ino=13196 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0 5. audit: type=1400 audit(315999854.939:523): avc: denied { read write } for pid=812 comm="dbus-daemon" path="socket:[99469]" dev="sockfs" ino=99469 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1 Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com> --- policy/modules/apps/pulseaudio.te | 2 +- policy/modules/services/bluetooth.if | 23 +++++++++++++++++++++++ policy/modules/services/dbus.te | 2 +- policy/modules/services/obex.te | 2 +- 4 files changed, 26 insertions(+), 3 deletions(-) --