Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch | 65 |
1 files changed, 65 insertions, 0 deletions
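--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
@@ -0,0 +1,65 @@
+From dfc3e78dfee0709bcbfc2d1959e5b7c27922b1b7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 08:54:20 +0800
+Subject: [PATCH] policy/modules/services/bluetooth: allow bluetooth_t to
+create and use bluetooth_socket
+
+Fixes:
+type=AVC msg=audit(1592813138.485:17): avc: denied { create } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.485:18): avc: denied { bind } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.485:19): avc: denied { write } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.488:20): avc: denied { getattr } for
+pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
+scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.488:21): avc: denied { listen } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.498:22): avc: denied { read } for
+pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
+scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/services/bluetooth.te | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
+index 025eff444..63e50aeda 100644
+--- a/policy/modules/services/bluetooth.te
++++ b/policy/modules/services/bluetooth.te
+@@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { accept connectto listen };
+allow bluetooth_t self:tcp_socket { accept listen };
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
+
+read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+
+@@ -127,6 +128,8 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+userdom_dontaudit_use_user_terminals(bluetooth_t)
+userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+
++init_dbus_send_script(bluetooth_t)
++
+optional_policy(`
+dbus_system_bus_client(bluetooth_t)
+dbus_connect_system_bus(bluetooth_t)
+--
+2.17.1
+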
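Review bot: The `init_dbus_send_script(bluetooth_t)` line added by the second inner hunk of bluetooth.te is not justified by anything in the patch header: every AVC record quoted there is for `tclass=bluetooth_socket`, and none shows a dbus message from bluetooth_t to an init script. Either quote the denial that motivates it in the header or carry it as a separate patch, so that each permission granted to the daemon traces back to an observed access. It also sits just above, rather than inside, the `optional_policy(` block that holds the other dbus rules for bluetooth_t; that block continues past the end of the hunk, so whether the placement is deliberate cannot be told from here. On the first hunk, `create_stream_socket_perms` grants more than the six logged permissions (create, bind, write, getattr, listen, read), and the records were captured with `permissive=1`, so the set is worth confirming under enforcing mode and stating in the header, for example `The macro is used to match the existing self:socket rule; verified in enforcing mode.`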