1 files changed, 65 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
new file mode 100644
index 0000000..39e72e8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
@@ -0,0 +1,65 @@
+From dfc3e78dfee0709bcbfc2d1959e5b7c27922b1b7 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 23 Jun 2020 08:54:20 +0800
+Subject: [PATCH] policy/modules/services/bluetooth: allow bluetooth_t to
+ create and use bluetooth_socket
+Fixes:
+type=AVC msg=audit(1592813138.485:17): avc:  denied  { create } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.485:18): avc:  denied  { bind } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.485:19): avc:  denied  { write } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.488:20): avc:  denied  { getattr } for
+pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
+scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.488:21): avc:  denied  { listen } for
+pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+type=AVC msg=audit(1592813138.498:22): avc:  denied  { read } for
+pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
+scontext=system_u:system_r:bluetooth_t
+tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
+permissive=1
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/services/bluetooth.te | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
+index 025eff444..63e50aeda 100644
+--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
+@@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_stream_socket_perms;
+ allow bluetooth_t self:unix_stream_socket { accept connectto listen };
+ allow bluetooth_t self:tcp_socket { accept listen };
+ allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
+ 
+ read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+ 
+@@ -127,6 +128,8 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+ userdom_dontaudit_use_user_terminals(bluetooth_t)
+ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+ 
+init_dbus_send_script(bluetooth_t)
+
+ optional_policy(`
+        dbus_system_bus_client(bluetooth_t)
+        dbus_connect_system_bus(bluetooth_t)
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch new file mode 100644 index 0000000..39e72e8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-services-bluetooth-allow-bluetooth_t-.patch
@@ -0,0 +1,65 @@
	1	From dfc3e78dfee0709bcbfc2d1959e5b7c27922b1b7 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Tue, 23 Jun 2020 08:54:20 +0800
	4	Subject: [PATCH] policy/modules/services/bluetooth: allow bluetooth_t to
	5	create and use bluetooth_socket
	6
	7	Fixes:
	8	type=AVC msg=audit(1592813138.485:17): avc: denied { create } for
	9	pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
	10	tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
	11	permissive=1
	12	type=AVC msg=audit(1592813138.485:18): avc: denied { bind } for
	13	pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
	14	tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
	15	permissive=1
	16	type=AVC msg=audit(1592813138.485:19): avc: denied { write } for
	17	pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
	18	tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
	19	permissive=1
	20	type=AVC msg=audit(1592813138.488:20): avc: denied { getattr } for
	21	pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
	22	scontext=system_u:system_r:bluetooth_t
	23	tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
	24	permissive=1
	25	type=AVC msg=audit(1592813138.488:21): avc: denied { listen } for
	26	pid=324 comm="bluetoothd" scontext=system_u:system_r:bluetooth_t
	27	tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
	28	permissive=1
	29	type=AVC msg=audit(1592813138.498:22): avc: denied { read } for
	30	pid=324 comm="bluetoothd" path="socket:[11771]" dev="sockfs" ino=11771
	31	scontext=system_u:system_r:bluetooth_t
	32	tcontext=system_u:system_r:bluetooth_t tclass=bluetooth_socket
	33	permissive=1
	34
	35	Upstream-Status: Inappropriate [embedded specific]
	36
	37	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	38	---
	39	policy/modules/services/bluetooth.te \| 3 +++
	40	1 file changed, 3 insertions(+)
	41
	42	diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
	43	index 025eff444..63e50aeda 100644
	44	--- a/policy/modules/services/bluetooth.te
	45	+++ b/policy/modules/services/bluetooth.te
	46	@@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_stream_socket_perms;
	47	allow bluetooth_t self:unix_stream_socket { accept connectto listen };
	48	allow bluetooth_t self:tcp_socket { accept listen };
	49	allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
	50	+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
	51
	52	read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
	53
	54	@@ -127,6 +128,8 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
	55	userdom_dontaudit_use_user_terminals(bluetooth_t)
	56	userdom_dontaudit_search_user_home_dirs(bluetooth_t)
	57
	58	+init_dbus_send_script(bluetooth_t)
	59	+
	60	optional_policy(`
	61	dbus_system_bus_client(bluetooth_t)
	62	dbus_connect_system_bus(bluetooth_t)
	63	--
	64	2.17.1
	65