Bug 1586003
Summary: | BRLTTY needs additional allow rules in the Selinux policy to function properly. | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Lukáš Tyrychtr <ltyrycht> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 29 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pmoore, pvlcek |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | selinux-policy-3.14.2-34.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-09-12 02:57:31 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Lukáš Tyrychtr
2018-06-05 09:33:42 UTC
Excuse the typo in the description. And, the selinux-policy version was 3.14.1-30.

After starting the bluetooth and brltty services, the following SELinux denial appears in enforcing mode:

```
----
type=USER_AVC msg=audit(06/05/2018 12:07:49.155:215) : pid=580 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects dest=org.bluez spid=1349 tpid=1521 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
```

The following SELinux denials appear in permissive mode:

```
----
type=USER_AVC msg=audit(06/05/2018 12:17:09.857:340) : pid=580 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects dest=org.bluez spid=1659 tpid=1521 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/05/2018 12:17:09.858:341) : pid=580 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=1521 tpid=1659 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:brltty_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
```

I can't reproduce the dac_read_search / dac_override denials when the following packages are installed:

```
# rpm -qa selinux\* brl\* blue\* kernel\* | sort
bluez-5.49-3.fc28.x86_64
bluez-libs-5.49-3.fc28.x86_64
brlapi-0.6.7-12.fc28.x86_64
brltty-5.6-12.fc28.x86_64
kernel-4.16.12-300.fc28.x86_64
kernel-core-4.16.12-300.fc28.x86_64
kernel-headers-4.16.12-300.fc28.x86_64
kernel-modules-4.16.12-300.fc28.x86_64
selinux-policy-3.14.1-30.fc28.noarch
selinux-policy-devel-3.14.1-30.fc28.noarch
selinux-policy-doc-3.14.1-30.fc28.noarch
selinux-policy-minimum-3.14.1-30.fc28.noarch
selinux-policy-mls-3.14.1-30.fc28.noarch
selinux-policy-targeted-3.14.1-30.fc28.noarch
#
```

Strange, but the dac_override failures are the ones with the least importance for the actual functioning.

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.

selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
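Added example, not part of the original report and not code from selinux-policy: a small parser that turns the USER_AVC records quoted in this bug into the raw allow rules they imply, and shows which rule only became visible in permissive mode. The function names are hypothetical, the sample lines are trimmed copies of the records above, and the emitted rules are what the denials imply, not necessarily what selinux-policy-3.14.2-34.fc29 shipped.

```python
import re

# Constructed sample: the three USER_AVC records from this report, trimmed to
# the fields the parser uses (first one enforcing, the other two permissive).
SAMPLE = """\
type=USER_AVC msg=audit(06/05/2018 12:07:49.155:215) : pid=580 uid=dbus msg='avc: denied { send_msg } for msgtype=method_call dest=org.bluez spid=1349 tpid=1521 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon'
type=USER_AVC msg=audit(06/05/2018 12:17:09.857:340) : pid=580 uid=dbus msg='avc: denied { send_msg } for msgtype=method_call dest=org.bluez spid=1659 tpid=1521 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon'
type=USER_AVC msg=audit(06/05/2018 12:17:09.858:341) : pid=580 uid=dbus msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=1521 tpid=1659 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:brltty_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(text):
    """Extract source type, target type, class, perms and mode per AVC record."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "source": selinux_type(m["scon"]),
                "target": selinux_type(m["tcon"]),
                "tclass": m["tclass"],
                "perms": m["perms"].split(),
                "enforced": m["permissive"] == "0",  # access was really blocked
            })
    return denials

def allow_rules(denials):
    """Merge denials into de-duplicated allow rules, audit2allow style."""
    merged = {}
    for d in denials:
        merged.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

def permissive_only(denials):
    """Rules never seen while enforcing: hidden behind an earlier blocked access."""
    enforced = set(allow_rules([d for d in denials if d["enforced"]]))
    return [r for r in allow_rules(denials) if r not in enforced]
```

The reply-direction rule (bluetooth_t sending to brltty_t) only appears in the permissive run because in enforcing mode the initial method call is blocked and no reply is ever sent.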