Bug 1496249 - SELinux is preventing bluetoothd from 'shutdown' accesses on the socket Unknown.
Summary: SELinux is preventing bluetoothd from 'shutdown' accesses on the socket Unknown.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1bc26f874dc65a7905f6a9af73a...
Duplicates: 1494696 1494924 1494925 1494926 1494927 1494928 1494929 1494930 1494932 1494933 1494934 1494936 1494937 1494938 1494977 1496123 1496247 1496248
Depends On:
Blocks:
Reported: 2017-09-26 18:52 UTC by lonelywoolf
Modified: 2018-02-20 11:21 UTC (History)
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-20 11:21:02 UTC
Type: ---
Embargoed:

Description lonelywoolf 2017-09-26 18:52:27 UTC
Description of problem:
SELinux is preventing bluetoothd from 'shutdown' accesses on the socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bluetoothd should be allowed shutdown access on the Unknown socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bluetoothd' --raw | audit2allow -M my-bluetoothd
# semodule -X 300 -i my-bluetoothd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                Unknown [ socket ]
Source                        bluetoothd
Source Path                   bluetoothd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-288.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.14.0-0.rc1.git4.1.fc28.x86_64 #1
                              SMP Fri Sep 22 21:46:10 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-09-27 01:48:11 +07
Last Seen                     2017-09-27 01:48:11 +07
Local ID                      793dfbbd-a490-4d09-a5c0-b12e745754a5

Raw Audit Messages
type=AVC msg=audit(1506451691.24:132008): avc:  denied  { shutdown } for  pid=18103 comm="bluetoothd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=socket permissive=1


Hash: bluetoothd,init_t,init_t,socket,shutdown

Version-Release number of selected component:
selinux-policy-3.13.1-288.fc28.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.14.0-0.rc1.git4.1.fc28.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2017-09-27 11:06:17 UTC
*** Bug 1496248 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2017-09-27 11:06:24 UTC
*** Bug 1496247 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Vrabec 2017-09-27 11:06:58 UTC
*** Bug 1496123 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2017-09-27 11:45:12 UTC
*** Bug 1494924 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2017-09-27 11:45:18 UTC
*** Bug 1494925 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Vrabec 2017-09-27 11:45:25 UTC
*** Bug 1494926 has been marked as a duplicate of this bug. ***

Comment 7 Lukas Vrabec 2017-09-27 11:45:31 UTC
*** Bug 1494927 has been marked as a duplicate of this bug. ***

Comment 8 Lukas Vrabec 2017-09-27 11:45:42 UTC
*** Bug 1494928 has been marked as a duplicate of this bug. ***

Comment 9 Lukas Vrabec 2017-09-27 11:45:51 UTC
*** Bug 1494929 has been marked as a duplicate of this bug. ***

Comment 10 Lukas Vrabec 2017-09-27 11:45:57 UTC
*** Bug 1494930 has been marked as a duplicate of this bug. ***

Comment 11 Lukas Vrabec 2017-09-27 11:46:03 UTC
*** Bug 1494932 has been marked as a duplicate of this bug. ***

Comment 12 Lukas Vrabec 2017-09-27 11:46:08 UTC
*** Bug 1494933 has been marked as a duplicate of this bug. ***

Comment 13 Lukas Vrabec 2017-09-27 11:46:15 UTC
*** Bug 1494934 has been marked as a duplicate of this bug. ***

Comment 14 Lukas Vrabec 2017-09-27 11:46:22 UTC
*** Bug 1494936 has been marked as a duplicate of this bug. ***

Comment 15 Lukas Vrabec 2017-09-27 11:46:28 UTC
*** Bug 1494937 has been marked as a duplicate of this bug. ***

Comment 16 Lukas Vrabec 2017-09-27 11:50:51 UTC
*** Bug 1494938 has been marked as a duplicate of this bug. ***

Comment 17 Lukas Vrabec 2017-09-27 11:51:00 UTC
*** Bug 1494696 has been marked as a duplicate of this bug. ***

Comment 18 Lukas Vrabec 2017-09-27 11:51:09 UTC
*** Bug 1494977 has been marked as a duplicate of this bug. ***

Comment 19 Lukas Vrabec 2017-10-03 13:07:23 UTC
For some reason, the bluetoothd daemon runs as init_t instead of bluetooth_t. How did you start this daemon? 

Lukas.

Comment 20 Igor Gnatenko 2017-10-03 13:08:14 UTC
(In reply to Lukas Vrabec from comment #19)
> For some reason, the bluetoothd daemon runs as init_t instead of bluetooth_t. How
> did you start this daemon? 
> 
> Lukas.

It got started by systemd... Basically systemctl start bluetooth.service

Comment 21 Lukas Vrabec 2017-10-03 16:21:55 UTC
Yeah, 

I believe the bluetoothd service file has the new systemd security feature "NoNewPrivileges=true", which causes a broken SELinux transition. We have fixes for this in new rawhide. 
If you would like to use SELinux for bluetoothd, you need to remove this systemd feature from the service file.

Comment 22 Vít Ondruch 2017-10-09 13:36:56 UTC
Excuse my ignorance, but could you be please more specific about "We have fixes for this in new rawhide."? I have recent rawhide version of bluez and selinux-policy and I hit this issue. So what else should I have installed to get this fixed?

$ rpm -q bluez
bluez-5.47-3.fc28.x86_64

$ rpm -q selinux-policy
selinux-policy-3.13.1-294.fc28.noarch

Comment 23 Vít Ondruch 2017-10-11 18:51:14 UTC
Pretty please, how to fix this? I cannot use my BT mouse which is pretty annoying ...

Comment 24 Igor Gnatenko 2017-10-12 07:32:10 UTC
(In reply to Vít Ondruch from comment #23)
> Pretty please, how to fix this? I cannot use my BT mouse which is pretty
> annoying ...

# setenforce 0 =)

Comment 25 Lukas Vrabec 2017-10-16 15:20:52 UTC
Fix will be part of the next selinux-policy build for Rawhide. Moving to POST.

Comment 26 Vít Ondruch 2017-10-30 10:49:26 UTC
This is still not resolved:

$ rpm -q selinux-policy
selinux-policy-3.13.1-300.fc28.noarch

Comment 27 Lukas Vrabec 2017-10-31 09:36:04 UTC
Vit, 

Are you still able to reproduce it after restarting the bluetoothd service? 

What is output of:

# ls -Z /usr/libexec/bluetooth/bluetoothd 
# sesearch -A -s init_t -c process2 -t bluetooth_t

Thanks,
Lukas.

Comment 28 Vít Ondruch 2017-10-31 11:33:42 UTC
(In reply to Lukas Vrabec from comment #27)
> Are you still able to reproduce it after restarting the bluetoothd service? 

I even restarted the whole computer, but just FTR:

~~~
$ systemctl restart bluetooth.service 
Job for bluetooth.service failed because a fatal signal was delivered to the control process.
See "systemctl  status bluetooth.service" and "journalctl  -xe" for details.

$ LANG=C.UTF-8 systemctl status bluetooth.service
● bluetooth.service - Bluetooth service
   Loaded: loaded (/usr/lib/systemd/system/bluetooth.service; enabled; vendor preset: enabled)
   Active: failed (Result: signal) since Tue 2017-10-31 12:29:06 CET; 29s ago
     Docs: man:bluetoothd(8)
  Process: 2622 ExecStart=/usr/libexec/bluetooth/bluetoothd (code=killed, signal=SEGV)
 Main PID: 2622 (code=killed, signal=SEGV)

Oct 31 12:29:06 localhost.localdomain systemd[1]: Starting Bluetooth service...
Oct 31 12:29:06 localhost.localdomain systemd[1]: bluetooth.service: Main process exited, code=killed, status=11/SEGV
Oct 31 12:29:06 localhost.localdomain systemd[1]: bluetooth.service: Failed with result 'signal'.
Oct 31 12:29:06 localhost.localdomain systemd[1]: Failed to start Bluetooth service.

$ journalctl -xe

... snip ...

Oct 31 12:29:06 localhost.localdomain systemd[1]: Starting Bluetooth service...
-- Subject: Unit bluetooth.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit bluetooth.service has begun starting up.
Oct 31 12:29:06 localhost.localdomain audit[2622]: AVC avc:  denied  { mounton } for  pid=2622 comm="(uetoothd)" path="/var/lib/bluetooth" dev="dm-0" ino=1966239 scontext=system_u:system_r:init_t:s0 tcontext=sys
Oct 31 12:29:06 localhost.localdomain audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:bluetooth_t:s0
Oct 31 12:29:06 localhost.localdomain audit[2622]: AVC avc:  denied  { map } for  pid=2622 comm="bluetoothd" path="/usr/libexec/bluetooth/bluetoothd" dev="dm-0" ino=3015450 scontext=system_u:system_r:init_t:s0 t
Oct 31 12:29:06 localhost.localdomain audit[2622]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=2622 comm="bluetoothd" exe="/usr/libexec/bluetooth/bluetoothd" sig=11
Oct 31 12:29:06 localhost.localdomain systemd[1]: bluetooth.service: Main process exited, code=killed, status=11/SEGV
Oct 31 12:29:06 localhost.localdomain systemd[1]: bluetooth.service: Failed with result 'signal'.
Oct 31 12:29:06 localhost.localdomain systemd[1]: Failed to start Bluetooth service.
-- Subject: Unit bluetooth.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit bluetooth.service has failed.
-- 
-- The result is RESULT.
Oct 31 12:29:06 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=bluetooth comm="systemd" exe="/usr/lib/systemd/systemd" hostnam
Oct 31 12:29:06 localhost.localdomain polkitd[939]: Unregistered Authentication Agent for unix-process:2570:8900462 (system bus name :1.590, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C.
Oct 31 12:29:09 localhost.localdomain sealert[2043]: gtk_grid_attach: assertion '_gtk_widget_get_parent (child) == NULL' failed
Oct 31 12:29:09 localhost.localdomain setroubleshoot[1727]: SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth. For complete SELinux messages run: sealert -l 5216c914-46de-4
Oct 31 12:29:09 localhost.localdomain python3[1727]: SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth.
                                                     
                                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                                     
                                                     If if you believe that (uetoothd) should be allowed mounton access on the bluetooth directory by default.
                                                     Then you should report this as a bug.
                                                     You can generate a local policy module to allow this access.
                                                     Do
                                                     allow this access for now by executing:
                                                     # ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
                                                     # semodule -X 300 -i my-uetoothd.pp
                                                     
Oct 31 12:29:09 localhost.localdomain sealert[2043]: gtk_grid_attach: assertion '_gtk_widget_get_parent (child) == NULL' failed
Oct 31 12:29:09 localhost.localdomain setroubleshoot[1727]: SELinux is preventing bluetoothd from map access on the file /usr/libexec/bluetooth/bluetoothd. For complete SELinux messages run: sealert -l e06f57fa-
Oct 31 12:29:09 localhost.localdomain python3[1727]: SELinux is preventing bluetoothd from map access on the file /usr/libexec/bluetooth/bluetoothd.
                                                     
                                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                                     
                                                     If if you believe that bluetoothd should be allowed map access on the bluetoothd file by default.
                                                     Then you should report this as a bug.
                                                     You can generate a local policy module to allow this access.
                                                     Do
                                                     allow this access for now by executing:
                                                     # ausearch -c 'bluetoothd' --raw | audit2allow -M my-bluetoothd
                                                     # semodule -X 300 -i my-bluetoothd.pp
                                                     
Oct 31 12:29:09 localhost.localdomain sealert[2043]: gtk_grid_attach: assertion '_gtk_widget_get_parent (child) == NULL' failed
Oct 31 12:29:34 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=?
~~~


> What is output of:
> 
> # ls -Z /usr/libexec/bluetooth/bluetoothd

$ sudo ls -Z /usr/libexec/bluetooth/bluetoothd 
system_u:object_r:bluetooth_exec_t:s0 /usr/libexec/bluetooth/bluetoothd

> # sesearch -A -s init_t -c process2 -t bluetooth_t

$ sudo sesearch -A -s init_t -c process2 -t bluetooth_t
allow init_t bluetooth_t:process2 { nnp_transition nosuid_transition };

Comment 29 Lukas Vrabec 2017-10-31 11:58:49 UTC
Vit, 

I found the issue here. F27 has kernel version 4.13 and we need 4.14+. I need to ask whether 4.14 will be backported to Fedora 27 or whether we need to backport the patch.
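
Added example (not code from this bug or from the selinux-policy project): a small Python diagnostic that checks the three things this thread turns on: a daemon whose AVC denials show it stuck in init_t instead of its own domain (comments 19 and 21), a denied bounded (NoNewPrivileges) transition in the audit log, and whether the kernel is 4.14+ and the policy carries the nnp_transition rule from comments 28 and 29. The expected-domain map and the sample audit lines are constructed from the messages quoted above.

```python
import re

# Daemon -> SELinux domain it is expected to run in (constructed map; the
# bluetoothd/bluetooth_t pairing is the one this bug is about).
EXPECTED_DOMAIN = {"bluetoothd": "bluetooth_t"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
                    r'.*?scontext=(?P<scontext>\S+)')
BOUNDED_RE = re.compile(r'op=security_bounded_transition seresult=denied '
                        r'oldcontext=(?P<old>\S+) newcontext=(?P<new>\S+)')

def domain(ctx: str) -> str:
    """user:role:type:level -> type, i.e. the SELinux domain."""
    return ctx.split(":")[2]

def diagnose(log: str) -> list:
    """Flag a daemon stuck in the wrong domain and denied bounded (NoNewPrivileges)
    transitions. systemd's pre-exec child shows up as comm="(uetoothd)" in this
    bug's log; it is not the daemon yet and is deliberately not matched."""
    findings = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            comm, dom = m["comm"], domain(m["scontext"])
            want = EXPECTED_DOMAIN.get(comm)
            if want and dom != want:
                findings.append(f"{comm} runs as {dom}, expected {want}: no domain transition")
            continue
        m = BOUNDED_RE.search(line)
        if m:
            findings.append(f"bounded transition {domain(m['old'])} -> {domain(m['new'])} denied")
    return findings

def kernel_supports_nnp_transition(release: str) -> bool:
    """Comment 29 says 4.14+ is needed; a 4.14 rc counts, as comment 30 confirms."""
    major, minor = (int(x) for x in release.split(".")[:2])
    return (major, minor) >= (4, 14)

def policy_allows_nnp(sesearch_output: str, src: str = "init_t", dst: str = "bluetooth_t") -> bool:
    """True if sesearch shows 'allow src dst:process2 { ... nnp_transition ... };'."""
    m = re.search(rf"allow {src} {dst}:process2 (?:\{{([^}}]*)\}}|(\w+));", sesearch_output)
    return bool(m) and "nnp_transition" in (m.group(1) or m.group(2)).split()

# Constructed sample, modelled on the audit messages quoted in this bug.
SAMPLE_LOG = """\
type=AVC msg=audit(1506451691.24:132008): avc:  denied  { shutdown } for  pid=18103 comm="bluetoothd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=socket permissive=1
audit[2622]: AVC avc:  denied  { mounton } for  pid=2622 comm="(uetoothd)" path="/var/lib/bluetooth" scontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:bluetooth_t:s0
"""
```

Feed `diagnose()` the output of `ausearch -m AVC,SELINUX_ERR` and the other two checks the output of `uname -r` and the `sesearch` command from comment 27 to see which of the three conditions is the one blocking the transition.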

Comment 30 Vít Ondruch 2017-10-31 12:22:06 UTC
Trying latest kernel:

$ rpm -q kernel
kernel-4.13.9-300.fc27.x86_64
kernel-4.14.0-0.rc6.git0.1.fc28.x86_64

$ uname -a
Linux localhost.localdomain 4.14.0-0.rc6.git0.1.fc28.x86_64 #1 SMP Mon Oct 23 16:37:45 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This specific issue has gone it seems and BT service is up now. However there still remains this:

~~~
Oct 31 13:14:31 localhost.localdomain setroubleshoot[1409]: SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth. For complete SELinux messages run: sealert -l 5216c914-46de-4
Oct 31 13:14:31 localhost.localdomain python3[1409]: SELinux is preventing (uetoothd) from mounton access on the directory /var/lib/bluetooth.
                                                     
                                                     *****  Plugin catchall (100. confidence) suggests   **************************
                                                     
                                                     If if you believe that (uetoothd) should be allowed mounton access on the bluetooth directory by default.
                                                     Then you should report this as a bug.
                                                     You can generate a local policy module to allow this access.
                                                     Do
                                                     allow this access for now by executing:
                                                     # ausearch -c '(uetoothd)' --raw | audit2allow -M my-uetoothd
                                                     # semodule -X 300 -i my-uetoothd.pp
~~~

This appears to be bug #1502141
