1586003 – BRLTTY needs additional allow rules in the Selinux policy to function properly.

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1586003 - BRLTTY needs additional allow rules in the Selinux policy to function properly.

Summary: BRLTTY needs additional allow rules in the Selinux policy to function properly.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	29
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-06-05 09:33 UTC by Lukáš Tyrychtr
Modified:	2018-09-12 02:57 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.14.2-34.fc29
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-09-12 02:57:31 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Lukáš Tyrychtr 2018-06-05 09:33:42 UTC

Description of problem:
When enabling the BRLTTY damenon to start after boot, a high number of Selinux denials basically floods the system log and makes the usability of the system at least questionable. In addition, it for some reason stops Orca from speaking on the login screen. Also, BRLTTY's Bluetooth support is not working.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run sudo systemctl enable brltty
2. Do a reboot.
3. Log in again and observe increased CPU usage and the flooded audit log, also, when Orca is enabled on the login screen, it does not speak in this case.

Actual results:
The audit log is flooded with messages like these (every of them repeats, an example of each category follows):
type=AVC msg=audit(1527847059.729:5038758): avc:  denied  { dac_override } for  pid=1174 comm="brltty" capability=1  scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:brltty_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1527847059.729:5038760): avc:  denied  { dac_read_search } for  pid=1174 comm="brltty" capability=2  scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:brltty_t:s0 tclass=capability permissive=0
type=USER_AVC msg=audit(1527848534.716:447): pid=1131 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects dest=org.bluez spid=1151 tpid=1130 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1527848539.734:452): pid=1131 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.153 spid=1130 tpid=1151 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:brltty_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1527847014.839:5038653): avc:  denied  { accept } for  pid=1174 comm="server-main" laddr=127.0.0.1 lport=4101 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:brltty_t:s0 tclass=tcp_socket permissive=0

Expected results:
There are no denials and BRLTTY works.

Additional info:
Applying the following local policy fixes the issues:

module brltty_additional 1.0;

require {
	type brltty_t;
	type bluetooth_t;
	class dbus send_msg;
		class tcp_socket accept;
		class capability { dac_override dac_read_search };
}
# Bluetooth communication.
allow brltty_t bluetooth_t:dbus send_msg;
allow bluetooth_t brltty_t:dbus send_msg;
# Fixes the bugs when brltty starts after boot.
allow brltty_t self:tcp_socket accept;
# And this stops the log flood completely.
allow brltty_t self:capability { dac_override dac_read_search };

Integrating the policy additions to the BRLTTY and Bluetooth policies should not be hard, i think.

Comment 1 Lukáš Tyrychtr 2018-06-05 09:45:18 UTC

Excuse the typo in the description. And, the selinux-policy version was 3.14.1-30.

Comment 2 Milos Malik 2018-06-05 10:18:29 UTC

After starting bluetooth and brltty services following SELinux denial appears in enforcing mode:
----
type=USER_AVC msg=audit(06/05/2018 12:07:49.155:215) : pid=580 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects dest=org.bluez spid=1349 tpid=1521 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----

Following SELinux denials appear in permissive mode:
----
type=USER_AVC msg=audit(06/05/2018 12:17:09.857:340) : pid=580 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects dest=org.bluez spid=1659 tpid=1521 scontext=system_u:system_r:brltty_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(06/05/2018 12:17:09.858:341) : pid=580 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.19 spid=1521 tpid=1659 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:system_r:brltty_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----

Comment 3 Milos Malik 2018-06-05 10:21:17 UTC

I can't reproduce the dac_read_search / dac_override denials when following packages are installed:

# rpm -qa selinux\* brl\* blue\* kernel\* | sort
bluez-5.49-3.fc28.x86_64
bluez-libs-5.49-3.fc28.x86_64
brlapi-0.6.7-12.fc28.x86_64
brltty-5.6-12.fc28.x86_64
kernel-4.16.12-300.fc28.x86_64
kernel-core-4.16.12-300.fc28.x86_64
kernel-headers-4.16.12-300.fc28.x86_64
kernel-modules-4.16.12-300.fc28.x86_64
selinux-policy-3.14.1-30.fc28.noarch
selinux-policy-devel-3.14.1-30.fc28.noarch
selinux-policy-doc-3.14.1-30.fc28.noarch
selinux-policy-minimum-3.14.1-30.fc28.noarch
selinux-policy-mls-3.14.1-30.fc28.noarch
selinux-policy-targeted-3.14.1-30.fc28.noarch
#

Comment 4 Lukáš Tyrychtr 2018-06-05 12:09:09 UTC

Strange, but the dac_ovveride failures are the ones with least importance on the actual functioning.

Comment 5 Jan Kurik 2018-08-14 11:21:32 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 6 Fedora Update System 2018-09-11 12:51:10 UTC

selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

Comment 7 Fedora Update System 2018-09-12 02:57:31 UTC

selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.