From 7a33b4bc872529612f44a4e6f648dbb84bae7b14 Mon Sep 17 00:00:00 2001
From: Amisha Jain
Date: Wed, 5 Jun 2024 16:53:26 +0530
Subject: [PATCH 1/3] Sepolicy changes for bluez to access uhid

Resolve selinux premission for HID
Below avc denials that are fixed with this patch -
avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Amisha Jain
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/services/bluetooth.te | 1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d8a5c97df..6e0a9499e 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5858,3 +5858,21 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
+
+#####################
+##
+##	Allow open/read/write uhid device
+##
+##
+##
+##	Domain allowed rw to uhid device
+##	to communicate with uhid input node
+##
+##
+#
+interface(`dev_rw_uhid',`
+	gen_require(`
+		type uhid_device_t;
+	')
+	allow $1 uhid_device_t:chr_file rw_chr_file_perms ;
+')
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index f23a979de..0cbff0714 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -104,6 +104,7 @@ dev_rw_generic_usb_dev(bluetooth_t)
 dev_read_urand(bluetooth_t)
 dev_rw_input_dev(bluetooth_t)
 dev_rw_wireless(bluetooth_t)
+dev_rw_uhid(bluetooth_t)
 domain_use_interactive_fds(bluetooth_t)
 domain_dontaudit_search_all_domains_state(bluetooth_t)
From 1cbe455a5e1c3ad5eab8ab8c7e16a1586062fcb4 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 5 Jun 2024 15:25:24 -0400
Subject: [PATCH 2/3] device: Move dev_rw_uhid definition.
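Review bot: The interface documentation added in the devices.if hunk describes the access only as "rw to uhid device" and does not say what that grants: uhid is the kernel's user-space HID bridge, so a domain given this interface can create virtual HID input devices and feed them reports, which is broader in effect than dev_rw_input_dev. Policy authors deciding whether to call dev_rw_uhid need that in the summary; something like `##	Read and write the uhid device, allowing the domain to create virtual HID input devices.` for the interface summary and the conventional `##	Domain allowed access.` for the parameter summary would make it clear. The stray space before `;` and the placement after dev_unconfined are changed by the later patches in this series, so I am not raising them here.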
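Review bot: `dev_rw_uhid(bluetooth_t)` in the bluetooth.te hunk lets bluetoothd create virtual HID devices through uhid, i.e. feed input events to the kernel, and neither the hunk nor the commit message says which bluez feature requires it, so the grant cannot be checked against the quoted avc line, which only shows `read write`. A short justification in the commit message (the HID profile bluetoothd backs with uhid) would make the scope reviewable; `rw_chr_file_perms` also covers open, getattr, ioctl, lock and append, which is the usual convention for a devices.if rw interface but is wider than the denial alone suggests. Minor: the surrounding dev_* calls look mostly alphabetical, so the new line probably belongs before `dev_rw_wireless(bluetooth_t)`.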
Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/devices.if | 37 ++++++++++++++++----------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 6e0a9499e..e401bd77b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4851,6 +4851,25 @@ interface(`dev_rw_tpm',`
 	rw_chr_files_pattern($1, device_t, tpm_device_t)
 ')
+#####################
+##
+##	Allow open/read/write uhid device
+##
+##
+##
+##	Domain allowed rw to uhid device
+##	to communicate with uhid input node
+##
+##
+#
+interface(`dev_rw_uhid',`
+	gen_require(`
+		type uhid_device_t;
+	')
+
+	allow $1 uhid_device_t:chr_file rw_chr_file_perms;
+')
+
 ########################################
 ##
 ## Read from pseudo random number generator devices (e.g., /dev/urandom).
@@ -5858,21 +5877,3 @@ interface(`dev_unconfined',`
 	typeattribute $1 devices_unconfined_type;
 ')
-
-#####################
-##
-##	Allow open/read/write uhid device
-##
-##
-##
-##	Domain allowed rw to uhid device
-##	to communicate with uhid input node
-##
-##
-#
-interface(`dev_rw_uhid',`
-	gen_require(`
-		type uhid_device_t;
-	')
-	allow $1 uhid_device_t:chr_file rw_chr_file_perms ;
-')
From 2102055d4d9f0db0dc0380650c6c6a42be8153ba Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 5 Jun 2024 15:26:56 -0400
Subject: [PATCH 3/3] devices: Change dev_rw_uhid() to use a policy pattern.

Signed-off-by: Chris PeBenito
---
 policy/modules/kernel/devices.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e401bd77b..aaa5807bb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4864,10 +4864,10 @@ interface(`dev_rw_tpm',`
 #
 interface(`dev_rw_uhid',`
 	gen_require(`
-		type uhid_device_t;
+		type device_t, uhid_device_t;
 	')
-	allow $1 uhid_device_t:chr_file rw_chr_file_perms;
+	rw_chr_files_pattern($1, device_t, uhid_device_t)
 ')
 ########################################