Conversation

zpytela (Contributor) commented Oct 6, 2025

The commit addresses the following AVC denial example:

```
type=AVC msg=audit(16.11.2022 18:32:57.441:509) : avc:  denied  { read write } for  pid=762 comm=dbus-broker path=socket:[29888] dev="sockfs" ino=29888 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0 tclass=unix_stream_socket permissive=1
```

Resolves: #1458

pv commented Oct 6, 2025

1e7f353 does not fix it on Fedora 43 VM with copr installed:

```
$ sudo semanage dontaudit off
$ rpm -qa|grep selinux-policy
selinux-policy-42.12-1.20251006112610409316.pr2898.1.g1e7f35318.fc43.noarch
selinux-policy-targeted-42.12-1.20251006112610409316.pr2898.1.g1e7f35318.fc43.noarch
$ bluetoothctl power on
$ pw-link -i
Midi-Bridge:Midi Through Port-0 (playback)
bluez_midi.server:in
alsa_output.pci-0000_00_1b.0.analog-stereo:playback_FL
alsa_output.pci-0000_00_1b.0.analog-stereo:playback_FR
bluez_midi.74_7A_90_XX_XX_XX:in
$ pw-link "Midi-Bridge:Midi Through Port-0 (capture)" "bluez_midi.74_7A_90_XX_XX_XX:in"
```

In journalctl the following appears then (bluetoothd terminates):

```
loka 06 21:34:53 localhost-live audit[899]: AVC avc:  denied  { read write } for  pid=899 comm="dbus-broker" path="socket:[129676]" dev="sockfs" ino=129676 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0 tclass=unix_stream_socket permissive=0
loka 06 21:34:53 localhost-live bluetoothd[25126]: Terminating
loka 06 21:34:53 localhost-live bluetoothd[25126]: Disconnected from D-Bus. Exiting.
```

MIDI works with setenforce 0 or with this: https://gitlab.freedesktop.org/pipewire/pipewire/-/blob/master/spa/plugins/bluez5/README-MIDI.md

pv commented Oct 8, 2025

What seems to be missing here is `allow system_dbusd_t bluetooth_t:unix_stream_socket { read write };`. For `bluetooth_socket` this appears to come from:

```
allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
```

```
bluetooth_stream_connect(system_dbusd_t)
```

so maybe the `unix_stream_socket` allow should be added there (it probably doesn't need full `rw_socket_perms` for this).

The other needed rule `allow bluetooth_t unconfined_t:unix_stream_socket { read write };` appears to be added here.
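The rule named in the comment above is exactly what falls out of the two AVC records quoted in this thread (the audit.log form in the description and the journalctl form in the earlier comment). The script below is an added example, not code from this pull request or from the selinux-policy project: it parses both record formats, folds denials with the same source type, target type and object class into one `allow` rule the way audit2allow does, separates records that were actually blocked (`permissive=0`) from ones that were only logged, and shows which members of `rw_socket_perms` the denials never asked for. It generalizes beyond the page by handling any number of records. The `RW_SOCKET_PERMS` expansion is an assumption, written from memory of refpolicy's `obj_perm_sets.spt`; the three sample lines are constructed from the records on this page.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: the two AVC records quoted in this pull request
# (audit.log form and journalctl form) plus one non-AVC journal line.
SAMPLE_DENIALS = [
    'type=AVC msg=audit(16.11.2022 18:32:57.441:509) : avc:  denied  { read write } for  pid=762 comm=dbus-broker path=socket:[29888] dev="sockfs" ino=29888 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0 tclass=unix_stream_socket permissive=1',
    'loka 06 21:34:53 localhost-live audit[899]: AVC avc:  denied  { read write } for  pid=899 comm="dbus-broker" path="socket:[129676]" dev="sockfs" ino=129676 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0 tclass=unix_stream_socket permissive=0',
    "loka 06 21:34:53 localhost-live bluetoothd[25126]: Terminating",
]

# Assumption: refpolicy's rw_socket_perms expansion as recalled from
# obj_perm_sets.spt; verify against the policy tree you actually build.
RW_SOCKET_PERMS = frozenset(
    "ioctl read getattr write setattr append bind connect getopt setopt shutdown".split()
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"   # { read write }
    r".*?scontext=(?P<scontext>\S+)"                  # source context
    r"\s+tcontext=(?P<tcontext>\S+)"                  # target context
    r"\s+tclass=(?P<tclass>\S+)"                      # object class
    r"(?:\s+permissive=(?P<permissive>[01]))?"        # 1 = logged, not blocked
)


class Denial(NamedTuple):
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset
    permissive: Optional[bool]  # None when the record has no permissive= field


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit.log or journalctl line; None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    flag = m.group("permissive")
    return Denial(
        source_type=context_type(m.group("scontext")),
        target_type=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
        perms=frozenset(m.group("perms").split()),
        permissive=None if flag is None else flag == "1",
    )


def derive_allow_rules(lines):
    """Fold denials sharing (source, target, class) into one allow rule each."""
    wanted = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d.source_type, d.target_type, d.tclass)
        wanted[key] = wanted.get(key, frozenset()) | d.perms
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(wanted.items())
    ]


def enforced_denials(lines):
    """Records with permissive=0: the operation was really refused."""
    return [d for d in map(parse_avc, lines) if d is not None and d.permissive is False]


def excess_perms(lines, perm_set=RW_SOCKET_PERMS):
    """Permissions the macro would grant that no observed denial requested."""
    needed = frozenset().union(*(d.perms for d in map(parse_avc, lines) if d))
    return sorted(perm_set - needed)


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_DENIALS):
        print(rule)
    print("blocked in enforcing mode:", len(enforced_denials(SAMPLE_DENIALS)))
    print("in rw_socket_perms but never requested:", " ".join(excess_perms(SAMPLE_DENIALS)))
```

Run it as-is and it prints the single `allow system_dbusd_t bluetooth_t:unix_stream_socket { read write };` rule, reports that one of the two records was an enforcing-mode denial (the one that made bluetoothd exit), and lists the nine `rw_socket_perms` members the denials never needed, which supports the point that a narrower rule than the macro is enough here.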

Successfully merging this pull request may close these issues.

Bluetooth GATT API partially broken by the policy