author | 2024-06-05 16:53:26 +0530 | |
---|---|---|
committer | 2024-09-21 15:07:14 -0700 | |
commit | c53869fbfa4cbf66ef8d96bbbcbeb013f76ef734 (patch) | |
tree | 7c564bdf187b47c837ce90895802e5cae3196bed /policy | |
parent | selinuxutil: make policykit optional (diff) | |
Sepolicy changes for bluez to access uhid
Resolve selinux permission for HID
Below are the avc denials that are fixed with this patch -
avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Amisha Jain <quic_amisjain@quicinc.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/kernel/devices.if | 18 | ||||
-rw-r--r-- | policy/modules/services/bluetooth.te | 1 |
2 files changed, 19 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index c7af194b..b5a9109f 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -5859,6 +5859,24 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') +##################### +## <summary> +## Allow open/read/write uhid device +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed rw to uhid device +## to communicate with uhid input node +## </summary> +## </param> +# +interface(`dev_rw_uhid',` + gen_require(` + type uhid_device_t; + ') + allow $1 uhid_device_t:chr_file rw_chr_file_perms ; +') + # We cannot use ifdef distro_gentoo for interfaces ######################################## diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te index 14773722..2a3d7b6d 100644 --- a/policy/modules/services/bluetooth.te +++ b/policy/modules/services/bluetooth.te @@ -105,6 +105,7 @@ dev_rw_generic_usb_dev(bluetooth_t) dev_read_urand(bluetooth_t) dev_rw_input_dev(bluetooth_t) dev_rw_wireless(bluetooth_t) +dev_rw_uhid(bluetooth_t) domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) |
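Review bot: in the devices.if hunk, dev_rw_uhid grants access with a bare `allow $1 uhid_device_t:chr_file rw_chr_file_perms ;`, which covers the device node itself but not the directory search needed to reach it, so the interface only works for callers that already get that from another interface. Consider `rw_chr_files_pattern($1, device_t, uhid_device_t)` with `type device_t, uhid_device_t;` in the gen_require block, so the interface is self-contained. Two style points in the same hunk: there is a stray space before the `;` in the allow rule, and the `#####################` header line is shorter than the `########################################` separator visible a few lines below it. The summary text could also say plainly "Read and write the uhid device." since rw_chr_file_perms is what is granted.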
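Review bot: in the bluetooth.te hunk, `dev_rw_uhid(bluetooth_t)` is appended after `dev_rw_wireless(bluetooth_t)`; placing it between `dev_rw_input_dev(bluetooth_t)` and `dev_rw_wireless(bluetooth_t)` would keep the dev_rw_* calls in order. The grant is unconditional for every bluetooth_t process, while the commit message documents a single `{ read write }` denial from bluetoothd on uhid_device_t, so it would help to state in the commit message which bluetoothd feature needs the uhid node, so that the wider write access to an input-creating device is justified in the history.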