Sepolicy changes for bluez to access uhid

Resolve selinux premission for HID Below avc denials that are fixed with this patch - avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0 Signed-off-by: Amisha Jain <[email protected]>
SELinuxProject · Jun 5, 2024 · 7a33b4b · 7a33b4b
1 parent d53aa53
commit 7a33b4b
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
@@ -5858,3 +5858,21 @@ interface(`dev_unconfined',`
 
 	typeattribute $1 devices_unconfined_type;
 ')
+
+#####################
+## <summary>
+## Allow open/read/write uhid device
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed rw to uhid device
+##  to communicate with uhid input node
+##  </summary>
+## </param>
+#
+interface(`dev_rw_uhid',`
+        gen_require(`
+                type uhid_device_t;
+        ')
+        allow $1 uhid_device_t:chr_file rw_chr_file_perms ;
+')
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
@@ -104,6 +104,7 @@ dev_rw_generic_usb_dev(bluetooth_t)
 dev_read_urand(bluetooth_t)
 dev_rw_input_dev(bluetooth_t)
 dev_rw_wireless(bluetooth_t)
+dev_rw_uhid(bluetooth_t)
 
 domain_use_interactive_fds(bluetooth_t)
 domain_dontaudit_search_all_domains_state(bluetooth_t)