Fixed
Assignee: Matt Ranostay
Reporter: Matt Ranostay
Created July 27, 2019 at 6:28 PM
Updated September 19, 2019 at 12:06 PM
Resolved August 1, 2019 at 7:09 PM
Jul 27 04:24:58 intel-corei7-64 audit[691]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User::App::agl-service-bluetooth-map" object="System" requested=r pid=691 comm="afbd-agl-servic" name="obex-clientZS7H5Z" dev="tmpfs" ino=267825
Jul 27 04:24:58 intel-corei7-64 audit[691]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f7dd401e5e0 a2=0 a3=0 items=0 ppid=1 pid=691 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="afbd-agl-servic" exe="/usr/bin/afb-daemon" subj=User::App::agl-service-bluetooth-map key=(null)
Jul 27 04:24:58 intel-corei7-64 kernel: audit: type=1400 audit(1564201498.613:10): lsm=SMACK fn=smack_inode_permission action=denied subject="User::App::agl-service-bluetooth-map" object="System" requested=r pid=691 comm="afbd-agl-servic" name="obex-clientZS7H5Z" dev="tmpfs" ino=267825
agl-service-bluetooth-pbap/map use obexd to get messages/phonebooks, which it saves in a temp file that the binding then processes. The issue is that obexd-created files have the System label, which services can't read.
So one possible solution is having another SMACK label like System::Obex, but obexd is currently run from a user systemd unit, which doesn't have CAP_MAC_ADMIN.
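A triage helper for denials like the one logged above, added here as an example and not part of the original report or of AGL's code: it parses journal-formatted audit lines and pairs each SMACK AVC denial with the SYSCALL record from the same pid. Pairing by pid and line order, the helper names, and the abridged SYSCALL sample line are assumptions of this example.

```python
import errno
import re

# Two records from the report above; the SYSCALL line is abridged to the fields used here.
SAMPLE = [
    'Jul 27 04:24:58 intel-corei7-64 audit[691]: AVC lsm=SMACK fn=smack_inode_permission '
    'action=denied subject="User::App::agl-service-bluetooth-map" object="System" '
    'requested=r pid=691 comm="afbd-agl-servic" name="obex-clientZS7H5Z" dev="tmpfs" ino=267825',
    'Jul 27 04:24:58 intel-corei7-64 audit[691]: SYSCALL arch=c000003e syscall=257 '
    'success=no exit=-13 pid=691 uid=1001 comm="afbd-agl-servic" exe="/usr/bin/afb-daemon" '
    'subj=User::App::agl-service-bluetooth-map',
]

RECORD = re.compile(r'audit\[\d+\]: (\w+) (.*)')   # journal form: audit[pid]: TYPE key=value ...
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # values may be quoted or bare
SMACK_MODES = {"r": "read", "w": "write", "x": "execute", "a": "append", "t": "transmute", "l": "lock"}
SYSCALLS = {("c000003e", "257"): "openat"}        # x86_64 only; extend per architecture

def parse(line):
    """Return (record_type, fields) for a journal-formatted audit line, else None."""
    m = RECORD.search(line)
    if not m:
        return None
    return m.group(1), {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}

def smack_denials(lines):
    """Pair each SMACK AVC denial with the next SYSCALL record from the same pid."""
    denials, pending = [], {}
    for kind, f in filter(None, map(parse, lines)):
        if kind == "AVC" and f.get("lsm") == "SMACK" and f.get("action") == "denied":
            d = {"subject": f["subject"], "object": f["object"], "file": f.get("name"),
                 "access": [SMACK_MODES.get(c, c) for c in f["requested"]]}
            denials.append(d)
            pending[f["pid"]] = d
        elif kind == "SYSCALL" and f.get("pid") in pending:
            d = pending.pop(f["pid"])
            d["syscall"] = SYSCALLS.get((f["arch"], f["syscall"]), f["syscall"])
            d["errno"] = errno.errorcode.get(-int(f["exit"]), f["exit"])
            d["exe"] = f.get("exe")
    return denials

if __name__ == "__main__":
    for denial in smack_denials(SAMPLE):
        print(denial)
```

For the sample, the result names the binding's label as subject, System as the object label, read as the refused access, and an openat call failing with EACCES.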