First, the error:
type=1400 avc: denied { connectto } for pid=6884 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket permissive=0
The normal fix according to the rule:
allow untrusted_app bluetooth:unix_stream_socket connectto;
However, after making the change it still had no effect. What?!
Later I found this rule:
mlsconstrain unix_stream_socket { connectto }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
Because of it, even though the allow rule above passes, this constraint fails, and the operation still cannot be performed.
The three conditions under which this rule passes:
1) l1 eq l2 -- l1 = s0:c512,c768 and l2 = s0, so clearly this does not hold.
2) t1 == mlstrustedsubject -- clearly does not hold.
3) t2 == mlstrustedsubject -- clearly does not hold.
To make it pass:
type bluetooth, domain, mlstrustedsubject;
Root cause analysis:
(PS: on 5.1 the trailing mlstrustedsubject attribute does not need to be added; on 6.0 it does)
5.1 : user=_app domain=untrusted_app type=app_data_file
6.0 : user=_app domain=untrusted_app type=app_data_file levelFrom=user
levelFrom=user causes the level to change from s0 to s0:c512,c768.
5.1 does not have this attribute, so the condition l1 eq l2 holds.
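As an added illustration (not code from the original post), the following Python models the decision described above: a connectto access needs both the allow rule and the mlsconstrain to pass, and the three situations (5.1, 6.0 without the fix, 6.0 with bluetooth in mlstrustedsubject) come out as the post describes. The contexts and rule sets are constructed from the denial message on this page.

```python
from typing import NamedTuple, Set, Tuple

Rule = Tuple[str, str, str, str]  # (source type, target type, class, permission)

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # "s0" or "s0:c512,c768"

def parse_context(ctx: str) -> Context:
    """Split 'user:role:type:level'; the level may itself contain ':',
    so split at most three times."""
    user, role, typ, level = ctx.split(":", 3)
    return Context(user, role, typ, level)

def mls_connectto_ok(src: Context, tgt: Context, mlstrustedsubject: Set[str]) -> bool:
    """The constraint from the page:
    mlsconstrain unix_stream_socket { connectto }
        (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
    l1/t1 are the source level/type, l2/t2 the target level/type."""
    return (src.level == tgt.level
            or src.type in mlstrustedsubject
            or tgt.type in mlstrustedsubject)

def connectto_allowed(scontext: str, tcontext: str, allow: Set[Rule],
                      mlstrustedsubject: Set[str]) -> bool:
    """Access needs both a matching allow rule and a satisfied constraint."""
    src, tgt = parse_context(scontext), parse_context(tcontext)
    te_ok = (src.type, tgt.type, "unix_stream_socket", "connectto") in allow
    return te_ok and mls_connectto_ok(src, tgt, mlstrustedsubject)

# The allow rule added first on the page (constructed policy fragment).
ALLOW: Set[Rule] = {("untrusted_app", "bluetooth", "unix_stream_socket", "connectto")}
BT = "u:r:bluetooth:s0"
APP_5_1 = "u:r:untrusted_app:s0"            # no levelFrom=user: level stays s0
APP_6_0 = "u:r:untrusted_app:s0:c512,c768"  # levelFrom=user: level from the denial

def scenarios() -> dict:
    """Outcome of the three situations the page walks through."""
    return {
        "5.1, allow only": connectto_allowed(APP_5_1, BT, ALLOW, set()),
        "6.0, allow only": connectto_allowed(APP_6_0, BT, ALLOW, set()),
        "6.0, allow + mlstrustedsubject": connectto_allowed(APP_6_0, BT, ALLOW, {"bluetooth"}),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```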
The levelFrom and level components if present will be used to determine
the level component of the security context as follows:
a) if levelFrom=none then use current level.
b) else if levelFrom=app then compute a category pair based on a
derived app id with a starting base of c512,c768 base.
c) else if levelFrom=user then compute a category pair based on a
derived user id with a starting base of c0,c256 base.
d) else if levelFrom=all then compute a category pair based on a
derived app id with a starting base of c512,c768 base, and also
compute another category pair based on a derived user id with a
starting base of c0,c256 base.
e) else if level has a value use this as the context level.
The overall objective is that the computed levels should never be the same for
different apps, users, or a combination of both. By encoding each ID as a
category pair, up to 2^16 app IDs and up to 2^16 user IDs within the 1024
categories can be represented, including the levelFrom=all or mixed
usage of levelFrom=app and levelFrom=user without concern.