Adding a permission in SELinux

First, the error:
type=1400 avc: denied { connectto } for pid=6884 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket permissive=0

The normal fix according to the rules:
allow untrusted_app bluetooth:unix_stream_socket connectto;

However, after making this change it still did not take effect. What?!

Later I found this rule:

mlsconstrain unix_stream_socket { connectto }
              (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

Because of this constraint, even though the allow rule above passes, this check fails, and the operation is still denied.
The three conditions under which this rule passes:
l1 eq l2 -- l1 = s0:c512,c768 and l2 = s0, so this clearly does not hold
t1 == mlstrustedsubject -- clearly does not hold
t2 == mlstrustedsubject -- clearly does not hold

To make this rule pass:
type bluetooth, domain, mlstrustedsubject;

Root cause analysis:
(PS: on 5.1 the last line above is not needed; on 6.0 it is needed)
5.1 : user=_app domain=untrusted_app type=app_data_file
6.0 : user=_app domain=untrusted_app type=app_data_file levelFrom=user

levelFrom=user causes the source level (Slevel) to change from s0 to s0:c512,c768.
5.1 does not have this setting, so the condition l1 eq l2 holds.

The levelFrom and level components if present will be used to determine
the level component of the security context as follows:
a) if levelFrom=none then use current level.
b) else if levelFrom=app then compute a category pair based on a
derived app id with a starting base of c512,c768 base.
c) else if levelFrom=user then compute a category pair based on a
derived user id with a starting base of c0,c256 base.
d) else if levelFrom=all then compute a category pair based on a
derived app id with a starting base of c512,c768 base, and also
compute another category pair based on a derived user id with a
starting base of c0,c256 base.
e) else if level has a value use this as the context level.
The overall objective is that the computed levels should never be the same for
different apps, users, or a combination of both. By encoding each ID as a
category pair, up to 2^16 app IDs and up to 2^16 user IDs within the 1024
categories can be represented, including the levelFrom=all or mixed
usage of levelFrom=app and levelFrom=user without concern.
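As an added illustration (not code from the original post or from AOSP), here is a small Python model of the two checks this denial goes through: the allow rule, and the mlsconstrain on unix_stream_socket connectto quoted above. It parses the AVC line from the post and shows that the allow rule alone still fails, that giving bluetooth the mlstrustedsubject attribute makes it pass, and that a 5.1-style plain s0 level passes on l1 eq l2. The rule tuples and the trusted-type set are constructed here; real evaluation happens in the kernel policy engine.

```python
import re

# Constructed copy of the AVC denial quoted above (not a live capture).
AVC_LINE = ("type=1400 avc: denied { connectto } for pid=6884 "
            "scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 "
            "tclass=unix_stream_socket permissive=0")

def parse_context(ctx):
    """Split 'user:role:type:level'; the level may itself contain ':'."""
    user, role, typ, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": typ,
            "level": (sens, frozenset(cats.split(",")) if cats else frozenset())}

def parse_avc(line):
    """Pull out the fields the allow rule and MLS constraint are checked against."""
    m = re.search(r"denied \{ (?P<perms>[^}]+)\} .*scontext=(?P<s>\S+) "
                  r"tcontext=(?P<t>\S+) tclass=(?P<c>\S+)", line)
    return {"perms": m.group("perms").split(), "tclass": m.group("c"),
            "scontext": parse_context(m.group("s")),
            "tcontext": parse_context(m.group("t"))}

def mls_constraint(s, t, mlstrustedsubject):
    """Model of:  mlsconstrain unix_stream_socket { connectto }
                    (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
    'mlstrustedsubject' is the set of types carrying that attribute (constructed).
    'l1 eq l2' means the same sensitivity AND the same category set."""
    if s["level"] == t["level"]:
        return True, "l1 eq l2"
    if s["type"] in mlstrustedsubject:
        return True, "t1 == mlstrustedsubject"
    if t["type"] in mlstrustedsubject:
        return True, "t2 == mlstrustedsubject"
    return False, "no condition satisfied"

def check(line, allow_rules, mlstrustedsubject):
    """Access is granted only if an allow rule exists AND the constraint passes.
    allow_rules holds (source type, target type, class, permission) tuples."""
    avc = parse_avc(line)
    s, t = avc["scontext"], avc["tcontext"]
    for perm in avc["perms"]:
        if (s["type"], t["type"], avc["tclass"], perm) not in allow_rules:
            return False, f"no allow rule for {perm}"
    return mls_constraint(s, t, mlstrustedsubject)

# The allow rule from the post, as a tuple.
ALLOW = {("untrusted_app", "bluetooth", "unix_stream_socket", "connectto")}
print(check(AVC_LINE, ALLOW, set()))           # allow rule only: still denied
print(check(AVC_LINE, ALLOW, {"bluetooth"}))   # bluetooth is mlstrustedsubject: passes
```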
