Received: by 2002:a05:7208:13c3:b0:82:bbfa:f723 with SMTP id r3csp1147951rbe;
        Tue, 14 May 2024 13:08:00 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVHAv4XCYgCJSslf8X/lu+nO9Ktm1k6elhbODc/dCyrCC1x93alH3uTJ0E4BCwasmo575+HQy3CE3jRGgO7znHoeaeZDvGwrZDGCQ1xtw==
X-Google-Smtp-Source: AGHT+IHltXBFuSF46UXdO+ggQEG4tWyN36uFhSbupud+KTHWSXRpsfrdUG50pjOBM7q/yqFjJltg
X-Received: by 2002:a05:6214:5681:b0:69c:8709:1f6a with SMTP id 6a1803df08f44-6a16824bb4emr160402596d6.50.1715717280110;
        Tue, 14 May 2024 13:08:00 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715717280; cv=pass;
        d=google.com; s=arc-20160816;
        b=spXU9OrYtNNCVJE0uqsagX5hZP0M+A/7gigfRPYpYf5wp7l/7GPNoVfiZxpInbQRo6
         I1AA1IGOdJNe+1rA7bFzUO4ulKVcEezYx+vNgvUCwUKDANVBNWxKMgPq9nwEzjNWuyXa
         qjZs/sFXutPPpNa/iDVqWV+W5pXEfpWOM2WOvF/aTbFX81GUVu83vg2Rq3UMO3TCO9v4
         4B52qWypzvqn6eQPxif1kZPxIKcBoNyUtTUJQ156CA4TJMCyzSwNgOnN2fMOX70zLT75
         9+CilwLIrGOqY/6+TV12x6bqTlHvZfnucCOVlWrhZjkTtk8rYSYS7FFpztwr/dUBX9jR
         qK8A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:date:message-id:dkim-signature;
        bh=oh1zKPv4WEHeB5DPV3bqN+37yml547QEjXwHP5yVyxo=;
        fh=YQTT0gb1low55CVcvmTN9gn4wPnovETuH3L3tX8ewkk=;
        b=YKDeoxTgqYrWFO+dI78jQpoxrG3Y9Yx/jupi1Spuw4U3pp1s2f3MOZmiidg5VOM/2x
         Vb615OSCliBGiUD7/XzX8b+KV76cH2QMaG72FLa8EVgSnM8r2R9gaJR4fOe3oilfCCeA
         VgCq2KohHBuxkv6J99mXoqlGDq1qF7dGwZLtAF2zL6RGdrA2T7ekEBylXzU8kYAnoU+R
         iY2K+dBjvrgxF7PZgy2dURaD4Vkyjs2ZWq6Wo9N5lgW3khziZpmmnBUpQB8qnv1Q4Run
         lBHPv8tTrLkXjmK05SBUeeWNdKPKf9PXfT8BpUk60d5iZUaG/36EJnf/mmekUaPyVU39
         kURg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=abks7qdm;
       arc=pass (i=1 spf=pass spfdomain=ieee.org dkim=pass dkdomain=ieee.org dmarc=pass fromdomain=ieee.org);
       spf=pass (google.com: domain of selinux-refpolicy+bounces-8-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="selinux-refpolicy+bounces-8-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy+bounces-8-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id 6a1803df08f44-6a15f29a541si124567016d6.256.2024.05.14.13.07.59
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 14 May 2024 13:08:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy+bounces-8-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=abks7qdm;
       arc=pass (i=1 spf=pass spfdomain=ieee.org dkim=pass dkdomain=ieee.org dmarc=pass fromdomain=ieee.org);
       spf=pass (google.com: domain of selinux-refpolicy+bounces-8-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="selinux-refpolicy+bounces-8-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=ieee.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id C791A1C21A32
	for <linux.lists.archive@gmail.com>; Tue, 14 May 2024 20:07:59 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 7BCEB18131F;
	Tue, 14 May 2024 20:07:57 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="abks7qdm"
X-Original-To: selinux-refpolicy@vger.kernel.org
Received: from mail-qv1-f52.google.com (mail-qv1-f52.google.com [209.85.219.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75FEB2AF09
	for <selinux-refpolicy@vger.kernel.org>; Tue, 14 May 2024 20:07:54 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.52
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715717277; cv=none; b=YF8/4XaJIXmyEotGFuftoVrMEMbtgxQ3MPZ6JrrFgTOD+j8no033qK+/XfPHQuyRzWjs3tLAKUNNSm4LhiA84XciMWO5sbIdjqB3DYWUcZbyC87Awx24bksl/vESIi/LS/0RiD4yEvd/KJ5K2o1RN8NuivtkneLGE+pyLYEuX88=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715717277; c=relaxed/simple;
	bh=G905AEfTOx3KJrtj84Sa+532uUXXjtk1v/r3x6EPrWc=;
	h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From:
	 In-Reply-To:Content-Type; b=VgT7M1QRNHoSpZkSHfchYrz4gx0MEcNsGnOJrCFK/SIjGSoLQxqO2gGWM4e/sVb5YAE/qglTb4vdUSdbmplMxuJYxhsOEovYFjhJtzcYU5A5FtjDFN86PYeDdStPc0mF1FoYdVGmM0/xlzxnGsJSppYi2ZYbHmPoWK3Pmkn/CVY=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=ieee.org; spf=pass smtp.mailfrom=ieee.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b=abks7qdm; arc=none smtp.client-ip=209.85.219.52
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=ieee.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ieee.org
Received: by mail-qv1-f52.google.com with SMTP id 6a1803df08f44-6a073f10e8eso23161626d6.2
        for <selinux-refpolicy@vger.kernel.org>; Tue, 14 May 2024 13:07:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google; t=1715717273; x=1716322073; darn=vger.kernel.org;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:date:message-id
         :from:to:cc:subject:date:message-id:reply-to;
        bh=oh1zKPv4WEHeB5DPV3bqN+37yml547QEjXwHP5yVyxo=;
        b=abks7qdmXPRXgRJ8d8D/l6tXcodKOuHVazl/gX6d0MtCG5VWzSk43bEHCRcrbACR2q
         ZMuvY9uB71ACc9UIXwdkApI6JzyfN+aWuLMOgRvlslqm4Q8+N13HHmD9erlea1zqmb0z
         zz8+8BVlkZ+lTvrr5bG2xDpX0hnTysxIQcXNQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1715717273; x=1716322073;
        h=content-transfer-encoding:in-reply-to:from:content-language
         :references:cc:to:subject:user-agent:mime-version:date:message-id
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=oh1zKPv4WEHeB5DPV3bqN+37yml547QEjXwHP5yVyxo=;
        b=EsTj3jzbmMK+Meigf3d2PGdp93Qbb8NVjuDrqMYsYlMOHhE5UhqEUZ4V8/lUBlrm53
         SuhzB6zFHX5NKFPygPAee5tb1+YhOdoCru6ZeGZHo+33hRincdutq0O3xzot8ac79kbS
         RV8WyXSJ7AnPaNhz2FyltOcQUir+mymHMsKJr5iRozlMwwR0VlLBFX2iE4nalj/gYhZx
         nfSeFDEl3JRuPy9Reqn7R7f1sdmRokp20CLcveiQQ2AOV+8/gDvI1v/Aixibxj+ApSCN
         jQGRCW+Ygr38Cu/XhR/6XroZtDq7SQlrq2do4Ri05FPKjiENsCb5CxgW4vU9FygPA33m
         ZJXQ==
X-Forwarded-Encrypted: i=1; AJvYcCXmrJ5lGKDgrgo3jk6sRBL3jJwFEQT+FKT1AKDigDbvzfNuYjjRZCnYcGI8LlyIddHh8146bIyBmfKEEvUDKlXxroDFrrUf7KaimH0Xtwrtxtc=
X-Gm-Message-State: AOJu0YxQaXbLCAugQixtKgoTEKY3IvwfGNXHqq0EGZh4AnUt0OtFpLVI
	MXVrwZf+sZJbq9juM456LpNoE+AupaXtZKgpPXEugew204jp3UI+NuFv4h5LnA==
X-Received: by 2002:a05:6214:4288:b0:6a0:c79f:b5bb with SMTP id 6a1803df08f44-6a16817c457mr188759106d6.24.1715717273328;
        Tue, 14 May 2024 13:07:53 -0700 (PDT)
Received: from ?IPV6:2601:145:c200:2c70:edff:228d:f072:fe07? ([2601:145:c200:2c70:edff:228d:f072:fe07])
        by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6a15f194cddsm57131376d6.64.2024.05.14.13.07.52
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 14 May 2024 13:07:52 -0700 (PDT)
Message-ID: <f72fe764-0b76-43a7-940e-fdd8269fa8fe@ieee.org>
Date: Tue, 14 May 2024 16:07:49 -0400
Precedence: bulk
X-Mailing-List: selinux-refpolicy@vger.kernel.org
List-Id: <selinux-refpolicy.vger.kernel.org>
List-Subscribe: <mailto:selinux-refpolicy+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:selinux-refpolicy+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
To: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>,
 selinux-refpolicy@vger.kernel.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com,
 quic_anubhavg@quicinc.com
References: <20240510055019.27778-1-quic_rbujala@quicinc.com>
Content-Language: en-US
From: Chris PeBenito <pebenito@ieee.org>
In-Reply-To: <20240510055019.27778-1-quic_rbujala@quicinc.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
> Resolve selinux permission for ofono:
> 
> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.14" (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") interface="org.ofono.HandsfreeAudioManager" member="Register" error name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" label="system_u:system_r:initrc_t:s0-s15:c0.c1023")

It looks like we need a domain for ofonod.  Your system has it running 
is in the initrc_t domain, which is intended only for init scripts and 
the like.  It's not intended to be used for long-running processes.



> Resolve these AVC denials for native HSP:
> 
> avc:  denied  { create } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { bind } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { listen } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { accept } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { getopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { setopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { read } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { write } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> Signed-off-by: Raghavender Reddy Bujala<quic_rbujala@quicinc.com>
> ---
>   policy/modules/apps/pulseaudio.te |  4 ++++
>   policy/modules/services/dbus.te   |  1 +
>   policy/modules/system/init.if     | 18 ++++++++++++++++++
>   3 files changed, 23 insertions(+)
> 
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..a2ff85c8a 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -318,3 +318,7 @@ optional_policy(`
>   optional_policy(`
>   	unconfined_signull(pulseaudio_client)
>   ')
> +
> +init_dbus_chat_script(pulseaudio_t)
> +init_bt_socket_manage(pulseaudio_t)
> +allow pulseaudio_t self:bluetooth_socket { create accept bind getopt listen read setopt write };
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..9e1288b77 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -391,3 +391,4 @@ optional_policy(`
>   
>   allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
>   allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
> +init_bt_socket_manage(system_dbusd_t)
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 4891301ad..3ae6bced3 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3920,3 +3920,21 @@ interface(`init_search_keys',`
>   
>   	allow $1 init_t:key search;
>   ')
> +
> +########################################
> +## <summary>
> +##    Read, Write and manage options for bluetooth socket
> +## </summary>
> +## <param name="domain">
> +##    <summary>
> +##    Domain allowed access.
> +##    </summary>
> +## </param>
> +#
> +
> +interface(`init_bt_socket_manage',`
> +        gen_require(`
> +                type initrc_t;
> +        ')
> +        allow $1 initrc_t:bluetooth_socket { getopt read setopt write };
> +')

-- 
Chris PeBenito