Date: Tue, 14 May 2024 16:07:49 -0400
X-Mailing-List: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
To: Raghavender Reddy Bujala, selinux-refpolicy@vger.kernel.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com, quic_anubhavg@quicinc.com
References: <20240510055019.27778-1-quic_rbujala@quicinc.com>
From: Chris PeBenito
In-Reply-To: <20240510055019.27778-1-quic_rbujala@quicinc.com>

On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
> Resolve selinux permission for ofono:
>
> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.14" (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") interface="org.ofono.HandsfreeAudioManager" member="Register" error name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" label="system_u:system_r:initrc_t:s0-s15:c0.c1023")

It looks like we need a domain for ofonod. Your system has it running in the initrc_t domain, which is intended only for init scripts and the like. It's not intended to be used for long-running processes.
> Resolve these AVC denials for native HSP:
>
> avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { listen } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { accept } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { getopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { setopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { read } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { write } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Raghavender Reddy Bujala
> ---
> policy/modules/apps/pulseaudio.te | 4 ++++
> policy/modules/services/dbus.te | 1 +
> policy/modules/system/init.if | 18 ++++++++++++++++++
> 3 files changed, 23 insertions(+)
> > diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te > index 65b9a7428..a2ff85c8a 100644 > --- a/policy/modules/apps/pulseaudio.te > +++ b/policy/modules/apps/pulseaudio.te > @@ -318,3 +318,7 @@ optional_policy(` > optional_policy(` > unconfined_signull(pulseaudio_client) > ') > + > +init_dbus_chat_script(pulseaudio_t) > +init_bt_socket_manage(pulseaudio_t) > +allow pulseaudio_t self:bluetooth_socket { create accept bind getopt listen read setopt write }; > diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te > index 2d1d09d71..9e1288b77 100644 > --- a/policy/modules/services/dbus.te > +++ b/policy/modules/services/dbus.te > @@ -391,3 +391,4 @@ optional_policy(` > > allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg; > allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms; > +init_bt_socket_manage(system_dbusd_t) > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 4891301ad..3ae6bced3 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -3920,3 +3920,21 @@ interface(`init_search_keys',` > > allow $1 init_t:key search; > ') > + > +######################################## > +## > +## Read, Write and manage options for bluetooth socket > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > + > +interface(`init_bt_socket_manage',` > + gen_require(` > + type initrc_t; > + ') > + allow $1 initrc_t:bluetooth_socket { getopt read setopt write }; > +') -- Chris PeBenito
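Review bot: in the pulseaudio.te hunk, only the `allow pulseaudio_t self:bluetooth_socket { ... }` line is backed by the quoted denials; all eight AVCs have tcontext pulseaudio_t, none has initrc_t, so neither `init_dbus_chat_script(pulseaudio_t)` nor `init_bt_socket_manage(pulseaudio_t)` is justified by them. The D-Bus AccessDenied that motivates the dbus chat call is there only because ofonod is running in initrc_t, which the reply already identifies as the real problem: giving ofonod its own domain removes the need for both `init_*` calls, whereas as written they extend pulseaudio_t's reach to every init script and service that shares initrc_t. Two style points: the explicit permission list is a subset of refpolicy's `create_stream_socket_perms` set, which is the usual way to write a listening-socket rule, and self rules belong in the local policy section of the .te file next to the other `allow pulseaudio_t self:...` rules rather than appended after the trailing optional_policy blocks.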
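Review bot: the dbus.te hunk adds `init_bt_socket_manage(system_dbusd_t)` with no denial behind it: the commit message lists denials only for pulseaudio_t, and none of them involves system_dbusd_t or a bluetooth_socket labelled initrc_t. Unless there is an AVC showing the system bus daemon touching a Bluetooth socket, drop this line. If it is kept, it is also misplaced: the hunk appends it after the `allow dbusd_unconfined ...` rules at the end of the file, whereas rules for system_dbusd_t belong in that domain's own local policy section.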
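Review bot: the new `init_bt_socket_manage` interface in init.if targets `initrc_t:bluetooth_socket`, but the denials quoted in the commit message all have tcontext pulseaudio_t, so nothing shown here needs a caller to reach initrc_t sockets; the interface only makes sense because ofonod is running in initrc_t, and the right fix is a dedicated ofono domain rather than a new hook on initrc_t. The name is also misleading: in refpolicy naming `manage` implies create and delete, while this grants only `{ getopt read setopt write }`, which is a read/write interface. Two smaller points: refpolicy puts `interface(` directly after the closing `#` line of the doc comment with no blank line in between, and in the copy quoted here the doc block shows bare `##` lines around the summary and parameter text with no tag markup, so confirm the `<summary>` and `<param>` elements are present as in the neighbouring interfaces.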