Message-ID: <73450767-2bb9-4b49-9a47-5074a31f7190@quicinc.com>
Date: Thu, 16 May 2024 09:22:08 +0530
X-Mailing-List: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
To: Chris PeBenito
References: <20240510055019.27778-1-quic_rbujala@quicinc.com>
From: Raghavender Reddy Bujala

On 5/15/2024 1:37 AM, Chris PeBenito wrote:
> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
>> Resolve selinux permission for ofono:
>>
>> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio
>> agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux
>> policy prevents this sender from sending this message to this
>> recipient, 0 matched rules; type="method_call", sender=":1.14"
>> (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no
>> -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023")
>> interface="org.ofono.HandsfreeAudioManager" member="Register" error
>> name="(unset)" requested_reply="0" destination="org.ofono" (uid=0
>> pid=942 comm="/usr/sbin/ofonod -n"
>> label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
>
> It looks like we need a domain for ofonod.  Your system has it running
> in the initrc_t domain, which is intended only for init scripts and
> the like.  It's not intended to be used for long-running processes.
>
Thanks for the suggestion. But we didn't find any particular domain for ofono, and no sepolicy files are available for this service. So, we have added these changes to make the functionality work properly with ofono. And we haven't observed any sepolicy issue on Ubuntu and RPi OS for ofono, because sepolicy is not enabled for these OSes.

The output of the ps -eZ command on the Ubuntu machine is:

LABEL PID TTY TIME CMD
unconfined 11528 ? 00:00:00 ofono

So, is there any plan from upstream to add a domain for ofono or add sepolicies for this service? Please let us know if there is any alternative way to proceed further.

>
>> Resolve these AVC denials for native HSP:
>>
>> avc:  denied  { create } for  pid=1271 comm="pulseaudio"
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { bind } for  pid=1271 comm="pulseaudio"
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { listen } for  pid=1271 comm="pulseaudio"
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { accept } for  pid=1271 comm="pulseaudio"
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { getopt } for  pid=1271 comm="bluetooth"
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { setopt } for  pid=1271 comm="bluetooth"
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { read
} for  pid=1271 comm="bluetooth" >> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 >> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 >> tclass=bluetooth_socket permissive=1 >> >> avc:  denied  { write } for  pid=1271 comm="bluetooth" >> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 >> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 >> tclass=bluetooth_socket permissive=1 >> >> Signed-off-by: Raghavender Reddy Bujala >> --- >>   policy/modules/apps/pulseaudio.te |  4 ++++ >>   policy/modules/services/dbus.te   |  1 + >>   policy/modules/system/init.if     | 18 ++++++++++++++++++ >>   3 files changed, 23 insertions(+) >> >> diff --git a/policy/modules/apps/pulseaudio.te >> b/policy/modules/apps/pulseaudio.te >> index 65b9a7428..a2ff85c8a 100644 >> --- a/policy/modules/apps/pulseaudio.te >> +++ b/policy/modules/apps/pulseaudio.te >> @@ -318,3 +318,7 @@ optional_policy(` >>   optional_policy(` >>       unconfined_signull(pulseaudio_client) >>   ') >> + >> +init_dbus_chat_script(pulseaudio_t) >> +init_bt_socket_manage(pulseaudio_t) >> +allow pulseaudio_t self:bluetooth_socket { create accept bind getopt >> listen read setopt write }; >> diff --git a/policy/modules/services/dbus.te >> b/policy/modules/services/dbus.te >> index 2d1d09d71..9e1288b77 100644 >> --- a/policy/modules/services/dbus.te >> +++ b/policy/modules/services/dbus.te >> @@ -391,3 +391,4 @@ optional_policy(` >>   allow dbusd_unconfined { dbusd_session_bus_client >> dbusd_system_bus_client }:dbus send_msg; >>   allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus >> all_dbus_perms; >> +init_bt_socket_manage(system_dbusd_t) >> diff --git a/policy/modules/system/init.if >> b/policy/modules/system/init.if >> index 4891301ad..3ae6bced3 100644 >> --- a/policy/modules/system/init.if >> +++ b/policy/modules/system/init.if 
>> @@ -3920,3 +3920,21 @@ interface(`init_search_keys',` >>       allow $1 init_t:key search; >>   ') >> + >> +######################################## >> +## >> +##    Read, Write and manage options for bluetooth socket >> +## >> +## >> +##    >> +##    Domain allowed access. >> +##    >> +## >> +# >> + >> +interface(`init_bt_socket_manage',` >> +        gen_require(` >> +                type initrc_t; >> +        ') >> +        allow $1 initrc_t:bluetooth_socket { getopt read setopt write }; >> +') > -- Raghavender Reddy Bujala
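Review bot: the three lines appended after the last `optional_policy` block in pulseaudio.te all build on the mislabeling already pointed out in this thread. `init_dbus_chat_script(pulseaudio_t)` and `init_bt_socket_manage(pulseaudio_t)` grant pulseaudio_t D-Bus and bluetooth-socket access to initrc_t as a whole, which covers every init script and every other daemon that never got its own domain, not just ofonod; once ofonod has a domain these two calls should be replaced by an `ofono_dbus_chat(pulseaudio_t)`-style interface inside an `optional_policy` block, not kept alongside it. Only `allow pulseaudio_t self:bluetooth_socket { create accept bind getopt listen read setopt write };` stands on its own, and it belongs in the domain's local policy section above the optional_policy blocks; consider spelling the permissions with one of refpolicy's socket permission sets (e.g. `create_stream_socket_perms`) rather than a hand-listed set.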
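Review bot: `init_bt_socket_manage(system_dbusd_t)` in dbus.te needs a justification; the commit message only shows denials for pulseaudio, never for dbus-daemon. If the reason is that ofonod hands the HFP audio socket to pulseaudio as a file descriptor over the bus, so that dbus-daemon briefly holds the descriptor, then receiving it triggers the read/write checks on the socket, and getopt/setopt should not be handed to the bus daemon; in that case also confirm that the matching `fd use` permission against the sending domain is already covered, since this patch does not add it. As with the pulseaudio hunk, the rule targets initrc_t and should target an ofono domain instead.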
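Review bot: the new `init_bt_socket_manage` interface should not live in init.if: its body, `allow $1 initrc_t:bluetooth_socket { getopt read setopt write };`, hardcodes that ofonod runs in initrc_t, which the maintainer reply above identifies as the thing to fix. The socket should be owned by a type from an ofono module (policy/modules/services/ofono.{te,if,fc}), and the interface named for what it grants: getopt/setopt/read/write is a read-write interface, whereas "manage" in refpolicy naming implies create and delete rights. Two smaller points as posted: there is a stray blank line between the trailing `#` of the doc comment and `interface(`init_bt_socket_manage',`, which refpolicy's interface documentation tooling does not expect, and the summary should describe the access in the same voice as the neighbouring interfaces (e.g. "Read and write bluetooth sockets and get/set their options").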
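To make the suggested alternative concrete, here is a sketch of a dedicated ofono module in refpolicy style. It is an added illustration, not part of this patch or of refpolicy; the ofono_t/ofono_exec_t/ofono_var_lib_t type names, the two interface names and the /var/lib/ofono path are assumptions, and the rule set is only a starting point derived from the denials quoted in this thread.

```selinux
# --- ofono.fc (/usr/sbin/ofonod is the path from the denial; /var/lib/ofono is assumed) ---
/usr/sbin/ofonod	--	gen_context(system_u:object_r:ofono_exec_t,s0)
/var/lib/ofono(/.*)?		gen_context(system_u:object_r:ofono_var_lib_t,s0)

# --- ofono.te ---
policy_module(ofono, 1.0.0)

type ofono_t;
type ofono_exec_t;
init_daemon_domain(ofono_t, ofono_exec_t)   # init starts it, so it leaves initrc_t at exec

type ofono_var_lib_t;
files_type(ofono_var_lib_t)

# ofonod creates the HFP audio sockets it later hands to pulseaudio
allow ofono_t self:bluetooth_socket create_stream_socket_perms;

manage_dirs_pattern(ofono_t, ofono_var_lib_t, ofono_var_lib_t)
manage_files_pattern(ofono_t, ofono_var_lib_t, ofono_var_lib_t)
files_var_lib_filetrans(ofono_t, ofono_var_lib_t, dir)

kernel_read_system_state(ofono_t)
logging_send_syslog_msg(ofono_t)
miscfiles_read_localization(ofono_t)

optional_policy(`
	dbus_system_bus_client(ofono_t)   # owns org.ofono on the system bus
	dbus_connect_system_bus(ofono_t)
')

# --- ofono.if: what other domains (pulseaudio_t, system_dbusd_t) may do to ofono_t ---
## <summary>Send and receive messages from ofono over dbus.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`ofono_dbus_chat',`
	gen_require(`
		type ofono_t;
		class dbus send_msg;
	')

	allow $1 ofono_t:dbus send_msg;
	allow ofono_t $1:dbus send_msg;
')

## <summary>Read, write and get/set options on bluetooth sockets owned by ofono.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`ofono_rw_bluetooth_sockets',`
	gen_require(`
		type ofono_t;
	')

	allow $1 ofono_t:bluetooth_socket { getopt read setopt write };
')
```

With this in place, pulseaudio.te calls ofono_dbus_chat(pulseaudio_t) and ofono_rw_bluetooth_sockets(pulseaudio_t) inside an optional_policy block instead of the two init_* interfaces, and dbus.te gets ofono_rw_bluetooth_sockets(system_dbusd_t) only if the socket really is relayed through the bus.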