Date: Fri, 17 May 2024 12:09:11 -0400
X-Mailing-List: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
To: Raghavender Reddy Bujala, selinux-refpolicy@vger.kernel.org, ofono@ofono.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com, quic_anubhavg@quicinc.com
References: <20240510055019.27778-1-quic_rbujala@quicinc.com> <73450767-2bb9-4b49-9a47-5074a31f7190@quicinc.com>
From: Chris PeBenito
In-Reply-To: <73450767-2bb9-4b49-9a47-5074a31f7190@quicinc.com>

On 5/15/2024 11:52 PM, Raghavender Reddy Bujala wrote:
>
>
> On 5/15/2024 1:37 AM, Chris PeBenito wrote:
>> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
>>> Resolve selinux permission for ofono:
>>>
>>> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio
>>> agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux
>>> policy prevents this sender from sending this message to this
>>> recipient, 0 matched rules; type="method_call", sender=":1.14"
>>> (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no
>>> -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023")
>>> interface="org.ofono.HandsfreeAudioManager" member="Register" error
>>> name="(unset)" requested_reply="0" destination="org.ofono" (uid=0
>>> pid=942 comm="/usr/sbin/ofonod -n"
>>> label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
>>
>> It looks like we need a domain for ofonod. Your system has it running
>> in the initrc_t domain, which is intended only for init scripts and
>> the like. It's not intended to be used for long-running processes.
>>
>
> Thanks for the suggestion.
> But we didn't find any particular domain for ofono and no sepolicy
> files are available for this service.
> So, we have added these changes to make functionality work properly with
> ofono.
>
> And we haven't observed any sepolicy issue on Ubuntu and RPi OS for
> ofono, because sepolicy is not enabled for these OSes.
> Output of the ps -eZ command on an Ubuntu machine is:
> LABEL                               PID TTY          TIME CMD
> unconfined                        11528 ?        00:00:00 ofono
>
> So, is there any plan from upstream to add a domain for ofono or add
> sepolicies for this service?
>
> Please let us know, is there any alternative way to proceed further.

I'm not aware of anyone creating an ofono domain for the SELinux policy. Unfortunately your patch cannot be upstreamed in its current form, so it'll have to remain your local fix.

I'd expect an ofono domain to fix this access, since a telephony service would need audio output from pulseaudio or similar type service.

-- 
Chris PeBenito
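As an added illustration (not part of the original message or of refpolicy), this Python example parses the SELinux contexts from the D-Bus denial quoted above and from `ps -eZ` output, and reports processes whose type is `initrc_t`, the domain the reply says is meant only for init scripts. The function names, the `INIT_ONLY_TYPES` set and the `ps -eZ` sample are assumptions made for the example; the denial text is abridged from the quoted log.

```python
import re

# Domains meant for init scripts only, per the reply above; extend as needed.
INIT_ONLY_TYPES = {"initrc_t"}
PEER_RE = re.compile(r'comm="([^"]*)"\s+label="([^"]*)"')

# Denial text abridged from the quoted pulseaudio log (line wraps removed).
DENIAL = (
    'sender=":1.14" (uid=989 pid=1937 '
    'comm="/usr/bin/pulseaudio --system --daemonize=no -v" '
    'label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") '
    'destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" '
    'label="system_u:system_r:initrc_t:s0-s15:c0.c1023")'
)

# Constructed `ps -eZ` sample: PIDs reuse those in the denial, plus the Ubuntu row.
SAMPLE_PS = """\
LABEL                                            PID TTY          TIME CMD
system_u:system_r:initrc_t:s0-s15:c0.c1023       942 ?        00:00:00 ofonod
system_u:system_r:pulseaudio_t:s0-s15:c0.c1023  1937 ?        00:00:01 pulseaudio
unconfined                                     11528 ?        00:00:00 ofono
"""

def parse_context(label):
    """Return the SELinux context fields, or None for labels like 'unconfined'."""
    # The MLS range may contain ':' (s0-s15:c0.c1023), so split at most 3 times.
    parts = label.split(":", 3)
    if len(parts) < 3:
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else ""}

def processes_in_init_domain(ps_output):
    """List (pid, cmd) for `ps -eZ` rows whose type is an init-only domain."""
    hits = []
    for line in ps_output.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[0] == "LABEL":
            continue
        ctx = parse_context(fields[0])
        if ctx and ctx["type"] in INIT_ONLY_TYPES:
            hits.append((int(fields[1]), fields[4]))
    return hits

def denial_peers(message):
    """Return (comm, type) for the sender and destination in a D-Bus denial."""
    found = [(c, parse_context(l)) for c, l in PEER_RE.findall(message)]
    return [(c, ctx["type"] if ctx else None) for c, ctx in found]
```

A short-lived init script can legitimately appear in `initrc_t`, so a hit is a prompt to check whether the process is a daemon that lacks its own domain.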