Received-SPF: pass (google.com: domain of selinux-refpolicy+bounces-15-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Message-ID: <ad876cc6-1aca-451b-a60c-4eb12a9856e4@ieee.org>
Date: Mon, 20 May 2024 10:53:55 -0400
Precedence: bulk
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
To: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>,
 selinux-refpolicy@vger.kernel.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com,
 quic_anubhavg@quicinc.com
References: <20240510055019.27778-1-quic_rbujala@quicinc.com>
 <f72fe764-0b76-43a7-940e-fdd8269fa8fe@ieee.org>
 <73450767-2bb9-4b49-9a47-5074a31f7190@quicinc.com>
 <c96cd6ea-eba5-4844-a2e0-ee2f69a2c46d@ieee.org>
 <b107e878-9339-41d1-b681-456f89c8269c@quicinc.com>
Content-Language: en-US
From: Chris PeBenito <pebenito@ieee.org>
In-Reply-To: <b107e878-9339-41d1-b681-456f89c8269c@quicinc.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

On 5/20/2024 3:10 AM, Raghavender Reddy Bujala wrote:
> 
> 
> On 5/17/2024 9:39 PM, Chris PeBenito wrote:
>> On 5/15/2024 11:52 PM, Raghavender Reddy Bujala wrote:
>>>
>>>
>>> On 5/15/2024 1:37 AM, Chris PeBenito wrote:
>>>> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
>>>>> Resolve selinux permission for ofono:
>>>>>
>>>>> [pulseaudio] backend-ofono.c: Failed to register as a handsfree 
>>>>> audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An 
>>>>> SELinux policy prevents this sender from sending this message to 
>>>>> this recipient, 0 matched rules; type="method_call", sender=":1.14" 
>>>>> (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no 
>>>>> -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") 
>>>>> interface="org.ofono.HandsfreeAudioManager" member="Register" error 
>>>>> name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 
>>>>> pid=942 comm="/usr/sbin/ofonod -n" 
>>>>> label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
>>>>
>>>> It looks like we need a domain for ofonod.  Your system has it 
>>>> running is in the initrc_t domain, which is intended only for init 
>>>> scripts and the like.  It's not intended to be used for long-running 
>>>> processes.
>>>>
>>>
>>> Thanks for suggestion.
>>> But we didn't found any particular domain for ofono and no sepolicy 
>>> files are available for this service.
>>> so, we have added these changes to make functionality work properly 
>>> with ofono.
>>>
>>> and we haven't observed any sepolicy issue on ubuntu and rpi os for 
>>> ofono. Because sepolicy is not enabled for these os.
>>> output of ps -eZ command on ubuntu machine is:
>>> LABEL                               PID TTY          TIME CMD
>>> unconfined                        11528 ?        00:00:00 ofono
>>>
>>> So, Is there any plan from upstream to add domain for ofono or add 
>>> sepolicies for this service.
>>>
>>> Please let us know, is there any alternative to way proceed further.
>>
>> I'm not aware of anyone creating an ofono domain for the SELinux 
>> policy.   Unfortunately your patch cannot be upstreamed in its current 
>> form, so it'll have to remain your local fix.  I'd expect an ofono 
>> domain to fix this access, since a telephony service would need audio 
>> output from pulseaudio or similar type service.
>>
>>
> Sure, will try to maintain it as local fix for ofono.
> could you please review other part of the patch which is "Resolve these 
> AVC denials for native HSP".

If you're referring to other hunks in this patch, the answer is the same 
as I've already given.  If you're referring to another email thread, I 
cannot find an email with that subject; please resend.


-- 
Chris PeBenito