Date: Mon, 20 May 2024 10:53:55 -0400
X-Mailing-List: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
To: Raghavender Reddy Bujala, selinux-refpolicy@vger.kernel.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com, quic_anubhavg@quicinc.com
References: <20240510055019.27778-1-quic_rbujala@quicinc.com> <73450767-2bb9-4b49-9a47-5074a31f7190@quicinc.com>
From: Chris PeBenito

On 5/20/2024 3:10 AM, Raghavender Reddy Bujala wrote:
>
>
> On 5/17/2024 9:39 PM, Chris PeBenito wrote:
>> On 5/15/2024 11:52 PM, Raghavender Reddy Bujala wrote:
>>>
>>>
>>> On 5/15/2024 1:37 AM, Chris PeBenito wrote:
>>>> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
>>>>> Resolve selinux permission for ofono:
>>>>>
>>>>> [pulseaudio] backend-ofono.c: Failed to register as a handsfree
>>>>> audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An
>>>>> SELinux policy prevents this sender from sending this message to
>>>>> this recipient, 0 matched rules; type="method_call", sender=":1.14"
>>>>> (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no
>>>>> -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023")
>>>>> interface="org.ofono.HandsfreeAudioManager" member="Register" error
>>>>> name="(unset)" requested_reply="0" destination="org.ofono" (uid=0
>>>>> pid=942 comm="/usr/sbin/ofonod -n"
>>>>> label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
>>>>
>>>> It looks like we need a domain for ofonod. Your system has it
>>>> running in the initrc_t domain, which is intended only for init
>>>> scripts and the like. It's not intended to be used for long-running
>>>> processes.
>>>>
>>>
>>> Thanks for the suggestion.
>>> But we didn't find any particular domain for ofono and no sepolicy
>>> files are available for this service.
>>> So we have added these changes to make functionality work properly
>>> with ofono.
>>>
>>> And we haven't observed any sepolicy issue on ubuntu and rpi os for
>>> ofono, because sepolicy is not enabled for these os.
>>> Output of the ps -eZ command on an ubuntu machine is:
>>> LABEL                               PID TTY          TIME CMD
>>> unconfined                        11528 ?        00:00:00 ofono
>>>
>>> So, is there any plan from upstream to add a domain for ofono or add
>>> sepolicies for this service?
>>>
>>> Please let us know, is there any alternative way to proceed further.
>>
>> I'm not aware of anyone creating an ofono domain for the SELinux
>> policy. Unfortunately your patch cannot be upstreamed in its current
>> form, so it'll have to remain your local fix. I'd expect an ofono
>> domain to fix this access, since a telephony service would need audio
>> output from pulseaudio or similar type service.
>>
>>
> Sure, will try to maintain it as a local fix for ofono.
> Could you please review the other part of the patch, which is "Resolve these
> AVC denials for native HSP"?

If you're referring to other hunks in this patch, the answer is the same
as I've already given. If you're referring to another email thread, I
cannot find an email with that subject; please resend.

--
Chris PeBenito
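
The point made in the thread (the denial's destination, ofonod, runs in initrc_t rather than a domain of its own) can be read straight out of the D-Bus error text. The following is an added example, not part of the original messages or of refpolicy; the function names and the set of types treated as catch-all are assumptions of this example.

```python
import re

# D-Bus denial quoted in the thread, rejoined from the wrapped quote lines.
DENIAL = (
    'org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this '
    'sender from sending this message to this recipient, 0 matched rules; '
    'type="method_call", sender=":1.14" (uid=989 pid=1937 '
    'comm="/usr/bin/pulseaudio --system --daemonize=no -v" '
    'label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") '
    'interface="org.ofono.HandsfreeAudioManager" member="Register" error '
    'name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 '
    'pid=942 comm="/usr/sbin/ofonod -n" '
    'label="system_u:system_r:initrc_t:s0-s15:c0.c1023")'
)

# One peer: sender="..." (uid=N pid=N comm="..." label="...")
PEER = re.compile(
    r'(sender|destination)="([^"]*)"\s+\(uid=(\d+)\s+pid=(\d+)\s+'
    r'comm="([^"]*)"\s+label="([^"]*)"\)'
)

# Types treated as "no dedicated domain"; this set is the example's assumption.
CATCH_ALL_TYPES = {"initrc_t", "unconfined_t"}


def parse_denial(msg):
    """Extract both peers plus the interface and member of the denied call."""
    out = {}
    for role, name, uid, pid, comm, label in PEER.findall(msg):
        parts = label.split(":", 3)  # user:role:type:mls-range
        out[role] = {
            "bus_name": name, "uid": int(uid), "pid": int(pid), "comm": comm,
            # A non-SELinux label such as "unconfined" has no type field.
            "type": parts[2] if len(parts) >= 3 else None,
        }
    for key in ("interface", "member"):
        m = re.search(key + r'="([^"]*)"', msg)
        out[key] = m.group(1) if m else None
    return out


def catch_all_peers(parsed):
    """Return (role, comm, type) for peers running in a catch-all type."""
    hits = []
    for role in ("sender", "destination"):
        peer = parsed.get(role)
        if peer and peer["type"] in CATCH_ALL_TYPES:
            hits.append((role, peer["comm"], peer["type"]))
    return hits


if __name__ == "__main__":
    parsed = parse_denial(DENIAL)
    print("denied call:", parsed["interface"], parsed["member"])
    for role, comm, setype in catch_all_peers(parsed):
        print(f"{role} {comm!r} runs in {setype}: it needs its own domain")
```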