From: Chris PeBenito <pebenito@ieee.org>
To: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>,
selinux-refpolicy@vger.kernel.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com,
quic_anubhavg@quicinc.com
Subject: Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
Date: Tue, 14 May 2024 16:07:49 -0400
Message-ID: <f72fe764-0b76-43a7-940e-fdd8269fa8fe@ieee.org>
In-Reply-To: <20240510055019.27778-1-quic_rbujala@quicinc.com>
On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
> Resolve selinux permission for ofono:
>
> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.14" (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") interface="org.ofono.HandsfreeAudioManager" member="Register" error name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
It looks like we need a domain for ofonod. Your system has it running
in the initrc_t domain, which is intended only for init scripts and
the like. It's not intended to be used for long-running processes.
> Resolve these AVC denials for native HSP:
>
> avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { listen } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { accept } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { getopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { setopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { read } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> avc: denied { write } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
>
> Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>
> ---
> policy/modules/apps/pulseaudio.te | 4 ++++
> policy/modules/services/dbus.te | 1 +
> policy/modules/system/init.if | 18 ++++++++++++++++++
> 3 files changed, 23 insertions(+)
>
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..a2ff85c8a 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -318,3 +318,7 @@ optional_policy(`
> optional_policy(`
> unconfined_signull(pulseaudio_client)
> ')
> +
> +init_dbus_chat_script(pulseaudio_t)
> +init_bt_socket_manage(pulseaudio_t)
> +allow pulseaudio_t self:bluetooth_socket { create accept bind getopt listen read setopt write };
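Review bot: the two init_* calls in this hunk widen what pulseaudio_t may do to initrc_t (D-Bus chat and bluetooth socket read/write) only because ofonod happens to be running in initrc_t, as the D-Bus denial in the commit message shows (destination label initrc_t); the durable fix is a dedicated ofono domain with its own interface, after which neither call is needed. The self:bluetooth_socket rule is the only part of the hunk the quoted AVCs actually justify, and its explicit permission list is exactly what the refpolicy permission set create_stream_socket_perms expands to, so `allow pulseaudio_t self:bluetooth_socket create_stream_socket_perms;` would be the idiomatic form. Placement is also off: a self rule belongs in the local policy section near the other self rules, not appended after the trailing optional_policy blocks.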
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..9e1288b77 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -391,3 +391,4 @@ optional_policy(`
>
> allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
> allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
> +init_bt_socket_manage(system_dbusd_t)
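Review bot: nothing in the commit message motivates this line; every quoted AVC has scontext pulseaudio_t, and none involves system_dbusd_t or a bluetooth_socket owned by initrc_t, so granting the system bus daemon read/write/getopt/setopt on initrc_t bluetooth sockets is an unexplained widening of a central domain. Either drop it or include the denial that requires it. It is also appended after the dbusd_unconfined rules at the end of the file rather than in the system_dbusd_t policy block where other interface calls for that domain live.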
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 4891301ad..3ae6bced3 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3920,3 +3920,21 @@ interface(`init_search_keys',`
>
> allow $1 init_t:key search;
> ')
> +
> +########################################
> +## <summary>
> +## Read, Write and manage options for bluetooth socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +
> +interface(`init_bt_socket_manage',`
> + gen_require(`
> + type initrc_t;
> + ')
> + allow $1 initrc_t:bluetooth_socket { getopt read setopt write };
> +')
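Review bot: this interface is named `init_bt_socket_manage` and its summary says "manage", but the rule grants only `{ getopt read setopt write }` on initrc_t bluetooth sockets, which is rw plus option access rather than manage_socket_perms; either rename it (init_rw_bt_sockets or similar) or adjust the summary so the name matches what it allows. More fundamentally, no AVC in the commit message has tcontext initrc_t and tclass bluetooth_socket, so there is no visible denial this interface fixes; it exists to paper over ofonod running in initrc_t, and an ofono_t domain with an ofono_rw_bt_sockets style interface would remove the need for an init_* interface entirely. Style: the blank line between the closing `#` of the XML comment block and `interface(` should be removed, and the `##` summary lines should be indented as in the surrounding interfaces so doc generation picks them up.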
--
Chris PeBenito
Thread overview:
2024-05-10 5:50 [PATCH v1] Need bluetooth socket permission for pulseaudio Raghavender Reddy Bujala
2024-05-14 20:07 ` Chris PeBenito [this message]
2024-05-16 3:52 ` Raghavender Reddy Bujala
2024-05-17 16:09 ` Chris PeBenito
2024-05-20 7:10 ` Raghavender Reddy Bujala
2024-05-20 14:53 ` Chris PeBenito