From: Chris PeBenito <pebenito@ieee.org>
To: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>,
	selinux-refpolicy@vger.kernel.org
Cc: quic_mohamull@quicinc.com, quic_hbandi@quicinc.com,
	quic_anubhavg@quicinc.com
Subject: Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
Date: Tue, 14 May 2024 16:07:49 -0400
Message-ID: <f72fe764-0b76-43a7-940e-fdd8269fa8fe@ieee.org>
In-Reply-To: <20240510055019.27778-1-quic_rbujala@quicinc.com>

On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
> Resolve selinux permission for ofono:
> 
> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.14" (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") interface="org.ofono.HandsfreeAudioManager" member="Register" error name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" label="system_u:system_r:initrc_t:s0-s15:c0.c1023")

It looks like we need a domain for ofonod.  Your system has it running
in the initrc_t domain, which is intended only for init scripts and
the like.  It's not intended to be used for long-running processes.



> Resolve these AVC denials for native HSP:
> 
> avc:  denied  { create } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { bind } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { listen } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { accept } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { getopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { setopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { read } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { write } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> Signed-off-by: Raghavender Reddy Bujala<quic_rbujala@quicinc.com>
> ---
>   policy/modules/apps/pulseaudio.te |  4 ++++
>   policy/modules/services/dbus.te   |  1 +
>   policy/modules/system/init.if     | 18 ++++++++++++++++++
>   3 files changed, 23 insertions(+)
> 
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..a2ff85c8a 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -318,3 +318,7 @@ optional_policy(`
>   optional_policy(`
>   	unconfined_signull(pulseaudio_client)
>   ')
> +
> +init_dbus_chat_script(pulseaudio_t)
> +init_bt_socket_manage(pulseaudio_t)
> +allow pulseaudio_t self:bluetooth_socket { create accept bind getopt listen read setopt write };
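Review bot: the two interface calls in this hunk are not supported by the quoted denials and only work because ofonod is (wrongly) running in initrc_t. Every AVC in the commit message has tcontext=pulseaudio_t, so `init_bt_socket_manage(pulseaudio_t)` grants access to initrc_t's bluetooth sockets that nothing shown asks for, and `init_dbus_chat_script(pulseaudio_t)` papers over the missing ofono domain. Suggest keeping only the self rule, written with the refpolicy permission set (`allow pulseaudio_t self:bluetooth_socket create_stream_socket_perms;`, which covers create, bind, listen, accept, getopt, setopt, read and write) and placed with the other `allow pulseaudio_t self:` rules rather than appended after the pulseaudio_client optional_policy block at the end of the file.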
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..9e1288b77 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -391,3 +391,4 @@ optional_policy(`
>   
>   allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
>   allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
> +init_bt_socket_manage(system_dbusd_t)
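Review bot: `init_bt_socket_manage(system_dbusd_t)` has no supporting denial anywhere in the commit message (all quoted AVCs are for pulseaudio_t), and it is appended below rules that belong to `dbusd_unconfined`, not system_dbusd_t, so it reads as an unrelated change. Either drop it or add the AVC showing the system bus operating on initrc_t's bluetooth sockets to the commit message.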
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 4891301ad..3ae6bced3 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3920,3 +3920,21 @@ interface(`init_search_keys',`
>   
>   	allow $1 init_t:key search;
>   ')
> +
> +########################################
> +## <summary>
> +##    Read, Write and manage options for bluetooth socket
> +## </summary>
> +## <param name="domain">
> +##    <summary>
> +##    Domain allowed access.
> +##    </summary>
> +## </param>
> +#
> +
> +interface(`init_bt_socket_manage',`
> +        gen_require(`
> +                type initrc_t;
> +        ')
> +        allow $1 initrc_t:bluetooth_socket { getopt read setopt write };
> +')
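Review bot: the summary says "Read, Write and manage" but the body only grants `{ getopt read setopt write }` on initrc_t bluetooth sockets, and initrc_t is the wrong target in any case: the socket belongs to ofonod, which should get its own domain and module (with the socket interface living there) instead of growing init.if. If it stays, two style nits: the blank line between the `#` line and `interface(` is not used elsewhere in init.if (compare `init_search_keys` just above), and the body is indented with spaces where refpolicy uses tabs (see the `allow $1 init_t:key search;` context line).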

-- 
Chris PeBenito
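To make the suggested fix concrete, here is a sketch of a dedicated ofonod domain; it is added here and is not from this thread or from refpolicy. The module name, the type names ofono_t/ofono_exec_t and the `ofono_dbus_chat` interface are assumptions; the rules are only what the quoted D-Bus denial and ofonod's own socket use imply, not a complete policy, and `/usr/sbin/ofonod` is the path from the denial.

```selinux
# --- policy/modules/services/ofono.te (sketch, assumed names) ---
policy_module(ofono, 1.0.0)

# Declarations: a daemon domain entered from init via its executable type
type ofono_t;
type ofono_exec_t;
init_daemon_domain(ofono_t, ofono_exec_t)

# Local policy
allow ofono_t self:fifo_file rw_fifo_file_perms;
allow ofono_t self:unix_stream_socket create_stream_socket_perms;
# ofonod owns the handsfree audio sockets; pulseaudio only needs its own (self) ones
allow ofono_t self:bluetooth_socket create_stream_socket_perms;

kernel_read_system_state(ofono_t)
files_read_etc_files(ofono_t)
logging_send_syslog_msg(ofono_t)
miscfiles_read_localization(ofono_t)

# Registers org.ofono on the system bus, so it must be a system bus client
optional_policy(`
	dbus_system_bus_client(ofono_t)
	dbus_connect_system_bus(ofono_t)
')

# --- policy/modules/services/ofono.if (sketch) ---
## <summary>Exchange D-Bus messages with ofono.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`ofono_dbus_chat',`
	gen_require(`
		type ofono_t;
		class dbus send_msg;
	')

	allow $1 ofono_t:dbus send_msg;
	allow ofono_t $1:dbus send_msg;
')

# --- policy/modules/services/ofono.fc (sketch) ---
/usr/sbin/ofonod	--	gen_context(system_u:object_r:ofono_exec_t,s0)

# --- in pulseaudio.te, replacing init_dbus_chat_script(pulseaudio_t) ---
optional_policy(`
	ofono_dbus_chat(pulseaudio_t)
')
```

With ofonod confined this way, the D-Bus denial is resolved between pulseaudio_t and ofono_t, and no init.if interface or initrc_t socket access is needed.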

