* [PATCH v1] Need bluetooth socket permission for pulseaudio.
From: Raghavender Reddy Bujala @ 2024-05-10  5:50 UTC
  To: selinux-refpolicy
  Cc: quic_mohamull, quic_hbandi, quic_anubhavg,
	Raghavender Reddy Bujala

Resolve selinux permission for ofono:

[pulseaudio] backend-ofono.c: Failed to register as a handsfree audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.14" (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") interface="org.ofono.HandsfreeAudioManager" member="Register" error name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" label="system_u:system_r:initrc_t:s0-s15:c0.c1023")

Resolve these AVC denials for native HSP:

avc:  denied  { create } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { bind } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { listen } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { accept } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { getopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { setopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { read } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

avc:  denied  { write } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1

Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>
---
 policy/modules/apps/pulseaudio.te |  4 ++++
 policy/modules/services/dbus.te   |  1 +
 policy/modules/system/init.if     | 18 ++++++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 65b9a7428..a2ff85c8a 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -318,3 +318,7 @@ optional_policy(`
 optional_policy(`
 	unconfined_signull(pulseaudio_client)
 ')
+
+init_dbus_chat_script(pulseaudio_t)
+init_bt_socket_manage(pulseaudio_t)
+allow pulseaudio_t self:bluetooth_socket { create accept bind getopt listen read setopt write };
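Review bot: only two of the three added lines are backed by the log in the commit message. The `self:bluetooth_socket` rule matches the eight AVCs, and `init_dbus_chat_script(pulseaudio_t)` matches the D-Bus AccessDenied from pulseaudio_t to a destination labelled initrc_t, but `init_bt_socket_manage(pulseaudio_t)` grants getopt/read/setopt/write on initrc_t bluetooth sockets and no listed denial names initrc_t as a target, so either add the denial that motivated it or drop it. Both `init_*` calls also widen pulseaudio's reach to everything running as initrc_t, not just ofonod, which is the reviewer's point about ofonod needing its own domain. Style: refpolicy keeps `self` rules together at the top of the module's local policy section rather than appended after the last `optional_policy` block, and expresses socket permission sets with the shared macros, so `allow pulseaudio_t self:bluetooth_socket create_stream_socket_perms;` placed with the other `self` rules would be the idiomatic form of the hand-written set here.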
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 2d1d09d71..9e1288b77 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -391,3 +391,4 @@ optional_policy(`
 
 allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
 allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
+init_bt_socket_manage(system_dbusd_t)
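Review bot: nothing in the commit message involves system_dbusd_t, so there is no visible justification for `init_bt_socket_manage(system_dbusd_t)`; the denial lines, or an explanation of why the bus daemon touches these sockets (for instance, if it relays a socket file descriptor between the two services), belong in the commit message before this hunk can be judged. The line is also appended after the `dbusd_unconfined` rules at the end of the file instead of in the system_dbusd_t local policy section, and like the first hunk it hard-codes ofonod running as initrc_t, which the reviewer has already said is not an acceptable placement for a long-running service.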
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4891301ad..3ae6bced3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3920,3 +3920,21 @@ interface(`init_search_keys',`
 
 	allow $1 init_t:key search;
 ')
+
+########################################
+## <summary>
+##    Read, Write and manage options for bluetooth socket
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain allowed access.
+##    </summary>
+## </param>
+#
+
+interface(`init_bt_socket_manage',`
+        gen_require(`
+                type initrc_t;
+        ')
+        allow $1 initrc_t:bluetooth_socket { getopt read setopt write };
+')
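Review bot: the interface name and summary overstate what is granted. `{ getopt read setopt write }` is a read/write set, whereas "manage" in refpolicy interface naming implies create and delete, and interfaces in this file that grant access to initrc_t carry `script` in the name (compare `init_dbus_chat_script`, used by the first hunk), so a name along the lines of `init_rw_script_bluetooth_socket` with the summary "Read and write init script bluetooth sockets" would follow file conventions. Formatting: the surrounding code is tab-indented (see the `allow $1 init_t:key search;` context line) while the new body uses spaces; the blank line between the closing `#` and `interface(` should go; and the `gen_require` block should be followed by a blank line before the `allow`, as the preceding interface in the context does.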
-- 
2.17.1
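As an added example, not part of the original patch or of the refpolicy project, the following Python script does what a reviewer does by hand with the commit message above: it parses `avc: denied` lines, groups the requested permissions by source type, target type and object class, renders each group as the equivalent `allow` rule (collapsing source == target to `self`), and checks the `permissive=` flag, since a set of denials captured in permissive mode is complete for that run whereas in enforcing mode the process stops at the first denial and later permissions are never observed. It also flags any rule whose target is initrc_t, which is the reviewer's criterion for "this service needs its own domain rather than a new allow". The sample input is the eight bluetooth_socket denials copied verbatim from the commit message, plus one constructed line (marked as such) that exercises the initrc_t check; all function names are the example's own.

```python
import re
from collections import defaultdict

# Sample input: the eight bluetooth_socket denials quoted in the commit message above.
SAMPLE_AVCS = """\
avc:  denied  { create } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc:  denied  { bind } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc:  denied  { listen } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc:  denied  { accept } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc:  denied  { getopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc:  denied  { setopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc:  denied  { read } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc:  denied  { write } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
"""

# Constructed line (not from the page): a denial against an initrc_t-labelled socket,
# used only to exercise flag_initrc_targets() below.
CONSTRUCTED_INITRC_AVC = ('avc:  denied  { getopt } for  pid=1271 comm="pulseaudio" '
                          'scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 '
                          'tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 '
                          'tclass=bluetooth_socket permissive=1')

# "{ perm perm ... }" followed by key=value fields; values may be double-quoted.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict of its fields plus a 'perms' list; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type; the type is what an allow rule names."""
    return ctx.split(':')[2]


def aggregate(lines):
    """Group requested permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
    return dict(rules)


def render_rule(src, tgt, cls, perms):
    """Render one group as a policy allow rule, using 'self' when source == target."""
    target = 'self' if src == tgt else tgt
    return f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"


def to_allow_rules(rules):
    """All groups as allow rules, in a stable order."""
    return [render_rule(s, t, c, p) for (s, t, c), p in sorted(rules.items())]


def all_permissive(lines):
    """True when every parsed denial carries permissive=1, i.e. the capture is complete
    for that run; a denial logged in enforcing mode means later accesses were never tried."""
    recs = [r for r in map(parse_avc, lines) if r is not None]
    return bool(recs) and all(r.get('permissive') == '1' for r in recs)


def flag_initrc_targets(rules):
    """Rules whose target type is initrc_t: the thread's signal that the peer service
    is running in the init script domain and needs a domain of its own, not a new allow."""
    return [render_rule(s, t, c, p) for (s, t, c), p in sorted(rules.items()) if t == 'initrc_t']


if __name__ == '__main__':
    lines = SAMPLE_AVCS.splitlines()
    for rule in to_allow_rules(aggregate(lines)):
        print(rule)
    print('complete capture (permissive):', all_permissive(lines))
    print('initrc_t targets:', flag_initrc_targets(aggregate(lines + [CONSTRUCTED_INITRC_AVC])))
```

Run on the sample, the script prints a single `self` rule for pulseaudio_t covering all eight permissions; the two thread names (`comm="pulseaudio"` and `comm="bluetooth"`) collapse into one rule because the rule is keyed on types, not on the process. The output only says what was requested, not whether it should be granted: that decision is the reviewer's, and the initrc_t flag encodes the one given in this thread.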



* Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
From: Chris PeBenito @ 2024-05-14 20:07 UTC
  To: Raghavender Reddy Bujala, selinux-refpolicy
  Cc: quic_mohamull, quic_hbandi, quic_anubhavg

On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
> Resolve selinux permission for ofono:
> 
> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.14" (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") interface="org.ofono.HandsfreeAudioManager" member="Register" error name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" label="system_u:system_r:initrc_t:s0-s15:c0.c1023")

It looks like we need a domain for ofonod.  Your system has it running 
in the initrc_t domain, which is intended only for init scripts and 
the like.  It's not intended to be used for long-running processes.



> Resolve these AVC denials for native HSP:
> 
> avc:  denied  { create } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { bind } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { listen } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { accept } for  pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { getopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { setopt } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { read } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> avc:  denied  { write } for  pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
> 
> Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>
> ---
>   policy/modules/apps/pulseaudio.te |  4 ++++
>   policy/modules/services/dbus.te   |  1 +
>   policy/modules/system/init.if     | 18 ++++++++++++++++++
>   3 files changed, 23 insertions(+)
> 
> diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
> index 65b9a7428..a2ff85c8a 100644
> --- a/policy/modules/apps/pulseaudio.te
> +++ b/policy/modules/apps/pulseaudio.te
> @@ -318,3 +318,7 @@ optional_policy(`
>   optional_policy(`
>   	unconfined_signull(pulseaudio_client)
>   ')
> +
> +init_dbus_chat_script(pulseaudio_t)
> +init_bt_socket_manage(pulseaudio_t)
> +allow pulseaudio_t self:bluetooth_socket { create accept bind getopt listen read setopt write };
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 2d1d09d71..9e1288b77 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -391,3 +391,4 @@ optional_policy(`
>   
>   allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
>   allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
> +init_bt_socket_manage(system_dbusd_t)
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 4891301ad..3ae6bced3 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -3920,3 +3920,21 @@ interface(`init_search_keys',`
>   
>   	allow $1 init_t:key search;
>   ')
> +
> +########################################
> +## <summary>
> +##    Read, Write and manage options for bluetooth socket
> +## </summary>
> +## <param name="domain">
> +##    <summary>
> +##    Domain allowed access.
> +##    </summary>
> +## </param>
> +#
> +
> +interface(`init_bt_socket_manage',`
> +        gen_require(`
> +                type initrc_t;
> +        ')
> +        allow $1 initrc_t:bluetooth_socket { getopt read setopt write };
> +')

-- 
Chris PeBenito



* Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
From: Raghavender Reddy Bujala @ 2024-05-16  3:52 UTC
  To: Chris PeBenito, selinux-refpolicy, ofono
  Cc: quic_mohamull, quic_hbandi, quic_anubhavg



On 5/15/2024 1:37 AM, Chris PeBenito wrote:
> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
>> Resolve selinux permission for ofono:
>>
>> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio 
>> agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux 
>> policy prevents this sender from sending this message to this 
>> recipient, 0 matched rules; type="method_call", sender=":1.14" 
>> (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no 
>> -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") 
>> interface="org.ofono.HandsfreeAudioManager" member="Register" error 
>> name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 
>> pid=942 comm="/usr/sbin/ofonod -n" 
>> label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
> 
> It looks like we need a domain for ofonod.  Your system has it running 
> in the initrc_t domain, which is intended only for init scripts and 
> the like.  It's not intended to be used for long-running processes.
>

Thanks for the suggestion.
But we didn't find any particular domain for ofono, and no sepolicy 
files are available for this service.
So, we have added these changes to make functionality work properly with 
ofono.

And we haven't observed any sepolicy issue on Ubuntu and RPi OS for 
ofono, because sepolicy is not enabled for these OSes.
The output of the ps -eZ command on an Ubuntu machine is:
LABEL                               PID TTY          TIME CMD
unconfined                        11528 ?        00:00:00 ofono

So, is there any plan from upstream to add a domain for ofono or add 
sepolicies for this service?

Please let us know if there is any alternative way to proceed further.

> 
> 
>> Resolve these AVC denials for native HSP:
>>
>> avc:  denied  { create } for  pid=1271 comm="pulseaudio" 
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { bind } for  pid=1271 comm="pulseaudio" 
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { listen } for  pid=1271 comm="pulseaudio" 
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { accept } for  pid=1271 comm="pulseaudio" 
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { getopt } for  pid=1271 comm="bluetooth" 
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { setopt } for  pid=1271 comm="bluetooth" 
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { read } for  pid=1271 comm="bluetooth" 
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tclass=bluetooth_socket permissive=1
>>
>> avc:  denied  { write } for  pid=1271 comm="bluetooth" 
>> scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
>> tclass=bluetooth_socket permissive=1
>>
>> Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>
>> ---
>>   policy/modules/apps/pulseaudio.te |  4 ++++
>>   policy/modules/services/dbus.te   |  1 +
>>   policy/modules/system/init.if     | 18 ++++++++++++++++++
>>   3 files changed, 23 insertions(+)
>>
>> diff --git a/policy/modules/apps/pulseaudio.te 
>> b/policy/modules/apps/pulseaudio.te
>> index 65b9a7428..a2ff85c8a 100644
>> --- a/policy/modules/apps/pulseaudio.te
>> +++ b/policy/modules/apps/pulseaudio.te
>> @@ -318,3 +318,7 @@ optional_policy(`
>>   optional_policy(`
>>       unconfined_signull(pulseaudio_client)
>>   ')
>> +
>> +init_dbus_chat_script(pulseaudio_t)
>> +init_bt_socket_manage(pulseaudio_t)
>> +allow pulseaudio_t self:bluetooth_socket { create accept bind getopt 
>> listen read setopt write };
>> diff --git a/policy/modules/services/dbus.te 
>> b/policy/modules/services/dbus.te
>> index 2d1d09d71..9e1288b77 100644
>> --- a/policy/modules/services/dbus.te
>> +++ b/policy/modules/services/dbus.te
>> @@ -391,3 +391,4 @@ optional_policy(`
>>   allow dbusd_unconfined { dbusd_session_bus_client 
>> dbusd_system_bus_client }:dbus send_msg;
>>   allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus 
>> all_dbus_perms;
>> +init_bt_socket_manage(system_dbusd_t)
>> diff --git a/policy/modules/system/init.if 
>> b/policy/modules/system/init.if
>> index 4891301ad..3ae6bced3 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -3920,3 +3920,21 @@ interface(`init_search_keys',`
>>       allow $1 init_t:key search;
>>   ')
>> +
>> +########################################
>> +## <summary>
>> +##    Read, Write and manage options for bluetooth socket
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +
>> +interface(`init_bt_socket_manage',`
>> +        gen_require(`
>> +                type initrc_t;
>> +        ')
>> +        allow $1 initrc_t:bluetooth_socket { getopt read setopt write };
>> +')
> 

--
Raghavender Reddy Bujala


* Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
From: Chris PeBenito @ 2024-05-17 16:09 UTC
  To: Raghavender Reddy Bujala, selinux-refpolicy, ofono
  Cc: quic_mohamull, quic_hbandi, quic_anubhavg

On 5/15/2024 11:52 PM, Raghavender Reddy Bujala wrote:
> 
> 
> On 5/15/2024 1:37 AM, Chris PeBenito wrote:
>> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
>>> Resolve selinux permission for ofono:
>>>
>>> [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio 
>>> agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux 
>>> policy prevents this sender from sending this message to this 
>>> recipient, 0 matched rules; type="method_call", sender=":1.14" 
>>> (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no 
>>> -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") 
>>> interface="org.ofono.HandsfreeAudioManager" member="Register" error 
>>> name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 
>>> pid=942 comm="/usr/sbin/ofonod -n" 
>>> label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
>>
>> It looks like we need a domain for ofonod.  Your system has it running 
>> in the initrc_t domain, which is intended only for init scripts and 
>> the like.  It's not intended to be used for long-running processes.
>>
> 
> Thanks for the suggestion.
> But we didn't find any particular domain for ofono, and no sepolicy 
> files are available for this service.
> So, we have added these changes to make functionality work properly with 
> ofono.
> 
> And we haven't observed any sepolicy issue on Ubuntu and RPi OS for 
> ofono, because sepolicy is not enabled for these OSes.
> The output of the ps -eZ command on an Ubuntu machine is:
> LABEL                               PID TTY          TIME CMD
> unconfined                        11528 ?        00:00:00 ofono
> 
> So, is there any plan from upstream to add a domain for ofono or add 
> sepolicies for this service?
> 
> Please let us know if there is any alternative way to proceed further.

I'm not aware of anyone creating an ofono domain for the SELinux policy. 
Unfortunately your patch cannot be upstreamed in its current form, so 
it'll have to remain your local fix.  I'd expect an ofono domain to fix 
this access, since a telephony service would need audio output from 
pulseaudio or similar type service.


-- 
Chris PeBenito



* Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
From: Raghavender Reddy Bujala @ 2024-05-20  7:10 UTC
  To: Chris PeBenito, selinux-refpolicy
  Cc: quic_mohamull, quic_hbandi, quic_anubhavg



On 5/17/2024 9:39 PM, Chris PeBenito wrote:
> On 5/15/2024 11:52 PM, Raghavender Reddy Bujala wrote:
>>
>>
>> On 5/15/2024 1:37 AM, Chris PeBenito wrote:
>>> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
>>>> Resolve selinux permission for ofono:
>>>>
>>>> [pulseaudio] backend-ofono.c: Failed to register as a handsfree 
>>>> audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An 
>>>> SELinux policy prevents this sender from sending this message to 
>>>> this recipient, 0 matched rules; type="method_call", sender=":1.14" 
>>>> (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no 
>>>> -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") 
>>>> interface="org.ofono.HandsfreeAudioManager" member="Register" error 
>>>> name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 
>>>> pid=942 comm="/usr/sbin/ofonod -n" 
>>>> label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
>>>
>>> It looks like we need a domain for ofonod.  Your system has it 
>>> running in the initrc_t domain, which is intended only for init 
>>> scripts and the like.  It's not intended to be used for long-running 
>>> processes.
>>>
>>
>> Thanks for the suggestion.
>> But we didn't find any particular domain for ofono, and no sepolicy 
>> files are available for this service.
>> So, we have added these changes to make functionality work properly 
>> with ofono.
>>
>> And we haven't observed any sepolicy issue on Ubuntu and RPi OS for 
>> ofono, because sepolicy is not enabled for these OSes.
>> The output of the ps -eZ command on an Ubuntu machine is:
>> LABEL                               PID TTY          TIME CMD
>> unconfined                        11528 ?        00:00:00 ofono
>>
>> So, is there any plan from upstream to add a domain for ofono or add 
>> sepolicies for this service?
>>
>> Please let us know if there is any alternative way to proceed further.
> 
> I'm not aware of anyone creating an ofono domain for the SELinux policy. 
> Unfortunately your patch cannot be upstreamed in its current form, so 
> it'll have to remain your local fix.  I'd expect an ofono domain to fix 
> this access, since a telephony service would need audio output from 
> pulseaudio or similar type service.
> 
> 
Sure, we will try to maintain it as a local fix for ofono.
Could you please review the other part of the patch, which is "Resolve these 
AVC denials for native HSP".

--
Raghavender Reddy Bujala


* Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.
From: Chris PeBenito @ 2024-05-20 14:53 UTC
  To: Raghavender Reddy Bujala, selinux-refpolicy
  Cc: quic_mohamull, quic_hbandi, quic_anubhavg

On 5/20/2024 3:10 AM, Raghavender Reddy Bujala wrote:
> 
> 
> On 5/17/2024 9:39 PM, Chris PeBenito wrote:
>> On 5/15/2024 11:52 PM, Raghavender Reddy Bujala wrote:
>>>
>>>
>>> On 5/15/2024 1:37 AM, Chris PeBenito wrote:
>>>> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
>>>>> Resolve selinux permission for ofono:
>>>>>
>>>>> [pulseaudio] backend-ofono.c: Failed to register as a handsfree 
>>>>> audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An 
>>>>> SELinux policy prevents this sender from sending this message to 
>>>>> this recipient, 0 matched rules; type="method_call", sender=":1.14" 
>>>>> (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no 
>>>>> -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") 
>>>>> interface="org.ofono.HandsfreeAudioManager" member="Register" error 
>>>>> name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 
>>>>> pid=942 comm="/usr/sbin/ofonod -n" 
>>>>> label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
>>>>
>>>> It looks like we need a domain for ofonod.  Your system has it 
>>>> running in the initrc_t domain, which is intended only for init 
>>>> scripts and the like.  It's not intended to be used for long-running 
>>>> processes.
>>>>
>>>
>>> Thanks for the suggestion.
>>> But we didn't find any particular domain for ofono, and no sepolicy 
>>> files are available for this service.
>>> So, we have added these changes to make functionality work properly 
>>> with ofono.
>>>
>>> And we haven't observed any sepolicy issue on Ubuntu and RPi OS for 
>>> ofono, because sepolicy is not enabled for these OSes.
>>> The output of the ps -eZ command on an Ubuntu machine is:
>>> LABEL                               PID TTY          TIME CMD
>>> unconfined                        11528 ?        00:00:00 ofono
>>>
>>> So, is there any plan from upstream to add a domain for ofono or add 
>>> sepolicies for this service?
>>>
>>> Please let us know if there is any alternative way to proceed further.
>>
>> I'm not aware of anyone creating an ofono domain for the SELinux 
>> policy.   Unfortunately your patch cannot be upstreamed in its current 
>> form, so it'll have to remain your local fix.  I'd expect an ofono 
>> domain to fix this access, since a telephony service would need audio 
>> output from pulseaudio or similar type service.
>>
>>
> Sure, we will try to maintain it as a local fix for ofono.
> Could you please review the other part of the patch, which is "Resolve these 
> AVC denials for native HSP".

If you're referring to other hunks in this patch, the answer is the same 
as I've already given.  If you're referring to another email thread, I 
cannot find an email with that subject; please resend.


-- 
Chris PeBenito


