On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
Resolve selinux permission for ofono:
[pulseaudio] backend-ofono.c: Failed to register as a handsfree audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.14" (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") interface="org.ofono.HandsfreeAudioManager" member="Register" error name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
It looks like we need a domain for ofonod. Your system has it running
in the initrc_t domain, which is intended only for init scripts and
the like. It's not intended to be used for long-running processes.
Resolve these AVC denials for native HSP:
avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { listen } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { accept } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { getopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { setopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { read } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { write } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@xxxxxxxxxxx>
---
policy/modules/apps/pulseaudio.te | 4 ++++
policy/modules/services/dbus.te | 1 +
policy/modules/system/init.if | 18 ++++++++++++++++++
3 files changed, 23 insertions(+)
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 65b9a7428..a2ff85c8a 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -318,3 +318,7 @@ optional_policy(`
optional_policy(`
unconfined_signull(pulseaudio_client)
')
+
+init_dbus_chat_script(pulseaudio_t)
+init_bt_socket_manage(pulseaudio_t)
+allow pulseaudio_t self:bluetooth_socket { create accept bind getopt listen read setopt write };
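Review bot: `init_bt_socket_manage(pulseaudio_t)` is not backed by the evidence in the description: every AVC quoted there has tcontext=pulseaudio_t, and the D-Bus failure is a send_msg denial, so nothing shows pulseaudio touching a bluetooth_socket owned by initrc_t. `init_dbus_chat_script(pulseaudio_t)` only papers over ofonod running in initrc_t; as the reply above says, ofonod needs its own domain, after which pulseaudio_t should get a narrow chat rule against that domain (an ofono module with its own dbus interface) instead of D-Bus chat with everything in initrc_t. The `allow pulseaudio_t self:bluetooth_socket { ... }` line does match the eight denials, but by refpolicy layout it belongs in the local policy section next to the other `self:` rules, not appended after the last `optional_policy` block.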
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 2d1d09d71..9e1288b77 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -391,3 +391,4 @@ optional_policy(`
allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
+init_bt_socket_manage(system_dbusd_t)
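Review bot: no denial in the description involves system_dbusd_t at all, so `init_bt_socket_manage(system_dbusd_t)` has no justifying AVC; either drop it or add the denial that motivates it to the commit message (if it comes from fd passing over the bus, say so), since granting the system bus daemon read/write and option access to init-script Bluetooth sockets is not something a reader can verify from this patch.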
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4891301ad..3ae6bced3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3920,3 +3920,21 @@ interface(`init_search_keys',`
allow $1 init_t:key search;
')
+
+########################################
+## <summary>
+## Read, Write and manage options for bluetooth socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+
+interface(`init_bt_socket_manage',`
+ gen_require(`
+ type initrc_t;
+ ')
+ allow $1 initrc_t:bluetooth_socket { getopt read setopt write };
+')
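Review bot: the interface name and summary promise more than the rule grants: in refpolicy naming, `manage` denotes the full manage permission set, but `init_bt_socket_manage` only allows `{ getopt read setopt write }` on initrc_t's bluetooth_socket, so a name following the existing `init_dbus_chat_script` pattern (something like `init_rw_script_bluetooth_socket`) and a summary of "read, write and get/set options on init script bluetooth sockets" would describe it accurately. Style: remove the `+` blank line between the closing `#` of the doc block and `interface(`, as the doc block is expected to sit directly above the interface. More fundamentally, the interface hard-codes ofonod living in initrc_t; once ofonod has its own domain this interface has no caller and should not be added.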
--
Chris PeBenito
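Added example, not part of this thread or of the refpolicy tree: a small Python helper that turns the AVC lines and the dbus-daemon AccessDenied message quoted in the patch description into the minimal allow rules they would justify (audit2allow-style), and then lists any rule from a patch whose target type never appears in that evidence. The sample input is copied from the description above; the function names and the check logic are mine.

```python
import re
from collections import defaultdict

# Sample input: the AVC lines and the D-Bus AccessDenied message as quoted in
# the patch description (embedded here so the script runs offline).
SAMPLE_AVCS = """\
avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { listen } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { accept } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { getopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { setopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { read } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { write } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
"""

SAMPLE_DBUS = (
    '[pulseaudio] backend-ofono.c: Failed to register as a handsfree audio agent with ofono: '
    'org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending '
    'this message to this recipient, 0 matched rules; type="method_call", sender=":1.14" '
    '(uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no -v" '
    'label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") '
    'interface="org.ofono.HandsfreeAudioManager" member="Register" error name="(unset)" '
    'requested_reply="0" destination="org.ofono" (uid=0 pid=942 comm="/usr/sbin/ofonod -n" '
    'label="system_u:system_r:initrc_t:s0-s15:c0.c1023")'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
LABEL_RE = re.compile(r'label="([^"]+)"')
IFACE_RE = re.compile(r'interface="([^"]+)"\s+member="([^"]+)"')


def context_type(ctx):
    """user:role:type:range -> type, the field policy rules are written against."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, {perms}) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scon"]), context_type(m["tcon"]),
                   m["tclass"], set(m["perms"].split()))


def avc_allow_rules(text):
    """Merge denials per (source, target, class) into minimal allow rules."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_avcs(text):
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def avc_target_types(text):
    """All target types that actually appear in the denials."""
    return {tgt for _, tgt, _, _ in parse_avcs(text)}


def dbus_denial(text):
    """(sender_type, destination_type, interface, member) from a dbus-daemon AccessDenied message."""
    labels = LABEL_RE.findall(text)
    if len(labels) != 2:
        raise ValueError("expected exactly a sender and a destination label")
    iface = IFACE_RE.search(text)
    return (context_type(labels[0]), context_type(labels[1]),
            iface.group(1) if iface else None, iface.group(2) if iface else None)


def dbus_allow_rule(text):
    """The send_msg rule that would silence the denial; the reply direction is up to the reviewer."""
    sender, dest, _, _ = dbus_denial(text)
    return f"allow {sender} {dest}:dbus send_msg;"


def unjustified_rules(patch_rules, avc_text):
    """Patch rules whose target type never shows up as a tcontext in the quoted denials."""
    seen = avc_target_types(avc_text)
    flagged = []
    for rule in patch_rules:
        m = re.match(r'allow\s+(\S+)\s+(\S+):', rule)
        src, tgt = m.group(1), m.group(2)
        if (src if tgt == "self" else tgt) not in seen:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in avc_allow_rules(SAMPLE_AVCS):
        print(rule)
    print(dbus_allow_rule(SAMPLE_DBUS))
    # Expansion of init_bt_socket_manage(pulseaudio_t) from the patch, checked against the evidence.
    print(unjustified_rules(["allow pulseaudio_t initrc_t:bluetooth_socket { getopt read setopt write };"], SAMPLE_AVCS))
```

Run against the quoted lines, the AVCs collapse to the single `self:bluetooth_socket` rule the patch adds, the D-Bus message yields a send_msg rule whose destination type is initrc_t (which is the point of the reply: the fix is a proper ofono domain, not chat with initrc_t), and the initrc_t bluetooth_socket rule is flagged because no denial targets initrc_t.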