Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.

[Raghavender Reddy Bujala <quic_rbujala@xxxxxxxxxxx>]

On 5/15/2024 1:37 AM, Chris PeBenito wrote:
> On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
> > Resolve selinux permission for ofono:
> >
> > [pulseaudio] backend-ofono.c: Failed to register as a handsfree audio 
> > agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An SELinux 
> > policy prevents this sender from sending this message to this 
> > recipient, 0 matched rules; type="method_call", sender=":1.14" 
> > (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no 
> > -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") 
> > interface="org.ofono.HandsfreeAudioManager" member="Register" error 
> > name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 
> > pid=942 comm="/usr/sbin/ofonod -n" 
> > label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
>
> It looks like we need a domain for ofonod.  Your system has it running 
> is in the initrc_t domain, which is intended only for init scripts and 
> the like.  It's not intended to be used for long-running processes.

Thanks for suggestion.
But we didn't found any particular domain for ofono and no sepolicy 
files are available for this service.
so, we have added these changes to make functionality work properly with 
ofono.

and we haven't observed any sepolicy issue on ubuntu and rpi os for 
ofono. Because sepolicy is not enabled for these os.
output of ps -eZ command on ubuntu machine is:
LABEL                               PID TTY          TIME CMD
unconfined                        11528 ?        00:00:00 ofono

So, Is there any plan from upstream to add domain for ofono or add 
sepolicies for this service.

Please let us know, is there any alternative to way proceed further.

> > Resolve these AVC denials for native HSP:
> >
> > avc:  denied  { create } for  pid=1271 comm="pulseaudio" 
> > scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tclass=bluetooth_socket permissive=1
> >
> > avc:  denied  { bind } for  pid=1271 comm="pulseaudio" 
> > scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tclass=bluetooth_socket permissive=1
> >
> > avc:  denied  { listen } for  pid=1271 comm="pulseaudio" 
> > scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tclass=bluetooth_socket permissive=1
> >
> > avc:  denied  { accept } for  pid=1271 comm="pulseaudio" 
> > scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tclass=bluetooth_socket permissive=1
> >
> > avc:  denied  { getopt } for  pid=1271 comm="bluetooth" 
> > scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tclass=bluetooth_socket permissive=1
> >
> > avc:  denied  { setopt } for  pid=1271 comm="bluetooth" 
> > scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tclass=bluetooth_socket permissive=1
> >
> > avc:  denied  { read } for  pid=1271 comm="bluetooth" 
> > scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tclass=bluetooth_socket permissive=1
> >
> > avc:  denied  { write } for  pid=1271 comm="bluetooth" 
> > scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 
> > tclass=bluetooth_socket permissive=1
> >
> > Signed-off-by: Raghavender Reddy Bujala<quic_rbujala@xxxxxxxxxxx>
> > ---
> >   policy/modules/apps/pulseaudio.te |  4 ++++
> >   policy/modules/services/dbus.te   |  1 +
> >   policy/modules/system/init.if     | 18 ++++++++++++++++++
> >   3 files changed, 23 insertions(+)
> >
> > diff --git a/policy/modules/apps/pulseaudio.te 
> > b/policy/modules/apps/pulseaudio.te
> > index 65b9a7428..a2ff85c8a 100644
> > --- a/policy/modules/apps/pulseaudio.te
> > +++ b/policy/modules/apps/pulseaudio.te
> > @@ -318,3 +318,7 @@ optional_policy(`
> >   optional_policy(`
> >       unconfined_signull(pulseaudio_client)
> >   ')
> > +
> > +init_dbus_chat_script(pulseaudio_t)
> > +init_bt_socket_manage(pulseaudio_t)
> > +allow pulseaudio_t self:bluetooth_socket { create accept bind getopt 
> > listen read setopt write };
> > diff --git a/policy/modules/services/dbus.te 
> > b/policy/modules/services/dbus.te
> > index 2d1d09d71..9e1288b77 100644
> > --- a/policy/modules/services/dbus.te
> > +++ b/policy/modules/services/dbus.te
> > @@ -391,3 +391,4 @@ optional_policy(`
> >   allow dbusd_unconfined { dbusd_session_bus_client 
> > dbusd_system_bus_client }:dbus send_msg;
> >   allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus 
> > all_dbus_perms;
> > +init_bt_socket_manage(system_dbusd_t)
> > diff --git a/policy/modules/system/init.if 
> > b/policy/modules/system/init.if
> > index 4891301ad..3ae6bced3 100644
> > --- a/policy/modules/system/init.if
> > +++ b/policy/modules/system/init.if
> > @@ -3920,3 +3920,21 @@ interface(`init_search_keys',`
> >       allow $1 init_t:key search;
> >   ')
> > +
> > +########################################
> > +## <summary>
> > +##    Read, Write and manage options for bluetooth socket
> > +## </summary>
> > +## <param name="domain">
> > +##    <summary>
> > +##    Domain allowed access.
> > +##    </summary>
> > +## </param>
> > +#
> > +
> > +interface(`init_bt_socket_manage',`
> > +        gen_require(`
> > +                type initrc_t;
> > +        ')
> > +        allow $1 initrc_t:bluetooth_socket { getopt read setopt write };
> > +')

--
Raghavender Reddy Bujala