Re: [PATCH v1] Need bluetooth socket permission for pulseaudio.

[Raghavender Reddy Bujala <quic_rbujala@xxxxxxxxxxx>]

On 5/17/2024 9:39 PM, Chris PeBenito wrote:
> On 5/15/2024 11:52 PM, Raghavender Reddy Bujala wrote:
> > On 5/15/2024 1:37 AM, Chris PeBenito wrote:
> > > On 5/10/2024 1:50 AM, Raghavender Reddy Bujala wrote:
> > > > Resolve selinux permission for ofono:
> > > >
> > > > [pulseaudio] backend-ofono.c: Failed to register as a handsfree 
> > > > audio agent with ofono: org.freedesktop.DBus.Error.AccessDenied: An 
> > > > SELinux policy prevents this sender from sending this message to 
> > > > this recipient, 0 matched rules; type="method_call", sender=":1.14" 
> > > > (uid=989 pid=1937 comm="/usr/bin/pulseaudio --system --daemonize=no 
> > > > -v" label="system_u:system_r:pulseaudio_t:s0-s15:c0.c1023") 
> > > > interface="org.ofono.HandsfreeAudioManager" member="Register" error 
> > > > name="(unset)" requested_reply="0" destination="org.ofono" (uid=0 
> > > > pid=942 comm="/usr/sbin/ofonod -n" 
> > > > label="system_u:system_r:initrc_t:s0-s15:c0.c1023")
> > >
> > > It looks like we need a domain for ofonod.  Your system has it 
> > > running is in the initrc_t domain, which is intended only for init 
> > > scripts and the like.  It's not intended to be used for long-running 
> > > processes.
> >
> > Thanks for suggestion.
> > But we didn't found any particular domain for ofono and no sepolicy 
> > files are available for this service.
> > so, we have added these changes to make functionality work properly 
> > with ofono.
> >
> > and we haven't observed any sepolicy issue on ubuntu and rpi os for 
> > ofono. Because sepolicy is not enabled for these os.
> > output of ps -eZ command on ubuntu machine is:
> > LABEL                               PID TTY          TIME CMD
> > unconfined                        11528 ?        00:00:00 ofono
> >
> > So, Is there any plan from upstream to add domain for ofono or add 
> > sepolicies for this service.
> >
> > Please let us know, is there any alternative to way proceed further.
>
> I'm not aware of anyone creating an ofono domain for the SELinux policy. 
>   Unfortunately your patch cannot be upstreamed in its current form, so 
> it'll have to remain your local fix.  I'd expect an ofono domain to fix 
> this access, since a telephony service would need audio output from 
> pulseaudio or similar type service.
Sure, will try to maintain it as local fix for ofono.
could you please review other part of the patch which is "Resolve these 
AVC denials for native HSP".

--
Raghavender Reddy Bujala