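#DESC Bluetooth
#
# Authors: Dan Walsh
# RH-Packages: Bluetooth
#
#################################
#
# Rules for the bluetooth_t domain.
#
# Two domains are defined here: bluetooth_t (the daemon itself) and
# bluetooth_helper_t (programs the daemon spawns via domain_auto_trans).
# Rules are grouped by domain and by the resource they touch; the m4
# ifdef blocks make the optional dbus/xserver/xdm and targeted-vs-strict
# rules conditional on the corresponding policy modules being present.
#
daemon_domain(bluetooth)
# Sockets the daemon creates under /var/run get their own type.
file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
# Files the daemon creates in /etc/bluetooth become bluetooth_conf_rw_t,
# keeping them apart from the read-only bluetooth_conf_t config.
file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
tmp_domain(bluetooth)
var_lib_domain(bluetooth)

# Use capabilities.
allow bluetooth_t self:file read;
# net_admin/net_raw cover raw-socket and interface configuration,
# sys_tty_config covers tty ioctls (kernel capability semantics).
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
allow bluetooth_t self:process getsched;
allow bluetooth_t proc_t:file { getattr read };
allow bluetooth_t self:shm create_shm_perms;
lock_domain(bluetooth)

# Use the network.
can_network(bluetooth_t)
can_ypbind(bluetooth_t)

# Only meaningful when the dbusd policy is built in.
ifdef(`dbusd.te', `
dbusd_client(system, bluetooth)
allow bluetooth_t system_dbusd_t:dbus send_msg;
')

# Generic "socket" class (not inet/unix); presumably the HCI sockets —
# TODO confirm against the daemon.
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
# Suppress noise from the inherited admin terminal rather than allow it.
dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };

# bluetooth_conf_t is the type of the /etc/bluetooth dir.
type bluetooth_conf_t, file_type, sysadmfile;
type bluetooth_conf_rw_t, file_type, sysadmfile;

# Read /etc/bluetooth
allow bluetooth_t bluetooth_conf_t:dir search;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };

#/usr/sbin/hid2hci causes the following
# NOTE(review): the initrc_t rule below grants a foreign domain access
# from inside the bluetooth module; keep it here only while hid2hci is
# run from an init script.
allow initrc_t usbfs_t:file { getattr read };
allow bluetooth_t usbfs_t:dir r_dir_perms;
allow bluetooth_t usbfs_t:file rw_file_perms;

# Execute helper binaries and shell scripts without a domain change.
allow bluetooth_t bin_t:dir search;
can_exec(bluetooth_t, { bin_t shell_exec_t })
allow bluetooth_t bin_t:lnk_file read;

#Handle bluetooth serial devices
allow bluetooth_t tty_device_t:chr_file rw_file_perms;
allow bluetooth_t self:fifo_file rw_file_perms;
allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(bluetooth_t, fonts_t)
allow bluetooth_t urandom_device_t:chr_file r_file_perms;
allow bluetooth_t usr_t:file { getattr read };

#
# bluetooth_helper_t: programs the daemon launches (labelled
# bluetooth_helper_exec_t) transition into this domain.
#
application_domain(bluetooth_helper, `, nscd_client_domain')
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
role system_r types bluetooth_helper_t;
read_locale(bluetooth_helper_t)
# NOTE(review): "unrestricted" widens the helper far beyond the explicit
# rules that follow; confirm it is still required before keeping it.
typeattribute bluetooth_helper_t unrestricted;
# Read dir/file objects of every domain type (e.g. /proc/<pid> entries).
r_dir_file(bluetooth_helper_t, domain)
allow bluetooth_helper_t bin_t:dir { getattr search };
can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
allow bluetooth_helper_t bin_t:lnk_file read;
allow bluetooth_helper_t self:capability sys_nice;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:process { fork getsched sigchld };
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(bluetooth_helper_t, fonts_t)
r_dir_file(bluetooth_helper_t, proc_t)
read_sysctl(bluetooth_helper_t)
allow bluetooth_helper_t tmp_t:dir search;
allow bluetooth_helper_t usr_t:file { getattr read };
allow bluetooth_helper_t home_dir_type:dir search;

# X server log access, only when the xserver policy is built in.
ifdef(`xserver.te', `
allow bluetooth_helper_t xserver_log_t:dir search;
allow bluetooth_helper_t xserver_log_t:file { getattr read };
')

# Targeted policy talks to unconfined_t; strict policy talks to the
# unprivileged user domains (and the xdm X server socket if present).
ifdef(`targeted_policy', `
allow bluetooth_helper_t tmp_t:sock_file { read write };
allow bluetooth_helper_t tmpfs_t:file { read write };
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
allow bluetooth_t unconfined_t:dbus send_msg;
allow unconfined_t bluetooth_t:dbus send_msg;
', `
ifdef(`xdm.te', `
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
')
allow bluetooth_t unpriv_userdomain:dbus send_msg;
allow unpriv_userdomain bluetooth_t:dbus send_msg;
')

# Helper talks back to the daemon over the socket it inherited.
allow bluetooth_helper_t bluetooth_t:socket { read write };
allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_helper_t self:unix_stream_socket connectto;
tmp_domain(bluetooth_helper)
allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;
# Silence expected denials instead of granting them.
dontaudit bluetooth_helper_t default_t:dir { read search };
dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;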