## Bluetooth tools and system services. ######################################## ## ## Role access for bluetooth. ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## User domain for the role. ## ## ## ## ## User exec domain for execute and transition access. ## ## ## ## ## Role allowed access ## ## # template(`bluetooth_role',` gen_require(` attribute_role bluetooth_helper_roles; type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t; type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_runtime_t; ') ######################################## # # Declarations # roleattribute $4 bluetooth_helper_roles; ######################################## # # Policy # domtrans_pattern($3, bluetooth_helper_exec_t, bluetooth_helper_t) ps_process_pattern($3, bluetooth_helper_t) allow $3 bluetooth_helper_t:process { ptrace signal_perms }; allow $3 bluetooth_t:socket rw_socket_perms; allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms }; allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; stream_connect_pattern($3, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) files_search_runtime($3) optional_policy(` systemd_user_app_status($1, bluetooth_helper_t) ') ') ##################################### ## ## Connect to bluetooth over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`bluetooth_stream_connect',` gen_require(` type bluetooth_t, bluetooth_runtime_t; ') files_search_runtime($1) allow $1 bluetooth_t:socket rw_socket_perms; stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t) ') ######################################## ## ## Execute bluetooth in the bluetooth domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`bluetooth_domtrans',` gen_require(` type bluetooth_t, bluetooth_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, bluetooth_exec_t, bluetooth_t) ') ######################################## ## ## Read bluetooth configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`bluetooth_read_config',` gen_require(` type bluetooth_conf_t; ') allow $1 bluetooth_conf_t:file read_file_perms; ') ######################################## ## ## Send and receive messages from ## bluetooth over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`bluetooth_dbus_chat',` gen_require(` type bluetooth_t; class dbus send_msg; ') allow $1 bluetooth_t:dbus send_msg; allow bluetooth_t $1:dbus send_msg; ') ######################################## ## ## Do not audit attempts to read ## bluetooth process state files. ## ## ## ## Domain to not audit. ## ## # interface(`bluetooth_dontaudit_read_helper_state',` gen_require(` type bluetooth_helper_t; ') dontaudit $1 bluetooth_helper_t:dir search_dir_perms; dontaudit $1 bluetooth_helper_t:file read_file_perms; ') ######################################## ## ## All of the rules required to ## administrate an bluetooth environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`bluetooth_admin',` gen_require(` type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; type bluetooth_var_lib_t, bluetooth_runtime_t; type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t; type bluetooth_initrc_exec_t; ') allow $1 bluetooth_t:process { ptrace signal_perms }; ps_process_pattern($1, bluetooth_t) init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t) files_list_tmp($1) admin_pattern($1, bluetooth_tmp_t) files_list_var($1) admin_pattern($1, bluetooth_lock_t) files_list_etc($1) admin_pattern($1, { bluetooth_conf_t bluetooth_conf_rw_t }) files_list_var_lib($1) admin_pattern($1, bluetooth_var_lib_t) files_list_runtime($1) admin_pattern($1, bluetooth_runtime_t) ')