## Bluetooth tools and system services.
########################################
##
## Role access for bluetooth.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## User domain for the role.
##
##
##
##
## User exec domain for execute and transition access.
##
##
##
##
## Role allowed access
##
##
#
template(`bluetooth_role',`
gen_require(`
attribute_role bluetooth_helper_roles;
type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t;
type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_runtime_t;
')
########################################
#
# Declarations
#
roleattribute $4 bluetooth_helper_roles;
########################################
#
# Policy
#
domtrans_pattern($3, bluetooth_helper_exec_t, bluetooth_helper_t)
ps_process_pattern($3, bluetooth_helper_t)
allow $3 bluetooth_helper_t:process { ptrace signal_perms };
allow $3 bluetooth_t:socket rw_socket_perms;
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
stream_connect_pattern($3, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
files_search_runtime($3)
optional_policy(`
systemd_user_app_status($1, bluetooth_helper_t)
')
')
#####################################
##
## Connect to bluetooth over a unix domain
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
interface(`bluetooth_stream_connect',`
gen_require(`
type bluetooth_t, bluetooth_runtime_t;
')
files_search_runtime($1)
allow $1 bluetooth_t:socket rw_socket_perms;
stream_connect_pattern($1, bluetooth_runtime_t, bluetooth_runtime_t, bluetooth_t)
')
########################################
##
## Execute bluetooth in the bluetooth domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`bluetooth_domtrans',`
gen_require(`
type bluetooth_t, bluetooth_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
')
########################################
##
## Read bluetooth configuration files.
##
##
##
## Domain allowed access.
##
##
#
interface(`bluetooth_read_config',`
gen_require(`
type bluetooth_conf_t;
')
allow $1 bluetooth_conf_t:file read_file_perms;
')
########################################
##
## Send and receive messages from
## bluetooth over dbus.
##
##
##
## Domain allowed access.
##
##
#
interface(`bluetooth_dbus_chat',`
gen_require(`
type bluetooth_t;
class dbus send_msg;
')
allow $1 bluetooth_t:dbus send_msg;
allow bluetooth_t $1:dbus send_msg;
')
########################################
##
## Do not audit attempts to read
## bluetooth process state files.
##
##
##
## Domain to not audit.
##
##
#
interface(`bluetooth_dontaudit_read_helper_state',`
gen_require(`
type bluetooth_helper_t;
')
dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
dontaudit $1 bluetooth_helper_t:file read_file_perms;
')
########################################
##
## All of the rules required to
## administrate an bluetooth environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_runtime_t;
type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
type bluetooth_initrc_exec_t;
')
allow $1 bluetooth_t:process { ptrace signal_perms };
ps_process_pattern($1, bluetooth_t)
init_startstop_service($1, $2, bluetooth_t, bluetooth_initrc_exec_t)
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
files_list_var($1)
admin_pattern($1, bluetooth_lock_t)
files_list_etc($1)
admin_pattern($1, { bluetooth_conf_t bluetooth_conf_rw_t })
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
files_list_runtime($1)
admin_pattern($1, bluetooth_runtime_t)
')