[people/stevee/selinux-policy.git] / policy / modules / services / bluetooth.if

## <summary>Bluetooth tools and system services.</summary>

########################################
## <summary>
##	Role access for bluetooth
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_role',`
	gen_require(`
		type bluetooth_helper_t, bluetooth_helper_exec_t;
		type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
	')

	role $1 types bluetooth_helper_t;

	domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)

	# allow ps to show cdrecord and allow the user to kill it
	ps_process_pattern($2, bluetooth_helper_t)
	allow $2 bluetooth_helper_t:process signal_perms;

	tunable_policy(`deny_ptrace',`',`
		allow $2 bluetooth_helper_t:process ptrace;
	')

	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
	manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)

	manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
	manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)

	bluetooth_stream_connect($2)
')

#####################################
## <summary>
##	Connect to bluetooth over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bluetooth_stream_connect',`
	gen_require(`
		type bluetooth_t, bluetooth_var_run_t;
	')

	files_search_pids($1)
	allow $1 bluetooth_t:socket rw_socket_perms;
	stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
')

########################################
## <summary>
##	Execute bluetooth in the bluetooth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`bluetooth_domtrans',`
	gen_require(`
		type bluetooth_t, bluetooth_exec_t;
	')

	domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
')

########################################
## <summary>
##	Read bluetooth daemon configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bluetooth_read_config',`
	gen_require(`
		type bluetooth_conf_t;
	')

	allow $1 bluetooth_conf_t:file read_file_perms;
')

########################################
## <summary>
##	Send and receive messages from
##	bluetooth over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bluetooth_dbus_chat',`
	gen_require(`
		type bluetooth_t;
		class dbus send_msg;
	')

	allow $1 bluetooth_t:dbus send_msg;
	allow bluetooth_t $1:dbus send_msg;
')

########################################
## <summary>
##	dontaudit Send and receive messages from
##	bluetooth over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`bluetooth_dontaudit_dbus_chat',`
	gen_require(`
		type bluetooth_t;
		class dbus send_msg;
	')

	dontaudit $1 bluetooth_t:dbus send_msg;
	dontaudit bluetooth_t $1:dbus send_msg;
')

########################################
## <summary>
##	Execute bluetooth_helper in the bluetooth_helper domain.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`bluetooth_domtrans_helper',`
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Execute bluetooth_helper in the bluetooth_helper domain, and
##	allow the specified role the bluetooth_helper domain.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the bluetooth_helper domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_run_helper',`
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Do not audit attempts to read bluetooth helper state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`bluetooth_dontaudit_read_helper_state',`
	gen_require(`
		type bluetooth_helper_t;
	')

	dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
	dontaudit $1 bluetooth_helper_t:file read_file_perms;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an bluetooth environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the bluetooth domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_admin',`
	gen_require(`
		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
		type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
		type bluetooth_conf_t, bluetooth_conf_rw_t;
	')

	allow $1 bluetooth_t:process signal_perms;
	ps_process_pattern($1, bluetooth_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 bluetooth_t:process ptrace;
	')

	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 bluetooth_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, bluetooth_tmp_t)

	files_list_var($1)
	admin_pattern($1, bluetooth_lock_t)

	files_list_etc($1)
	admin_pattern($1, bluetooth_conf_t)
	admin_pattern($1, bluetooth_conf_rw_t)

	files_list_var_lib($1)
	admin_pattern($1, bluetooth_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, bluetooth_var_run_t)
')
Commit	Line	Data
d4dca585	1	## <summary>Bluetooth tools and system services.</summary>
9c4fcf66	2
296273a7	3	########################################
350b6ab7	4	## <summary>
296273a7	5	## Role access for bluetooth
350b6ab7	6	## </summary>
296273a7	7	## <param name="role">
350b6ab7	8	## <summary>
296273a7	9	## Role allowed access
350b6ab7 CP	10	## </summary>
350b6ab7 CP	11	## </param>
296273a7	12	## <param name="domain">
350b6ab7	13	## <summary>
296273a7	14	## User domain for the role
350b6ab7 CP	15	## </summary>
350b6ab7 CP	16	## </param>
25e284d7	17	## <rolecap/>
350b6ab7	18	#
296273a7	19	interface(`bluetooth_role',`
350b6ab7	20	gen_require(`
296273a7 CP	21	type bluetooth_helper_t, bluetooth_helper_exec_t;
296273a7 CP	22	type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
350b6ab7 CP	23	')
350b6ab7 CP	24
296273a7	25	role $1 types bluetooth_helper_t;
350b6ab7	26
296273a7	27	domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
350b6ab7	28
c5155ac0	29	# allow ps to show cdrecord and allow the user to kill it
296273a7	30	ps_process_pattern($2, bluetooth_helper_t)
995bdbb1	31	allow $2 bluetooth_helper_t:process signal_perms;
	32
	33	tunable_policy(`deny_ptrace',`',`
	34	allow $2 bluetooth_helper_t:process ptrace;
	35	')
350b6ab7	36
296273a7 CP	37	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
	38	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
	39	manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
350b6ab7	40
296273a7 CP	41	manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
296273a7 CP	42	manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
0b544ffb DW	43
0b544ffb DW	44	bluetooth_stream_connect($2)
350b6ab7 CP	45	')
350b6ab7 CP	46
c5155ac0 CP	47	#####################################
	48	## <summary>
	49	## Connect to bluetooth over a unix domain
	50	## stream socket.
	51	## </summary>
	52	## <param name="domain">
	53	## <summary>
	54	## Domain allowed access.
	55	## </summary>
	56	## </param>
	57	#
	58	interface(`bluetooth_stream_connect',`
	59	gen_require(`
	60	type bluetooth_t, bluetooth_var_run_t;
	61	')
	62
	63	files_search_pids($1)
	64	allow $1 bluetooth_t:socket rw_socket_perms;
	65	stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
	66	')
	67
46551033 CP	68	########################################
	69	## <summary>
	70	## Execute bluetooth in the bluetooth domain.
	71	## </summary>
	72	## <param name="domain">
	73	## <summary>
288845a6	74	## Domain allowed to transition.
46551033 CP	75	## </summary>
	76	## </param>
	77	#
	78	interface(`bluetooth_domtrans',`
	79	gen_require(`
	80	type bluetooth_t, bluetooth_exec_t;
	81	')
	82
0bfccda4	83	domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
46551033 CP	84	')
46551033 CP	85
bf080a46 CP	86	########################################
	87	## <summary>
	88	## Read bluetooth daemon configuration.
	89	## </summary>
	90	## <param name="domain">
885b83ec	91	## <summary>
bf080a46	92	## Domain allowed access.
885b83ec	93	## </summary>
bf080a46 CP	94	## </param>
	95	#
	96	interface(`bluetooth_read_config',`
	97	gen_require(`
	98	type bluetooth_conf_t;
	99	')
	100
9fa4defb	101	allow $1 bluetooth_conf_t:file read_file_perms;
bf080a46 CP	102	')
bf080a46 CP	103
08c22f4d CP	104	########################################
08c22f4d CP	105	## <summary>
350b6ab7 CP	106	## Send and receive messages from
350b6ab7 CP	107	## bluetooth over dbus.
08c22f4d CP	108	## </summary>
08c22f4d CP	109	## <param name="domain">
885b83ec	110	## <summary>
350b6ab7	111	## Domain allowed access.
885b83ec	112	## </summary>
08c22f4d CP	113	## </param>
08c22f4d CP	114	#
350b6ab7	115	interface(`bluetooth_dbus_chat',`
08c22f4d	116	gen_require(`
350b6ab7 CP	117	type bluetooth_t;
350b6ab7 CP	118	class dbus send_msg;
08c22f4d CP	119	')
08c22f4d CP	120
350b6ab7 CP	121	allow $1 bluetooth_t:dbus send_msg;
350b6ab7 CP	122	allow bluetooth_t $1:dbus send_msg;
08c22f4d CP	123	')
08c22f4d CP	124
3eaa9939 DW	125	########################################
	126	## <summary>
	127	## dontaudit Send and receive messages from
	128	## bluetooth over dbus.
	129	## </summary>
	130	## <param name="domain">
	131	## <summary>
1434371c	132	## Domain to not audit.
3eaa9939 DW	133	## </summary>
	134	## </param>
	135	#
	136	interface(`bluetooth_dontaudit_dbus_chat',`
	137	gen_require(`
	138	type bluetooth_t;
	139	class dbus send_msg;
	140	')
	141
	142	dontaudit $1 bluetooth_t:dbus send_msg;
	143	dontaudit bluetooth_t $1:dbus send_msg;
	144	')
	145
08c22f4d	146	########################################
6f81e1d3	147	## <summary>
350b6ab7	148	## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
6f81e1d3 CP	149	## </summary>
6f81e1d3 CP	150	## <param name="domain">
885b83ec	151	## <summary>
288845a6	152	## Domain allowed to transition.
885b83ec	153	## </summary>
6f81e1d3 CP	154	## </param>
6f81e1d3 CP	155	#
350b6ab7 CP	156	interface(`bluetooth_domtrans_helper',`
350b6ab7 CP	157	refpolicywarn(`$0($*) has been deprecated.')
6f81e1d3 CP	158	')
	159
	160	########################################
08c22f4d CP	161	## <summary>
08c22f4d CP	162	## Execute bluetooth_helper in the bluetooth_helper domain, and
350b6ab7	163	## allow the specified role the bluetooth_helper domain. (Deprecated)
08c22f4d CP	164	## </summary>
08c22f4d CP	165	## <param name="domain">
885b83ec	166	## <summary>
288845a6	167	## Domain allowed to transition.
885b83ec	168	## </summary>
08c22f4d CP	169	## </param>
08c22f4d CP	170	## <param name="role">
885b83ec	171	## <summary>
a7ee7f81	172	## Role allowed access.
885b83ec	173	## </summary>
08c22f4d CP	174	## </param>
08c22f4d CP	175	## <param name="terminal">
885b83ec	176	## <summary>
08c22f4d	177	## The type of the terminal allow the bluetooth_helper domain to use.
885b83ec	178	## </summary>
08c22f4d	179	## </param>
bbcd3c97	180	## <rolecap/>
08c22f4d CP	181	#
08c22f4d CP	182	interface(`bluetooth_run_helper',`
350b6ab7	183	refpolicywarn(`$0($*) has been deprecated.')
08c22f4d CP	184	')
08c22f4d CP	185
9c4fcf66 DM	186	########################################
9c4fcf66 DM	187	## <summary>
3c484f5b	188	## Do not audit attempts to read bluetooth helper state files.
9c4fcf66 DM	189	## </summary>
9c4fcf66 DM	190	## <param name="domain">
885b83ec	191	## <summary>
288845a6	192	## Domain to not audit.
885b83ec	193	## </summary>
9c4fcf66 DM	194	## </param>
9c4fcf66 DM	195	#
296273a7	196	interface(`bluetooth_dontaudit_read_helper_state',`
9c4fcf66	197	gen_require(`
296273a7	198	type bluetooth_helper_t;
9c4fcf66 DM	199	')
9c4fcf66 DM	200
9fa4defb DG	201	dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
9fa4defb DG	202	dontaudit $1 bluetooth_helper_t:file read_file_perms;
9c4fcf66	203	')
fcee22ad CP	204
	205	########################################
	206	## <summary>
c5155ac0	207	## All of the rules required to administrate
fcee22ad CP	208	## an bluetooth environment
	209	## </summary>
	210	## <param name="domain">
	211	## <summary>
	212	## Domain allowed access.
	213	## </summary>
	214	## </param>
	215	## <param name="role">
	216	## <summary>
	217	## The role to be allowed to manage the bluetooth domain.
	218	## </summary>
	219	## </param>
	220	## <rolecap/>
	221	#
	222	interface(`bluetooth_admin',`
	223	gen_require(`
	224	type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
6bb4d401	225	type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
fcee22ad	226	type bluetooth_conf_t, bluetooth_conf_rw_t;
fcee22ad CP	227	')
fcee22ad CP	228
995bdbb1	229	allow $1 bluetooth_t:process signal_perms;
fcee22ad CP	230	ps_process_pattern($1, bluetooth_t)
fcee22ad CP	231
995bdbb1	232	tunable_policy(`deny_ptrace',`',`
	233	allow $1 bluetooth_t:process ptrace;
	234	')
	235
fcee22ad CP	236	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
	237	domain_system_change_exemption($1)
	238	role_transition $2 bluetooth_initrc_exec_t system_r;
	239	allow $2 system_r;
	240
	241	files_list_tmp($1)
	242	admin_pattern($1, bluetooth_tmp_t)
	243
	244	files_list_var($1)
	245	admin_pattern($1, bluetooth_lock_t)
	246
	247	files_list_etc($1)
	248	admin_pattern($1, bluetooth_conf_t)
	249	admin_pattern($1, bluetooth_conf_rw_t)
	250
fcee22ad CP	251	files_list_var_lib($1)
	252	admin_pattern($1, bluetooth_var_lib_t)
	253
	254	files_list_pids($1)
	255	admin_pattern($1, bluetooth_var_run_t)
	256	')