d4dca585 | 1 | ## <summary>Bluetooth tools and system services.</summary> |
9c4fcf66 | 2 | |
296273a7 | 3 | ######################################## |
350b6ab7 | 4 | ## <summary> |
296273a7 | 5 | ## Role access for bluetooth |
350b6ab7 | 6 | ## </summary> |
296273a7 | 7 | ## <param name="role"> |
350b6ab7 | 8 | ## <summary> |
296273a7 | 9 | ## Role allowed access |
350b6ab7 CP |
10 | ## </summary> |
11 | ## </param> | |
296273a7 | 12 | ## <param name="domain"> |
350b6ab7 | 13 | ## <summary> |
296273a7 | 14 | ## User domain for the role |
350b6ab7 CP |
15 | ## </summary> |
16 | ## </param> | |
25e284d7 | 17 | ## <rolecap/> |
350b6ab7 | 18 | # |
296273a7 | 19 | interface(`bluetooth_role',` |
350b6ab7 | 20 | gen_require(` |
296273a7 CP |
21 | type bluetooth_helper_t, bluetooth_helper_exec_t; |
22 | type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t; | |
350b6ab7 CP |
23 | ') |
24 | ||
# Role $1 may run in the helper domain; $2 enters it by executing a
# bluetooth_helper_exec_t file.
296273a7 | 25 | role $1 types bluetooth_helper_t; |
350b6ab7 | 26 | |
296273a7 | 27 | domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t) |
350b6ab7 | 28 | |
c5155ac0 | 29 | # allow ps to show bluetooth_helper and allow the user to kill it |
296273a7 | 30 | ps_process_pattern($2, bluetooth_helper_t) |
995bdbb1 | 31 | allow $2 bluetooth_helper_t:process signal_perms; |
32 | ||
# ptrace of the helper is only granted while the deny_ptrace boolean is
# off (the true-branch of the tunable is empty).
33 | tunable_policy(`deny_ptrace',`',` | |
34 | allow $2 bluetooth_helper_t:process ptrace; | |
35 | ') | |
350b6ab7 | 36 | |
# The user domain gets full manage rights over the helper's tmp and tmpfs
# objects; sock_file management is granted for the tmp type only.
296273a7 CP |
37 | manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) |
38 | manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) | |
39 | manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) | |
350b6ab7 | 40 | |
296273a7 CP |
41 | manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) |
42 | manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t) | |
0b544ffb DW |
43 | |
# The user domain itself (not just the helper) may connect to the
# daemon's unix stream socket; see bluetooth_stream_connect below.
44 | bluetooth_stream_connect($2) | |
350b6ab7 CP |
45 | ') |
46 | ||
c5155ac0 CP |
47 | ##################################### |
48 | ## <summary> | |
49 | ## Connect to bluetooth over a unix domain | |
50 | ## stream socket. | |
51 | ## </summary> | |
52 | ## <param name="domain"> | |
53 | ## <summary> | |
54 | ## Domain allowed access. | |
55 | ## </summary> | |
56 | ## </param> | |
57 | # | |
58 | interface(`bluetooth_stream_connect',` | |
59 | gen_require(` | |
60 | type bluetooth_t, bluetooth_var_run_t; | |
61 | ') | |
62 | ||
# Search on the pid directory is needed to reach the socket file, which
# the pattern below expects to be labeled bluetooth_var_run_t.
63 | files_search_pids($1) | |
# NOTE(review): this is the generic 'socket' class, separate from the
# unix_stream_socket access granted by stream_connect_pattern; confirm
# the daemon still needs it before keeping it (least privilege).
64 | allow $1 bluetooth_t:socket rw_socket_perms; | |
65 | stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t) | |
66 | ') | |
67 | ||
46551033 CP |
68 | ######################################## |
69 | ## <summary> | |
70 | ## Execute bluetooth in the bluetooth domain. | |
71 | ## </summary> | |
72 | ## <param name="domain"> | |
73 | ## <summary> | |
288845a6 | 74 | ## Domain allowed to transition. |
46551033 CP |
75 | ## </summary> |
76 | ## </param> | |
77 | # | |
78 | interface(`bluetooth_domtrans',` | |
79 | gen_require(` | |
80 | type bluetooth_t, bluetooth_exec_t; | |
81 | ') | |
82 | ||
# Executing a bluetooth_exec_t file from $1 transitions the process into
# bluetooth_t. No role access is granted here, so the caller's role must
# already be allowed bluetooth_t elsewhere.
0bfccda4 | 83 | domtrans_pattern($1, bluetooth_exec_t, bluetooth_t) |
46551033 CP |
84 | ') |
85 | ||
bf080a46 CP |
86 | ######################################## |
87 | ## <summary> | |
88 | ## Read bluetooth daemon configuration. | |
89 | ## </summary> | |
90 | ## <param name="domain"> | |
885b83ec | 91 | ## <summary> |
bf080a46 | 92 | ## Domain allowed access. |
885b83ec | 93 | ## </summary> |
bf080a46 CP |
94 | ## </param> |
95 | # | |
96 | interface(`bluetooth_read_config',` | |
97 | gen_require(` | |
98 | type bluetooth_conf_t; | |
99 | ') | |
100 | ||
# Read-only access to bluetooth_conf_t files. No directory search is
# granted here, so the caller needs search on the containing directory
# from elsewhere (presumably /etc, i.e. files_search_etc -- TODO confirm).
# The writable bluetooth_conf_rw_t (see bluetooth_admin) is not covered.
9fa4defb | 101 | allow $1 bluetooth_conf_t:file read_file_perms; |
bf080a46 CP |
102 | ') |
103 | ||
08c22f4d CP |
104 | ######################################## |
105 | ## <summary> | |
350b6ab7 CP |
106 | ## Send and receive messages from |
107 | ## bluetooth over dbus. | |
08c22f4d CP |
108 | ## </summary> |
109 | ## <param name="domain"> | |
885b83ec | 110 | ## <summary> |
350b6ab7 | 111 | ## Domain allowed access. |
885b83ec | 112 | ## </summary> |
08c22f4d CP |
113 | ## </param> |
114 | # | |
350b6ab7 | 115 | interface(`bluetooth_dbus_chat',` |
08c22f4d | 116 | gen_require(` |
350b6ab7 CP |
117 | type bluetooth_t; |
118 | class dbus send_msg; | |
08c22f4d CP |
119 | ') |
120 | ||
# Bidirectional: $1 may send to bluetooth_t and bluetooth_t may send
# back to $1. Only dbus send_msg is granted; access to the bus daemon
# itself must come from elsewhere.
350b6ab7 CP |
121 | allow $1 bluetooth_t:dbus send_msg; |
122 | allow bluetooth_t $1:dbus send_msg; | |
08c22f4d CP |
123 | ') |
124 | ||
3eaa9939 DW |
125 | ######################################## |
126 | ## <summary> | |
127 | ## dontaudit Send and receive messages from | |
128 | ## bluetooth over dbus. | |
129 | ## </summary> | |
130 | ## <param name="domain"> | |
131 | ## <summary> | |
1434371c | 132 | ## Domain to not audit. |
3eaa9939 DW |
133 | ## </summary> |
134 | ## </param> | |
135 | # | |
136 | interface(`bluetooth_dontaudit_dbus_chat',` | |
137 | gen_require(` | |
138 | type bluetooth_t; | |
139 | class dbus send_msg; | |
140 | ') | |
141 | ||
# Silences denial records in both directions without granting access.
# A domain that genuinely needs the traffic should call
# bluetooth_dbus_chat instead of hiding the denials.
142 | dontaudit $1 bluetooth_t:dbus send_msg; | |
143 | dontaudit bluetooth_t $1:dbus send_msg; | |
144 | ') | |
145 | ||
08c22f4d | 146 | ######################################## |
6f81e1d3 | 147 | ## <summary> |
350b6ab7 | 148 | ## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated) |
6f81e1d3 CP |
149 | ## </summary> |
150 | ## <param name="domain"> | |
885b83ec | 151 | ## <summary> |
288845a6 | 152 | ## Domain allowed to transition. |
885b83ec | 153 | ## </summary> |
6f81e1d3 CP |
154 | ## </param> |
155 | # | |
350b6ab7 CP |
156 | interface(`bluetooth_domtrans_helper',` |
# No-op: only emits a build-time deprecation warning and grants nothing.
# The helper transition is provided by bluetooth_role above.
157 | refpolicywarn(`$0($*) has been deprecated.') | |
6f81e1d3 CP |
158 | ') |
159 | ||
160 | ######################################## | |
08c22f4d CP |
161 | ## <summary> |
162 | ## Execute bluetooth_helper in the bluetooth_helper domain, and | |
350b6ab7 | 163 | ## allow the specified role the bluetooth_helper domain. (Deprecated) |
08c22f4d CP |
164 | ## </summary> |
165 | ## <param name="domain"> | |
885b83ec | 166 | ## <summary> |
288845a6 | 167 | ## Domain allowed to transition. |
885b83ec | 168 | ## </summary> |
08c22f4d CP |
169 | ## </param> |
170 | ## <param name="role"> | |
885b83ec | 171 | ## <summary> |
a7ee7f81 | 172 | ## Role allowed access. |
885b83ec | 173 | ## </summary> |
08c22f4d CP |
174 | ## </param> |
175 | ## <param name="terminal"> | |
885b83ec | 176 | ## <summary> |
08c22f4d | 177 | ## The type of the terminal the bluetooth_helper domain is allowed to use. |
885b83ec | 178 | ## </summary> |
08c22f4d | 179 | ## </param> |
bbcd3c97 | 180 | ## <rolecap/> |
08c22f4d CP |
181 | # |
182 | interface(`bluetooth_run_helper',` | |
# No-op: emits a deprecation warning and grants nothing; the domain,
# role and terminal parameters are ignored. Use bluetooth_role instead.
350b6ab7 | 183 | refpolicywarn(`$0($*) has been deprecated.') |
08c22f4d CP |
184 | ') |
185 | ||
9c4fcf66 DM |
186 | ######################################## |
187 | ## <summary> | |
3c484f5b | 188 | ## Do not audit attempts to read bluetooth helper state files. |
9c4fcf66 DM |
189 | ## </summary> |
190 | ## <param name="domain"> | |
885b83ec | 191 | ## <summary> |
288845a6 | 192 | ## Domain to not audit. |
885b83ec | 193 | ## </summary> |
9c4fcf66 DM |
194 | ## </param> |
195 | # | |
296273a7 | 196 | interface(`bluetooth_dontaudit_read_helper_state',` |
9c4fcf66 | 197 | gen_require(` |
296273a7 | 198 | type bluetooth_helper_t; |
9c4fcf66 DM |
199 | ') |
200 | ||
# bluetooth_helper_t is a process domain, so the dir/file objects here are
# presumably its /proc/<pid> entries -- confirm. Nothing is allowed; only
# the denial records are suppressed.
9fa4defb DG |
201 | dontaudit $1 bluetooth_helper_t:dir search_dir_perms; |
202 | dontaudit $1 bluetooth_helper_t:file read_file_perms; | |
9c4fcf66 | 203 | ') |
fcee22ad CP |
204 | |
205 | ######################################## | |
206 | ## <summary> | |
c5155ac0 | 207 | ## All of the rules required to administrate |
fcee22ad CP |
208 | ## a bluetooth environment |
209 | ## </summary> | |
210 | ## <param name="domain"> | |
211 | ## <summary> | |
212 | ## Domain allowed access. | |
213 | ## </summary> | |
214 | ## </param> | |
215 | ## <param name="role"> | |
216 | ## <summary> | |
217 | ## The role to be allowed to manage the bluetooth domain. | |
218 | ## </summary> | |
219 | ## </param> | |
220 | ## <rolecap/> | |
221 | # | |
222 | interface(`bluetooth_admin',` | |
223 | gen_require(` | |
224 | type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t; | |
6bb4d401 | 225 | type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t; |
fcee22ad | 226 | type bluetooth_conf_t, bluetooth_conf_rw_t; |
fcee22ad CP |
227 | ') |
228 | ||
# Process control over the daemon: signals and ps visibility.
995bdbb1 | 229 | allow $1 bluetooth_t:process signal_perms; |
fcee22ad CP |
230 | ps_process_pattern($1, bluetooth_t) |
231 | ||
# ptrace of the daemon is only granted while the deny_ptrace boolean is
# off (the true-branch of the tunable is empty).
995bdbb1 | 232 | tunable_policy(`deny_ptrace',`',` |
233 | allow $1 bluetooth_t:process ptrace; | |
234 | ') | |
235 | ||
# Init script handling: $1 transitions via bluetooth_initrc_exec_t and
# role $2 is switched to system_r for it. Note that 'allow $2 system_r'
# is a policy-wide role allow, not scoped to this module, so granting
# this interface widens what role $2 can become elsewhere as well.
fcee22ad CP |
236 | init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) |
237 | domain_system_change_exemption($1) | |
238 | role_transition $2 bluetooth_initrc_exec_t system_r; | |
239 | allow $2 system_r; | |
240 | ||
# Full administrative control of every file type the module owns
# (admin_pattern is presumably manage plus relabel per refpolicy --
# confirm); each files_list_* call supplies the parent directory access
# needed to reach the objects.
241 | files_list_tmp($1) | |
242 | admin_pattern($1, bluetooth_tmp_t) | |
243 | ||
244 | files_list_var($1) | |
245 | admin_pattern($1, bluetooth_lock_t) | |
246 | ||
247 | files_list_etc($1) | |
248 | admin_pattern($1, bluetooth_conf_t) | |
249 | admin_pattern($1, bluetooth_conf_rw_t) | |
250 | ||
fcee22ad CP |
251 | files_list_var_lib($1) |
252 | admin_pattern($1, bluetooth_var_lib_t) | |
253 | ||
254 | files_list_pids($1) | |
255 | admin_pattern($1, bluetooth_var_run_t) | |
256 | ') |