## <summary>Bluetooth tools and system services.</summary>

3 ########################################
4 ## <summary>
5 ## Role access for bluetooth
6 ## </summary>
7 ## <param name="role">
8 ## <summary>
9 ## Role allowed access
10 ## </summary>
11 ## </param>
12 ## <param name="domain">
13 ## <summary>
14 ## User domain for the role
15 ## </summary>
16 ## </param>
17 ## <rolecap/>
18 #
19 interface(`bluetooth_role',`
20 gen_require(`
21 type bluetooth_helper_t, bluetooth_helper_exec_t;
22 type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
23 ')
24
25 role $1 types bluetooth_helper_t;
26
27 domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
28
29 # allow ps to show cdrecord and allow the user to kill it
30 ps_process_pattern($2, bluetooth_helper_t)
31 allow $2 bluetooth_helper_t:process signal_perms;
32
33 tunable_policy(`deny_ptrace',`',`
34 allow $2 bluetooth_helper_t:process ptrace;
35 ')
36
37 manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
38 manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
39 manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
40
41 manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
42 manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
43
44 bluetooth_stream_connect($2)
45 ')
46
#####################################
## <summary>
##	Connect to bluetooth over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bluetooth_stream_connect',`
	gen_require(`
		type bluetooth_t, bluetooth_var_run_t;
	')

	# The socket lives under the pid directory, so the caller needs
	# search on it to reach the bluetooth_var_run_t sock file.
	files_search_pids($1)
	# Read/write on the daemon's generic "socket" class objects, in
	# addition to the unix stream connect below.  NOTE(review): this is
	# broader than a plain stream connect needs; confirm it is required.
	allow $1 bluetooth_t:socket rw_socket_perms;
	# Search the sock file's directory type, write the sock file and
	# connect to the socket owned by bluetooth_t (per the refpolicy
	# support macro).
	stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
')
67
########################################
## <summary>
##	Execute bluetooth in the bluetooth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`bluetooth_domtrans',`
	gen_require(`
		type bluetooth_t, bluetooth_exec_t;
	')

	# Executing a bluetooth_exec_t file from $1 transitions into the
	# daemon domain; no role authorization is granted here, so the
	# caller's role must already be allowed bluetooth_t.
	domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
')
85
########################################
## <summary>
##	Read bluetooth daemon configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bluetooth_read_config',`
	gen_require(`
		type bluetooth_conf_t;
	')

	# Read-only access to the file class only.  No directory search on
	# /etc or on bluetooth_conf_t directories is granted here;
	# presumably callers already have it -- confirm against callers.
	allow $1 bluetooth_conf_t:file read_file_perms;
')
103
########################################
## <summary>
##	Send and receive messages from
##	bluetooth over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`bluetooth_dbus_chat',`
	gen_require(`
		type bluetooth_t;
		class dbus send_msg;
	')

	# Bidirectional: both $1 -> bluetooth_t and bluetooth_t -> $1.
	# Callers that only need to send (or only receive) get more than
	# they asked for; there is no one-way variant in this file.
	allow $1 bluetooth_t:dbus send_msg;
	allow bluetooth_t $1:dbus send_msg;
')
124
########################################
## <summary>
##	dontaudit Send and receive messages from
##	bluetooth over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`bluetooth_dontaudit_dbus_chat',`
	gen_require(`
		type bluetooth_t;
		class dbus send_msg;
	')

	# Silences denials in both directions; access is still denied.
	# Mirrors the rule pair in bluetooth_dbus_chat.
	dontaudit $1 bluetooth_t:dbus send_msg;
	dontaudit bluetooth_t $1:dbus send_msg;
')
145
########################################
## <summary>
##	Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`bluetooth_domtrans_helper',`
	# No rules are generated: calling this interface only emits a
	# build-time warning.  $0 expands to this interface's name and $*
	# to the arguments it was called with.  The helper transition is
	# now granted through bluetooth_role.
	refpolicywarn(`$0($*) has been deprecated.')
')
159
########################################
## <summary>
##	Execute bluetooth_helper in the bluetooth_helper domain, and
##	allow the specified role the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the bluetooth_helper domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_run_helper',`
	# No rules are generated; the documented parameters are ignored and
	# only a build-time warning is emitted ($0 = interface name,
	# $* = call arguments).  Use bluetooth_role instead.
	refpolicywarn(`$0($*) has been deprecated.')
')
185
########################################
## <summary>
##	Do not audit attempts to read bluetooth helper state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`bluetooth_dontaudit_read_helper_state',`
	gen_require(`
		type bluetooth_helper_t;
	')

	# The process type is used as the target, so this covers the
	# helper's per-process entries (presumably /proc/<pid>) rather than
	# files on disk.  Denials are silenced, not granted.
	dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
	dontaudit $1 bluetooth_helper_t:file read_file_perms;
')
204
########################################
## <summary>
##	All of the rules required to administrate
##	a bluetooth environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the bluetooth domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_admin',`
	gen_require(`
		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
		type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
		type bluetooth_conf_t, bluetooth_conf_rw_t;
	')

	# $1 is the admin domain, $2 its role.  Only the daemon types are
	# required above; the bluetooth_helper_* types are not covered by
	# this interface.
	allow $1 bluetooth_t:process signal_perms;
	ps_process_pattern($1, bluetooth_t)

	# ptrace of the daemon sits in the "else" branch: allowed only
	# while the deny_ptrace boolean is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 bluetooth_t:process ptrace;
	')

	# Let the admin run the init script; the role_transition and role
	# allow put the script into system_r, which the admin role must be
	# allowed to enter.
	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 bluetooth_initrc_exec_t system_r;
	allow $2 system_r;

	# admin_pattern grants full management of each type below; the
	# preceding files_list_* call gives the directory listing needed to
	# reach it.  Note this includes the read-only config type
	# bluetooth_conf_t, not just bluetooth_conf_rw_t.
	files_list_tmp($1)
	admin_pattern($1, bluetooth_tmp_t)

	files_list_var($1)
	admin_pattern($1, bluetooth_lock_t)

	files_list_etc($1)
	admin_pattern($1, bluetooth_conf_t)
	admin_pattern($1, bluetooth_conf_rw_t)

	files_list_var_lib($1)
	admin_pattern($1, bluetooth_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, bluetooth_var_run_t)
')