policy_module(bluetooth,1.2.4)

########################################
#
# Declarations
#

# Main daemon domain and the executable type that enters it; the daemon is
# started by init (init_daemon_domain), so it needs no explicit role line.
type bluetooth_t;
type bluetooth_exec_t;
init_daemon_domain(bluetooth_t,bluetooth_exec_t)

# Configuration the daemon only reads (see the getattr/read/ioctl rule in
# the services section below).
type bluetooth_conf_t;
files_type(bluetooth_conf_t)

# Configuration content the daemon creates and rewrites; objects the daemon
# creates under bluetooth_conf_t are transitioned to this type.
type bluetooth_conf_rw_t;
files_type(bluetooth_conf_rw_t)

# Separate domain for helper programs the daemon executes (domain_auto_trans
# below). It is not an init daemon, so it gets a plain domain_type with its
# own entry point and must be added to system_r by hand.
type bluetooth_helper_t;
type bluetooth_helper_exec_t;
domain_type(bluetooth_helper_t)
domain_entry_file(bluetooth_helper_t,bluetooth_helper_exec_t)
role system_r types bluetooth_helper_t;

# Temporary files and sockets of the helper domain.
type bluetooth_helper_tmp_t;
files_tmp_file(bluetooth_helper_tmp_t)

# Lock files of the daemon.
type bluetooth_lock_t;
files_lock_file(bluetooth_lock_t)

# Temporary files of the daemon.
type bluetooth_tmp_t;
files_tmp_file(bluetooth_tmp_t)

# Persistent daemon state (placed via files_var_lib_filetrans below).
type bluetooth_var_lib_t;
files_type(bluetooth_var_lib_t)

# PID file and runtime sockets of the daemon.
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)

########################################
#
# Bluetooth services local policy
#

# net_admin/net_raw back the raw-socket and interface handling granted by the
# corenet raw rules below; ipc_lock pairs with the shm rule.
# NOTE(review): sys_tty_config is allowed here and dontaudited on the next
# line. An allowed permission never produces a denial, so one of the two
# rules is dead -- decide whether the daemon really needs the capability.
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getsched signal_perms };
allow bluetooth_t self:fifo_file rw_file_perms;
allow bluetooth_t self:shm create_shm_perms;
# Generic socket class -- presumably how Bluetooth sockets are classified in
# this policy version; confirm against the kernel class mapping in use.
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
# Outbound TCP connections are granted on top of the stream socket perms.
allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect };
allow bluetooth_t self:udp_socket create_socket_perms;

# Static configuration: files are read-only, but the directory is writable so
# new entries can be created; those land in bluetooth_conf_rw_t through the
# type_transition below, keeping bluetooth_conf_t files themselves unwritable.
allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };

# Full management of the writable configuration content.
allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
allow bluetooth_t bluetooth_conf_rw_t:lnk_file create_lnk_perms;
allow bluetooth_t bluetooth_conf_rw_t:sock_file create_file_perms;
allow bluetooth_t bluetooth_conf_rw_t:fifo_file create_file_perms;
type_transition bluetooth_t bluetooth_conf_t:{ dir file lnk_file sock_file fifo_file } bluetooth_conf_rw_t;

# Helpers run in their own domain. The fd, fifo and sigchld rules cover the
# descriptors passed across the transition and the exit notification back to
# the daemon.
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
allow bluetooth_t bluetooth_helper_t:fd use;
allow bluetooth_helper_t bluetooth_t:fd use;
allow bluetooth_helper_t bluetooth_t:fifo_file rw_file_perms;
allow bluetooth_helper_t bluetooth_t:process sigchld;

# Lock, tmp, var_lib and pid content, each with a file transition so objects
# the daemon creates in the shared directories get the private type.
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
files_lock_filetrans(bluetooth_t,bluetooth_lock_t,file)

allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { file dir })

allow bluetooth_t bluetooth_var_lib_t:file create_file_perms;
allow bluetooth_t bluetooth_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(bluetooth_t,bluetooth_var_lib_t,file)

allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)

# Network scope: TCP and UDP on all interfaces, nodes and ports, raw packets
# on all interfaces and nodes, and binding on any node. This is the widest
# grant in the daemon section; nothing below narrows it to specific ports.
corenet_tcp_sendrecv_all_if(bluetooth_t)
corenet_udp_sendrecv_all_if(bluetooth_t)
corenet_raw_sendrecv_all_if(bluetooth_t)
corenet_tcp_sendrecv_all_nodes(bluetooth_t)
corenet_udp_sendrecv_all_nodes(bluetooth_t)
corenet_raw_sendrecv_all_nodes(bluetooth_t)
corenet_tcp_sendrecv_all_ports(bluetooth_t)
corenet_udp_sendrecv_all_ports(bluetooth_t)
corenet_non_ipsec_sendrecv(bluetooth_t)
corenet_tcp_bind_all_nodes(bluetooth_t)
corenet_udp_bind_all_nodes(bluetooth_t)

dev_read_sysfs(bluetooth_t)
# Read/write access to usbfs and generic USB device nodes (presumably for USB
# Bluetooth adapters); this is not limited to a Bluetooth-specific device type.
dev_rw_usbfs(bluetooth_t)
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)

fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)

term_dontaudit_use_console(bluetooth_t)
#Handle bluetooth serial devices
term_use_unallocated_ttys(bluetooth_t)

# Only bluetooth_helper_exec_t transitions out of this domain (see
# domain_auto_trans above); any other binary or shell the daemon runs keeps
# the full bluetooth_t grant.
corecmd_exec_bin(bluetooth_t)
corecmd_exec_shell(bluetooth_t)

domain_use_interactive_fds(bluetooth_t)
domain_dontaudit_search_all_domains_state(bluetooth_t)

files_read_etc_files(bluetooth_t)
files_read_etc_runtime_files(bluetooth_t)
files_read_usr_files(bluetooth_t)

init_use_fds(bluetooth_t)
init_use_script_ptys(bluetooth_t)

libs_use_ld_so(bluetooth_t)
libs_use_shared_libs(bluetooth_t)

logging_send_syslog_msg(bluetooth_t)

miscfiles_read_localization(bluetooth_t)
miscfiles_read_fonts(bluetooth_t)

sysnet_read_config(bluetooth_t)

# Noise suppression only; none of these grant access.
userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_sysadm_ptys(bluetooth_t)
userdom_dontaudit_search_sysadm_home_dirs(bluetooth_t)

# NOTE(review): term_use_unallocated_ttys is already allowed unconditionally
# above, so the first dontaudit here can never fire.
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(bluetooth_t)
term_dontaudit_use_generic_ptys(bluetooth_t)
files_dontaudit_read_root_files(bluetooth_t)
')

# System bus client: connect and send on the D-Bus system bus.
optional_policy(`
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
dbus_send_system_bus(bluetooth_t)
')

optional_policy(`
nis_use_ypbind(bluetooth_t)
')

optional_policy(`
seutil_sigchld_newrole(bluetooth_t)
')

optional_policy(`
udev_read_db(bluetooth_t)
')

########################################
#
# Bluetooth helper local policy
#

# sys_nice lets the helper adjust scheduling priority; getsched on self goes
# with it.
allow bluetooth_helper_t self:capability sys_nice;
allow bluetooth_helper_t self:process getsched;
allow bluetooth_helper_t self:fifo_file rw_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
# connectto on its own unix stream sockets, on top of the create/stream perms.
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;

# Read/write on generic sockets owned by the daemon -- presumably those
# inherited across the domain transition (fd use is granted in the daemon
# section). The helper cannot create such sockets itself.
allow bluetooth_helper_t bluetooth_t:socket { read write };

# Private tmp content, including sockets, created directly in tmp directories.
allow bluetooth_helper_t bluetooth_helper_tmp_t:dir manage_dir_perms;
allow bluetooth_helper_t bluetooth_helper_tmp_t:file manage_file_perms;
allow bluetooth_helper_t bluetooth_helper_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })

kernel_read_system_state(bluetooth_helper_t)
kernel_read_kernel_sysctls(bluetooth_helper_t)

dev_read_urand(bluetooth_helper_t)

term_dontaudit_use_all_user_ttys(bluetooth_helper_t)

# As in the daemon section: binaries and shells executed from here stay in
# bluetooth_helper_t, since no further domain transition is declared.
corecmd_exec_bin(bluetooth_helper_t)
corecmd_exec_shell(bluetooth_helper_t)

# Reads the process state of every domain, not only its own. This is wider
# than the daemon, which merely dontaudits the search; worth confirming the
# helper needs it.
domain_read_all_domains_state(bluetooth_helper_t)

files_read_etc_files(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
files_read_usr_files(bluetooth_helper_t)
files_search_tmp(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)

libs_use_ld_so(bluetooth_helper_t)
libs_use_shared_libs(bluetooth_helper_t)

logging_send_syslog_msg(bluetooth_helper_t)

miscfiles_read_localization(bluetooth_helper_t)
miscfiles_read_fonts(bluetooth_helper_t)

sysnet_read_config(bluetooth_helper_t)

# Targeted-policy extras. These are the broadest grants in the module:
# generic tmp sockets, tmpfs files, connections to unconfined domains and
# read access to the home content of every user.
ifdef(`targeted_policy',`
files_rw_generic_tmp_sockets(bluetooth_helper_t)

fs_rw_tmpfs_files(bluetooth_helper_t)

term_dontaudit_use_generic_ptys(bluetooth_helper_t)

unconfined_stream_connect(bluetooth_helper_t)

# Read access to all user home content -- confirm the helper needs more than
# its own tmp type and the bluetooth configuration types.
userdom_read_all_users_home_content_files(bluetooth_helper_t)

# NOTE(review): xserver_stream_connect_xdm is also granted unconditionally at
# the end of this file, so this targeted-only copy is redundant.
optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
')

# D-Bus: bluetooth_dbus_chat is this module's own interface (presumably in
# bluetooth.if, not shown here) and lets the helper exchange bus messages
# with the daemon; the remaining lines make the helper a system bus client.
optional_policy(`
bluetooth_dbus_chat(bluetooth_helper_t)
dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
dbus_connect_system_bus(bluetooth_helper_t)
dbus_send_system_bus(bluetooth_helper_t)
')

optional_policy(`
nscd_socket_use(bluetooth_helper_t)
')

optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
')