Add blueman policy
authorDan Walsh <dwalsh@redhat.com>
Thu, 10 Nov 2011 23:29:47 +0000 (18:29 -0500)
committerDan Walsh <dwalsh@redhat.com>
Thu, 10 Nov 2011 23:29:47 +0000 (18:29 -0500)
policy/modules/roles/staff.te
policy/modules/roles/unconfineduser.te
policy/modules/roles/unprivuser.te
policy/modules/services/blueman.fc [new file with mode: 0644]
policy/modules/services/blueman.if [new file with mode: 0644]
policy/modules/services/blueman.te [new file with mode: 0644]
policy/modules/services/bluetooth.if

index e47e0f02af529b9424f72d1719a7dbf4d3f6d5bf..cfea862ae3af9353ac0f14a3416d5013790a4083 100644 (file)
@@ -233,6 +233,10 @@ ifndef(`distro_redhat',`
                auth_role(staff_r, staff_t)
        ')
 
+       optional_policy(`
+               blueman_dbus_chat(staff_t)
+       ')
+
        optional_policy(`
                bluetooth_role(staff_r, staff_t)
        ')
index f0e8a6c3353c5ce4e472dc9986b4b064500de90a..4ce26858d8042e452497d80d81bce053946c14b8 100644 (file)
@@ -145,6 +145,10 @@ optional_policy(`
                avahi_dbus_chat(unconfined_usertype)
        ')
 
+       optional_policy(`
+               blueman_dbus_chat(unconfined_usertype)
+       ')
+
        optional_policy(`
                certmonger_dbus_chat(unconfined_usertype)
        ')
index cd87e469839ea638e12e6256f9644c19e2eaafbd..9db5ebda190eca7110848cc3d25d1629e4fc0b84 100644 (file)
@@ -115,6 +115,10 @@ ifndef(`distro_redhat',`
                auth_role(user_r, user_t)
        ')
 
+       optional_policy(`
+               blueman_dbus_chat(staff_t)
+       ')
+
        optional_policy(`
                bluetooth_role(user_r, user_t)
        ')
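Review bot: The call added in this unprivuser.te hunk passes `staff_t`, while every neighbouring line works on `user_r`/`user_t`, so it looks like a copy-paste from the staff.te hunk. As written, user_t does not get the D-Bus access to blueman_t that the commit appears to intend. The module also references a type owned by another role module, and whether that builds depends on declarations outside the hunk. The line should read `blueman_dbus_chat(user_t)`. The enclosing ifndef block starts and ends outside the hunk.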
diff --git a/policy/modules/services/blueman.fc b/policy/modules/services/blueman.fc
new file mode 100644 (file)
index 0000000..69f2b36
--- /dev/null
@@ -0,0 +1,2 @@
+
+/usr/libexec/blueman-mechanism         --      gen_context(system_u:object_r:blueman_exec_t,s0)
diff --git a/policy/modules/services/blueman.if b/policy/modules/services/blueman.if
new file mode 100644 (file)
index 0000000..d694c0a
--- /dev/null
@@ -0,0 +1,41 @@
+## <summary>policy for blueman</summary>
+
+########################################
+## <summary>
+##     Transition to blueman.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`blueman_domtrans',`
+       gen_require(`
+               type blueman_t, blueman_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, blueman_exec_t, blueman_t)
+')
+
+########################################
+## <summary>
+##     Send and receive messages from
+##     blueman over dbus.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`blueman_dbus_chat',`
+       gen_require(`
+               type blueman_t;
+               class dbus send_msg;
+       ')
+
+       allow $1 blueman_t:dbus send_msg;
+       allow blueman_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
new file mode 100644 (file)
index 0000000..1b48c00
--- /dev/null
@@ -0,0 +1,39 @@
+policy_module(blueman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type blueman_t;
+type blueman_exec_t;
+dbus_system_domain(blueman_t, blueman_exec_t)
+
+permissive blueman_t;
+
+########################################
+#
+# blueman local policy
+#
+allow blueman_t self:fifo_file rw_fifo_file_perms;
+
+kernel_read_system_state(blueman_t)
+
+corecmd_exec_bin(blueman_t)
+
+dev_rw_wireless(blueman_t)
+
+domain_use_interactive_fds(blueman_t)
+
+files_read_etc_files(blueman_t)
+files_read_usr_files(blueman_t)
+
+auth_read_passwd(blueman_t)
+
+logging_send_syslog_msg(blueman_t)
+
+miscfiles_read_localization(blueman_t)
+
+optional_policy(`
+       avahi_domtrans(blueman_t)
+')
\ No newline at end of file
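Review bot: `permissive blueman_t;` leaves the new domain unenforced, so denials for blueman-mechanism are only logged, not blocked, and nothing in the file says this is temporary. Add a comment above it such as `# Permissive while the policy is tested; remove once AVC denials for blueman_t are reviewed` so the line is not forgotten. Until it is removed, the allow rules below it do not confine the service. `corecmd_exec_bin(blueman_t)` and `avahi_domtrans(blueman_t)` are the broadest grants and are worth re-checking against the audit log before switching to enforcing. The file also ends without a trailing newline.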
index 351354ea85a1556ff0387da5b678203da7e14627..a726c099efb6cb5f26ffa9d66fa2543801d98b78 100644 (file)
@@ -40,6 +40,8 @@ interface(`bluetooth_role',`
 
        manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
        manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
+
+       bluetooth_stream_connect($2)
 ')
 
 #####################################
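Review bot: `bluetooth_stream_connect($2)` is added to bluetooth_role without a comment, and it applies to every domain that calls the interface (staff_t and user_t in the context lines of this commit), not only to blueman users. A one-line comment such as `# user domains talk to the bluetooth daemon over its stream socket` would record the reason, if that is the reason. If only blueman-related callers need it, a separate call at those call sites would keep the grant narrower. The interface body begins outside the hunk.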