Chris PeBenito 31b7c0
#DESC Bluetooth 
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Authors:  Dan Walsh
Chris PeBenito 31b7c0
# RH-Packages: Bluetooth
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#################################
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Rules for the bluetooth_t domain.
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
daemon_domain(bluetooth)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
Chris PeBenito 31b7c0
file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
tmp_domain(bluetooth)
Chris PeBenito 31b7c0
var_lib_domain(bluetooth)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Use capabilities.
Chris PeBenito 31b7c0
allow bluetooth_t self:file read;
Chris PeBenito 31b7c0
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
Chris PeBenito 31b7c0
allow bluetooth_t self:process getsched;
Chris PeBenito 31b7c0
allow bluetooth_t proc_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow bluetooth_t self:shm create_shm_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
lock_domain(bluetooth)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Use the network.
Chris PeBenito 31b7c0
can_network(bluetooth_t)
Chris PeBenito 31b7c0
can_ypbind(bluetooth_t)
Chris PeBenito 31b7c0
ifdef(`dbusd.te', `
Chris PeBenito 31b7c0
dbusd_client(system, bluetooth)
Chris PeBenito 31b7c0
allow bluetooth_t system_dbusd_t:dbus send_msg;
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
allow bluetooth_t self:socket create_stream_socket_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 31b7c0
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
dontaudit bluetooth_t sysadm_devpts_t:chr_file { read write };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# bluetooth_conf_t is the type of the /etc/bluetooth dir.
Chris PeBenito 31b7c0
type bluetooth_conf_t, file_type, sysadmfile;
Chris PeBenito 31b7c0
type bluetooth_conf_rw_t, file_type, sysadmfile;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Read /etc/bluetooth
Chris PeBenito 31b7c0
allow bluetooth_t bluetooth_conf_t:dir search;
Chris PeBenito 31b7c0
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
Chris PeBenito 31b7c0
#/usr/sbin/hid2hci causes the following
Chris PeBenito 31b7c0
allow initrc_t usbfs_t:file { getattr read };
Chris PeBenito 31b7c0
allow bluetooth_t usbfs_t:dir r_dir_perms;
Chris PeBenito 31b7c0
allow bluetooth_t usbfs_t:file rw_file_perms; 
Chris PeBenito 31b7c0
allow bluetooth_t bin_t:dir search;
Chris PeBenito 31b7c0
can_exec(bluetooth_t, { bin_t shell_exec_t })
Chris PeBenito 31b7c0
allow bluetooth_t bin_t:lnk_file read;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#Handle bluetooth serial devices
Chris PeBenito 31b7c0
allow bluetooth_t tty_device_t:chr_file rw_file_perms;
Chris PeBenito 31b7c0
allow bluetooth_t self:fifo_file rw_file_perms;
Chris PeBenito 31b7c0
allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
Chris PeBenito 31b7c0
r_dir_file(bluetooth_t, fonts_t)
Chris PeBenito 31b7c0
allow bluetooth_t urandom_device_t:chr_file r_file_perms;
Chris PeBenito 31b7c0
allow bluetooth_t usr_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
application_domain(bluetooth_helper, `, nscd_client_domain')
Chris PeBenito 31b7c0
domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
Chris PeBenito 31b7c0
role system_r types bluetooth_helper_t;
Chris PeBenito 31b7c0
read_locale(bluetooth_helper_t) 
Chris PeBenito 31b7c0
typeattribute bluetooth_helper_t unrestricted;
Chris PeBenito 31b7c0
r_dir_file(bluetooth_helper_t, domain)
Chris PeBenito 31b7c0
allow bluetooth_helper_t bin_t:dir { getattr search };
Chris PeBenito 31b7c0
can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
Chris PeBenito 31b7c0
allow bluetooth_helper_t bin_t:lnk_file read;
Chris PeBenito 31b7c0
allow bluetooth_helper_t self:capability sys_nice;
Chris PeBenito 31b7c0
allow bluetooth_helper_t self:fifo_file rw_file_perms;
Chris PeBenito 31b7c0
allow bluetooth_helper_t self:process { fork getsched sigchld };
Chris PeBenito 31b7c0
allow bluetooth_helper_t self:shm create_shm_perms;
Chris PeBenito 31b7c0
allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 31b7c0
allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
Chris PeBenito 31b7c0
r_dir_file(bluetooth_helper_t, fonts_t)
Chris PeBenito 31b7c0
r_dir_file(bluetooth_helper_t, proc_t)
Chris PeBenito 31b7c0
read_sysctl(bluetooth_helper_t)
Chris PeBenito 31b7c0
allow bluetooth_helper_t tmp_t:dir search;
Chris PeBenito 31b7c0
allow bluetooth_helper_t usr_t:file { getattr read };
Chris PeBenito 31b7c0
allow bluetooth_helper_t home_dir_type:dir search;
Chris PeBenito 31b7c0
ifdef(`xserver.te', `
Chris PeBenito 31b7c0
allow bluetooth_helper_t xserver_log_t:dir search;
Chris PeBenito 31b7c0
allow bluetooth_helper_t xserver_log_t:file { getattr read };
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
ifdef(`targeted_policy', `
Chris PeBenito 31b7c0
allow bluetooth_helper_t tmp_t:sock_file { read write };
Chris PeBenito 31b7c0
allow bluetooth_helper_t tmpfs_t:file { read write };
Chris PeBenito 31b7c0
allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
Chris PeBenito 31b7c0
allow bluetooth_t unconfined_t:dbus send_msg;
Chris PeBenito 31b7c0
allow unconfined_t bluetooth_t:dbus send_msg;
Chris PeBenito 31b7c0
', `
Chris PeBenito 31b7c0
ifdef(`xdm.te', `
Chris PeBenito 31b7c0
allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
allow bluetooth_t unpriv_userdomain:dbus send_msg;
Chris PeBenito 31b7c0
allow unpriv_userdomain bluetooth_t:dbus send_msg;
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
allow bluetooth_helper_t bluetooth_t:socket { read write };
Chris PeBenito 31b7c0
allow bluetooth_helper_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 31b7c0
allow bluetooth_helper_t self:unix_stream_socket connectto;
Chris PeBenito 31b7c0
tmp_domain(bluetooth_helper)
Chris PeBenito 31b7c0
allow bluetooth_helper_t urandom_device_t:chr_file r_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
dontaudit bluetooth_helper_t default_t:dir { read search };
Chris PeBenito 31b7c0
dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
Chris PeBenito 31b7c0
dontaudit bluetooth_helper_t home_dir_type:dir r_dir_perms;
Chris PeBenito 31b7c0
ifdef(`xserver.te', `
Chris PeBenito 31b7c0
allow bluetooth_helper_t xserver_log_t:dir search;
Chris PeBenito 31b7c0
allow bluetooth_helper_t xserver_log_t:file { getattr read };
Chris PeBenito 31b7c0
')