diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index f6028fd..fb7b782 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -25,7 +25,7 @@ interface(`bluetooth_role',`
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
- # allow ps to show cdrecord and allow the user to kill it
+ # allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
allow $2 bluetooth_helper_t:process signal;
@@ -37,6 +37,27 @@ interface(`bluetooth_role',`
manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
')
+#####################################
+##
+## Connect to bluetooth over a unix domain
+## stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bluetooth_stream_connect',`
+ gen_require(`
+ type bluetooth_t, bluetooth_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 bluetooth_t:socket rw_socket_perms;
+ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
+')
+
########################################
##
## Execute bluetooth in the bluetooth domain.
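Review bot: The rule `allow $1 bluetooth_t:socket rw_socket_perms;` in the new `bluetooth_stream_connect` interface grants more than the header documents. The summary describes connecting over a unix domain stream socket, which the `stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)` line already covers. The extra rule also lets every caller read and write sockets of the generic `socket` class labeled bluetooth_t. If callers really need that access (for example, descriptors handed over by the daemon), I would move the rule into its own interface so stream-only callers do not inherit it. Otherwise, extend the summary to say so, e.g. `## Connect to bluetooth over a unix domain stream socket and read/write its generic sockets.`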
@@ -155,7 +176,7 @@ interface(`bluetooth_dontaudit_read_helper_state',`
########################################
##
-## All of the rules required to administrate
+## All of the rules required to administrate
## an bluetooth environment
##
##
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 4113606..a04aa7d 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth, 3.2.0)
+policy_module(bluetooth, 3.2.1)
########################################
#
@@ -54,9 +54,9 @@ files_pid_file(bluetooth_var_run_t)
# Bluetooth services local policy
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
-allow bluetooth_t self:process { getsched signal_perms };
+allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
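Review bot: The new `setpcap` capability and the `getcap setcap` process permissions are added without a comment saying why the daemon needs them. Together they let bluetooth_t change its own capability sets, presumably so that it can drop privileges after startup, while `dac_override`, `net_admin` and `net_raw` remain allowed. If that is the reason, a line such as `# bluetoothd drops capabilities after startup` above the rule would record it. The same gap applies to `kernel_request_load_module(bluetooth_t)` and `dev_rw_wireless(bluetooth_t)` in the later bluetooth.te hunks. Each widens what a daemon with network sockets can reach, so a short why-comment or a pointer to the denial that motivated it would help later least-privilege audits.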
@@ -64,6 +64,7 @@ allow bluetooth_t self:unix_dgram_socket create_socket_perms;
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
allow bluetooth_t self:udp_socket create_socket_perms;
+allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
@@ -94,6 +95,7 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
kernel_read_network_state(bluetooth_t)
+kernel_request_load_module(bluetooth_t)
corenet_all_recvfrom_unlabeled(bluetooth_t)
corenet_all_recvfrom_netlabel(bluetooth_t)
@@ -111,6 +113,7 @@ dev_rw_usbfs(bluetooth_t)
dev_rw_generic_usb_dev(bluetooth_t)
dev_read_urand(bluetooth_t)
dev_rw_input_dev(bluetooth_t)
+dev_rw_wireless(bluetooth_t)
fs_getattr_all_fs(bluetooth_t)
fs_search_auto_mountpoints(bluetooth_t)
@@ -154,6 +157,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_chat(bluetooth_t)
+ ')
+
+ optional_policy(`
pulseaudio_dbus_chat(bluetooth_t)
')
')
@@ -215,7 +222,7 @@ locallogin_dontaudit_use_fds(bluetooth_helper_t)
logging_send_syslog_msg(bluetooth_helper_t)
-miscfiles_read_localization(bluetooth_helper_t)
+miscfiles_read_localization(bluetooth_helper_t)
sysnet_read_config(bluetooth_helper_t)