selinux-policy/policy/modules/services/bluetooth.if

229 lines
5.2 KiB
Plaintext

## <summary>Bluetooth tools and system services.</summary>
########################################
## <summary>
## Role access for bluetooth
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`bluetooth_role',`
gen_require(`
type bluetooth_helper_t, bluetooth_helper_exec_t;
type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
')
role $1 types bluetooth_helper_t;
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
# allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
allow $2 bluetooth_helper_t:process signal;
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
')
#####################################
## <summary>
## Connect to bluetooth over a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bluetooth_stream_connect',`
gen_require(`
type bluetooth_t, bluetooth_var_run_t;
')
files_search_pids($1)
allow $1 bluetooth_t:socket rw_socket_perms;
stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
')
########################################
## <summary>
## Execute bluetooth in the bluetooth domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bluetooth_domtrans',`
gen_require(`
type bluetooth_t, bluetooth_exec_t;
')
domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
')
########################################
## <summary>
## Read bluetooth daemon configuration.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bluetooth_read_config',`
gen_require(`
type bluetooth_conf_t;
')
allow $1 bluetooth_conf_t:file { getattr read ioctl };
')
########################################
## <summary>
## Send and receive messages from
## bluetooth over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bluetooth_dbus_chat',`
gen_require(`
type bluetooth_t;
class dbus send_msg;
')
allow $1 bluetooth_t:dbus send_msg;
allow bluetooth_t $1:dbus send_msg;
')
########################################
## <summary>
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bluetooth_domtrans_helper',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Execute bluetooth_helper in the bluetooth_helper domain, and
## allow the specified role the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the bluetooth_helper domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_run_helper',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Read bluetooth helper state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`bluetooth_dontaudit_read_helper_state',`
gen_require(`
type bluetooth_helper_t;
')
dontaudit $1 bluetooth_helper_t:dir search;
dontaudit $1 bluetooth_helper_t:file { read getattr };
')
########################################
## <summary>
## All of the rules required to administrate
## an bluetooth environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the bluetooth domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`bluetooth_admin',`
gen_require(`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t;
type bluetooth_initrc_exec_t;
')
allow $1 bluetooth_t:process { ptrace signal_perms };
ps_process_pattern($1, bluetooth_t)
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, bluetooth_tmp_t)
files_list_var($1)
admin_pattern($1, bluetooth_lock_t)
files_list_etc($1)
admin_pattern($1, bluetooth_conf_t)
admin_pattern($1, bluetooth_conf_rw_t)
files_list_spool($1)
admin_pattern($1, bluetooth_spool_t)
files_list_var_lib($1)
admin_pattern($1, bluetooth_var_lib_t)
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
')