9fa4defbd4
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Squash with 84812bc8dd814709734c2b6d1ef2ff2b84adc35d Syntax error.
247 lines
5.6 KiB
Plaintext
247 lines
5.6 KiB
Plaintext
## <summary>Bluetooth tools and system services.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for bluetooth
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`bluetooth_role',`
|
|
gen_require(`
|
|
type bluetooth_helper_t, bluetooth_helper_exec_t;
|
|
type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
|
|
')
|
|
|
|
role $1 types bluetooth_helper_t;
|
|
|
|
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
|
|
|
|
# allow ps to show cdrecord and allow the user to kill it
|
|
ps_process_pattern($2, bluetooth_helper_t)
|
|
allow $2 bluetooth_helper_t:process { ptrace signal_perms };
|
|
|
|
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
|
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
|
manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
|
|
|
manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
|
|
manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
|
|
')
|
|
|
|
#####################################
|
|
## <summary>
|
|
## Connect to bluetooth over a unix domain
|
|
## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_stream_connect',`
|
|
gen_require(`
|
|
type bluetooth_t, bluetooth_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
allow $1 bluetooth_t:socket rw_socket_perms;
|
|
stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute bluetooth in the bluetooth domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_domtrans',`
|
|
gen_require(`
|
|
type bluetooth_t, bluetooth_exec_t;
|
|
')
|
|
|
|
domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read bluetooth daemon configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_read_config',`
|
|
gen_require(`
|
|
type bluetooth_conf_t;
|
|
')
|
|
|
|
allow $1 bluetooth_conf_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## bluetooth over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_dbus_chat',`
|
|
gen_require(`
|
|
type bluetooth_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 bluetooth_t:dbus send_msg;
|
|
allow bluetooth_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## dontaudit Send and receive messages from
|
|
## bluetooth over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_dontaudit_dbus_chat',`
|
|
gen_require(`
|
|
type bluetooth_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
dontaudit $1 bluetooth_t:dbus send_msg;
|
|
dontaudit bluetooth_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_domtrans_helper',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute bluetooth_helper in the bluetooth_helper domain, and
|
|
## allow the specified role the bluetooth_helper domain. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="terminal">
|
|
## <summary>
|
|
## The type of the terminal allow the bluetooth_helper domain to use.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`bluetooth_run_helper',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read bluetooth helper state files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_dontaudit_read_helper_state',`
|
|
gen_require(`
|
|
type bluetooth_helper_t;
|
|
')
|
|
|
|
dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
|
|
dontaudit $1 bluetooth_helper_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an bluetooth environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed to manage the bluetooth domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`bluetooth_admin',`
|
|
gen_require(`
|
|
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
|
|
type bluetooth_var_lib_t, bluetooth_var_run_t, bluetooth_initrc_exec_t;
|
|
type bluetooth_conf_t, bluetooth_conf_rw_t;
|
|
')
|
|
|
|
allow $1 bluetooth_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, bluetooth_t)
|
|
|
|
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 bluetooth_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
files_list_tmp($1)
|
|
admin_pattern($1, bluetooth_tmp_t)
|
|
|
|
files_list_var($1)
|
|
admin_pattern($1, bluetooth_lock_t)
|
|
|
|
files_list_etc($1)
|
|
admin_pattern($1, bluetooth_conf_t)
|
|
admin_pattern($1, bluetooth_conf_rw_t)
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, bluetooth_var_lib_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, bluetooth_var_run_t)
|
|
')
|