dd0d453cdf
Allow users to prtrace and send any signal to their cron job. Allow users to prtrace and send any signal to their cron job. Allow users to prtrace and send any signal to their cron job. Allow users to ps, ptrace and send any signal to their session bus.
247 lines
5.6 KiB
Plaintext
247 lines
5.6 KiB
Plaintext
## <summary>Bluetooth tools and system services.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Role access for bluetooth
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_role',`
|
|
gen_require(`
|
|
type bluetooth_helper_t, bluetooth_helper_exec_t;
|
|
type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t;
|
|
')
|
|
|
|
role $1 types bluetooth_helper_t;
|
|
|
|
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
|
|
|
|
# allow ps to show cdrecord and allow the user to kill it
|
|
ps_process_pattern($2, bluetooth_helper_t)
|
|
allow $2 bluetooth_helper_t:process { ptrace signal_perms };
|
|
|
|
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
|
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
|
manage_sock_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
|
|
|
manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
|
|
manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
|
|
')
|
|
|
|
#####################################
|
|
## <summary>
|
|
## Connect to bluetooth over a unix domain
|
|
## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_stream_connect',`
|
|
gen_require(`
|
|
type bluetooth_t, bluetooth_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
allow $1 bluetooth_t:socket rw_socket_perms;
|
|
stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute bluetooth in the bluetooth domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_domtrans',`
|
|
gen_require(`
|
|
type bluetooth_t, bluetooth_exec_t;
|
|
')
|
|
|
|
domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read bluetooth daemon configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_read_config',`
|
|
gen_require(`
|
|
type bluetooth_conf_t;
|
|
')
|
|
|
|
allow $1 bluetooth_conf_t:file { getattr read ioctl };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
## bluetooth over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_dbus_chat',`
|
|
gen_require(`
|
|
type bluetooth_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
allow $1 bluetooth_t:dbus send_msg;
|
|
allow bluetooth_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## dontaudit Send and receive messages from
|
|
## bluetooth over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_dontaudit_dbus_chat',`
|
|
gen_require(`
|
|
type bluetooth_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
dontaudit $1 bluetooth_t:dbus send_msg;
|
|
dontaudit bluetooth_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_domtrans_helper',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute bluetooth_helper in the bluetooth_helper domain, and
|
|
## allow the specified role the bluetooth_helper domain. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="terminal">
|
|
## <summary>
|
|
## The type of the terminal allow the bluetooth_helper domain to use.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`bluetooth_run_helper',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read bluetooth helper state files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`bluetooth_dontaudit_read_helper_state',`
|
|
gen_require(`
|
|
type bluetooth_helper_t;
|
|
')
|
|
|
|
dontaudit $1 bluetooth_helper_t:dir search;
|
|
dontaudit $1 bluetooth_helper_t:file { read getattr };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an bluetooth environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed to manage the bluetooth domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`bluetooth_admin',`
|
|
gen_require(`
|
|
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
|
|
type bluetooth_var_lib_t, bluetooth_var_run_t;
|
|
type bluetooth_conf_t, bluetooth_conf_rw_t;
|
|
type bluetooth_initrc_exec_t;
|
|
')
|
|
|
|
allow $1 bluetooth_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, bluetooth_t)
|
|
|
|
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 bluetooth_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
files_list_tmp($1)
|
|
admin_pattern($1, bluetooth_tmp_t)
|
|
|
|
files_list_var($1)
|
|
admin_pattern($1, bluetooth_lock_t)
|
|
|
|
files_list_etc($1)
|
|
admin_pattern($1, bluetooth_conf_t)
|
|
admin_pattern($1, bluetooth_conf_rw_t)
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, bluetooth_var_lib_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, bluetooth_var_run_t)
|
|
')
|