From: Lukas Vrabec <lvrabec@redhat.com>
To: Chris PeBenito, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] Introduce allow_bluetooth boolean
Date: Sat, 4 May 2019 12:26:42 +0200
Message-ID: <5a75d7e6-c56b-e4f5-653c-b846388cfbb4@redhat.com>
In-Reply-To: <4438fae1-fa76-27ea-a7dc-509112540e8c@ieee.org>
References: <20190430175329.25335-1-lvrabec@redhat.com> <4438fae1-fa76-27ea-a7dc-509112540e8c@ieee.org>
Organization: Red Hat, Inc.
X-Mailing-List: selinux-refpolicy@vger.kernel.org
On 5/1/19 1:37 AM, Chris PeBenito wrote:
> On 4/30/19 1:53 PM, Lukas Vrabec wrote:
>> Because of new bluetooth_socket which is part of extended_socket_class
>> policy capability, it's possible to control which SELinux domains can
>> use bluetooth wireless technology. Default value of the boolean is
>> turned off.
>>
>> Signed-off-by: Lukas Vrabec
>> ---
>>   policy/global_tunables               | 7 +++++++
>>   policy/modules/admin/netutils.te     | 4 ++++
>>   policy/modules/services/arpwatch.te  | 4 ++++
>>   policy/modules/services/bluetooth.if | 4 ++++
>>   policy/modules/services/bluetooth.te | 4 ++++
>>   policy/modules/services/ntop.te      | 4 ++++
>>   policy/modules/system/userdomain.if  | 8 ++++++++
>>   7 files changed, 35 insertions(+)
>>
>> diff --git a/policy/global_tunables b/policy/global_tunables
>> index affc020f..69b356e2 100644
>> --- a/policy/global_tunables
>> +++ b/policy/global_tunables
>> @@ -4,6 +4,13 @@
>>   # file should be used.
>>   #
>>   +##
>> +##
>> +## Allow all system processes and Linux users to use bluetooth
>> wireless technology.
>> +##
>> +##
>> +gen_tunable(allow_bluetooth,false)
>> +
>>   ##
>>   ##
>>   ## Allow unconfined executables to make their heap memory
>> executable.  Doing this is a really bad idea. Probably indicates a
>> badly coded executable, but could indicate an attack. This executable
>> should be reported in bugzilla
>> diff --git a/policy/modules/admin/netutils.te
>> b/policy/modules/admin/netutils.te
>> index 46560a09..8821b108 100644
>> --- a/policy/modules/admin/netutils.te
>> +++ b/policy/modules/admin/netutils.te
>> @@ -99,6 +99,10 @@ optional_policy(`
>>       xen_append_log(netutils_t)
>>   ')
>>   +tunable_policy(`allow_bluetooth',`
>> +        allow netutils_t self:bluetooth_socket
>> create_stream_socket_perms;
>> +')
>> +
>>   ########################################
>>   #
>>   # Ping local policy
>> diff --git a/policy/modules/services/arpwatch.te
>> b/policy/modules/services/arpwatch.te
>> index 87aed96f..6f05441a 100644
>> --- a/policy/modules/services/arpwatch.te
>> +++ b/policy/modules/services/arpwatch.te
>> @@ -77,6 +77,10 @@ miscfiles_read_localization(arpwatch_t)
>>   userdom_dontaudit_search_user_home_dirs(arpwatch_t)
>>   userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
>>   +tunable_policy(`allow_bluetooth',`
>> +    allow arpwatch_t self:bluetooth_socket create_socket_perms;
>> +')
>> +
>>   optional_policy(`
>>       mta_send_mail(arpwatch_t)
>>   ')
>> diff --git a/policy/modules/services/bluetooth.if
>> b/policy/modules/services/bluetooth.if
>> index dc61988c..9097803f 100644
>> --- a/policy/modules/services/bluetooth.if
>> +++ b/policy/modules/services/bluetooth.if
>> @@ -68,6 +68,10 @@ interface(`bluetooth_stream_connect',`
>>       files_search_pids($1)
>>       allow $1 bluetooth_t:socket rw_socket_perms;
>>       stream_connect_pattern($1, bluetooth_var_run_t,
>> bluetooth_var_run_t, bluetooth_t)
>> +
>> +    tunable_policy(`deny_bluetooth',`',`
> 
> Missed a deny_bluetooth.
> 
> I'm also a little uneasy with adding this access here, as this would
> seem to be a side effect to a simple stream socket connection.  Perhaps
> there should be a new interface like bluetooth_client().  It might also
> make sense in bluetooth_role(), as there is a generic socket class rule
> in there too.
> 

Hi Chris,

I'll update deny_bluetooth() to allow_bluetooth().

So, you're suggesting creating a new interface bluetooth_client(), putting
all bluetooth-related stuff there, and using this interface in the
tunable_policy block instead of just allowing use of the bluetooth socket?

bluetooth_role() should be fixed to use only bluetooth_socket, not the
general one. I'll also create a PR for it.

Thanks,
Lukas.

> 
> 
>> +        allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
>> +    ')
>>   ')
>>     ########################################
>> diff --git a/policy/modules/services/bluetooth.te
>> b/policy/modules/services/bluetooth.te
>> index 45e5a361..39af72d5 100644
>> --- a/policy/modules/services/bluetooth.te
>> +++ b/policy/modules/services/bluetooth.te
>> @@ -133,6 +133,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
>>   userdom_dontaudit_use_user_terminals(bluetooth_t)
>>   userdom_dontaudit_search_user_home_dirs(bluetooth_t)
>>   +tunable_policy(`allow_bluetooth',`
>> +    allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
>> +')
>> +
>>   optional_policy(`
>>       dbus_system_bus_client(bluetooth_t)
>>       dbus_connect_system_bus(bluetooth_t)
>> diff --git a/policy/modules/services/ntop.te
>> b/policy/modules/services/ntop.te
>> index 178bbb1d..537d9323 100644
>> --- a/policy/modules/services/ntop.te
>> +++ b/policy/modules/services/ntop.te
>> @@ -96,6 +96,10 @@ miscfiles_read_localization(ntop_t)
>>   userdom_dontaudit_use_unpriv_user_fds(ntop_t)
>>   userdom_dontaudit_search_user_home_dirs(ntop_t)
>>   +tunable_policy(`allow_bluetooth',`
>> +    allow ntop_t self:bluetooth_socket create_socket_perms;
>> +')
>> +
>>   optional_policy(`
>>       apache_read_sys_content(ntop_t)
>>   ')
>> diff --git a/policy/modules/system/userdomain.if
>> b/policy/modules/system/userdomain.if
>> index 5221bd13..5654de6e 100644
>> --- a/policy/modules/system/userdomain.if
>> +++ b/policy/modules/system/userdomain.if
>> @@ -1189,6 +1189,10 @@ template(`userdom_unpriv_user_template', `
>>           corenet_udp_bind_generic_port($1_t)
>>       ')
>>   +    tunable_policy(`allow_bluetooth',`
>> +        allow $1_t self:bluetooth_socket create_socket_perms;
>> +    ')
>> +
>>       optional_policy(`
>>           netutils_run_ping_cond($1_t, $1_r)
>>           netutils_run_traceroute_cond($1_t, $1_r)
>> @@ -1362,6 +1366,10 @@ template(`userdom_admin_user_template',`
>>       userdom_manage_user_home_content_sockets($1_t)
>>       userdom_user_home_dir_filetrans_user_home_content($1_t, { dir
>> file lnk_file fifo_file sock_file })
>>   +    tunable_policy(`allow_bluetooth',`
>> +        allow $1_t self:bluetooth_socket create_stream_socket_perms;
>> +    ')
>> +
>>       optional_policy(`
>>           postgresql_unconfined($1_t)
>>       ')
>>
> 
> 

-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
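Review bot: in the global_tunables hunk, the description says the boolean lets "all system processes and Linux users" use bluetooth, but the rest of the patch only wires `allow_bluetooth` into netutils_t, arpwatch_t, bluetooth_t, ntop_t and the two user templates; a domain that has no tunable_policy block gains nothing when the boolean is on. Word the description as applying to domains that opt in through tunable_policy, or list the covered domains in the commit message, so administrators are not misled about what `setsebool allow_bluetooth on` actually changes.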
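Review bot: in the netutils.te hunk, the added `allow netutils_t self:bluetooth_socket create_stream_socket_perms;` is indented two levels deeper than the equivalent lines in the arpwatch.te, bluetooth.te and ntop.te hunks, which use one level inside tunable_policy; make the indentation consistent with the other files in the patch.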
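Review bot: in the bluetooth.if hunk, beyond the deny_bluetooth/allow_bluetooth name mismatch already raised, the branch layout matters for the fix: `tunable_policy(`deny_bluetooth',`',` leaves the true branch empty and places `allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;` in the else branch, so renaming the boolean alone would grant the access only when allow_bluetooth is off. When the name is changed, move the rule into the first branch and drop the empty-branch form, matching the layout used in the .te hunks.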
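Review bot: in the bluetooth.te hunk, wrapping bluetooth_t's own `self:bluetooth_socket create_stream_socket_perms` in tunable_policy(`allow_bluetooth') means the bluetooth daemon itself cannot create bluetooth sockets in a default install, since the commit message says the boolean defaults to off. The boolean is meant to decide which other domains may use bluetooth; the daemon's own access should be unconditional, so this allow rule belongs outside the tunable_policy block.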
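Review bot: in the userdomain.if hunks, the unprivileged user template gets `create_socket_perms` while the admin template gets `create_stream_socket_perms`, and the same split appears across the .te hunks (create_socket_perms for arpwatch_t and ntop_t, create_stream_socket_perms for netutils_t and bluetooth_t) with no reason given. Either align the permission sets or state in the commit message which domains need the additional connect/listen/accept permissions, since the stream set is the broader grant.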