Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp336566yba;
        Sat, 4 May 2019 03:30:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyO9gQVOKEU6WcWmlxBVBLviUpsefoyFA+AwifG8rqMJHD4ZkfwD2JOZnI+Wv/Ov9ZII8GY
X-Received: by 2002:a63:4a5a:: with SMTP id j26mr16945039pgl.361.1556965814537;
        Sat, 04 May 2019 03:30:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1556965814; cv=none;
        d=google.com; s=arc-20160816;
        b=ik17H+T93zYczSqbMdrgQeTiwpNRy/6cRz9SbqASR9bgk7Uo5IWyNapfmVYhd9FzbN
         AXc9iTTGBePP9PlgrHn+eGq9+T3NzPud8TL7mWKoBe4pUi9TLHT/PPPbC0L3z2OKkkqk
         xw/EiTSF+u6baeUKNv3bFrwxLGRPjk4VV//vfVkUkB00S2c8EJTEu425thbdBV/h8odA
         XXREghw/LtsvCzVDn9sp6P4YJL7T7fFsmAS6BKB08dnY5xpWPWIP/Uu5JI4RVdXg5+7v
         xnb2g/0TCO2wFG5MuJEhbu/w3LnYBCHfOcFqt4peyRr8ClbmUdUx0HMLzW1DqqXCzfji
         A7hA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:mime-version:user-agent:date
         :message-id:organization:autocrypt:openpgp:from:references:to
         :subject;
        bh=0NdFG+q+tVL9N9ktLWwpTh1aMm27jEyJw8yz4R/eIxE=;
        b=eHhcVF544J4qRKPDpMVn3ps68ehX14YJjtdx49FU1Fwh0WNKRpOWLNOWd2QGqJgAXW
         Mv/NLJ+2nYhnjX9nMhM/d0a/PsUxK2eclPaoXrxzT+55L3djYr9uKzWPbricUe1AC/yj
         P5Am8KHbeiMKcwQ+EsrfCU2aYcytg1BKimHGdwXjY2rbL+Hmvv2ZE8gagiyNuYik/HCK
         5qCFNsHkWwKtLHrCTXlahpHODmaWD6rOkOG5WpdP1wabMrF2lt0BZVjhTR0DaKuh69dn
         TKjAR7XMKOXa4Tm8IxwJoFJLV5ROgUnHJIejPihYxBqVNBfeiNsdPcz4+Vp8Bs1Jlvh9
         fTMw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d12si6918942pla.405.2019.05.04.03.30.09;
        Sat, 04 May 2019 03:30:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727173AbfEDK32 (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Sat, 4 May 2019 06:29:28 -0400
Received: from mx1.redhat.com ([209.132.183.28]:59192 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727861AbfEDK0r (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 4 May 2019 06:26:47 -0400
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 26689309174E;
        Sat,  4 May 2019 10:26:47 +0000 (UTC)
Received: from [10.40.204.54] (ovpn-204-54.brq.redhat.com [10.40.204.54])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 137925D71A;
        Sat,  4 May 2019 10:26:44 +0000 (UTC)
Subject: Re: [PATCH] Introduce allow_bluetooth boolean
To:     Chris PeBenito <pebenito@ieee.org>,
        selinux-refpolicy@vger.kernel.org
References: <20190430175329.25335-1-lvrabec@redhat.com>
 <4438fae1-fa76-27ea-a7dc-509112540e8c@ieee.org>
From:   Lukas Vrabec <lvrabec@redhat.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lvrabec@redhat.com; keydata=
 mQINBFqX9fsBEACvMZuLfMn8Fj1XFIir6sXAec5zg1ND0GqmcQM6CnvIPPtD9CDS8W4ppywB
 w/QoFHLH9XrrqNONXu/MfxerGvRu1SRtxDkQGphtR1saTZ+0WFn6b8JwrQRzn1zL3bEB55AB
 5APHcxJ+0MLJSCczbWnZ4DymuPBiEigI5yogYx7XTnbCqgsiECEWId4epatX8fyIEfensCjq
 Gc613QCppKkCABzjvR0ivu5csHvN3ZZB56h4EXiZupqzJXric4NnyqO2kDnErKzzzpB1ILiR
 UWbOogO0prR9jgeITWA3baACcjg/+byTCClp19PE5eu6e9LSlJAC0qsTFJC+XbMhDLuieCmB
 kso3uLV8Icka3IOspTp/jXwJY+jZ4vLvVWbBmNM6vBZ8sZIOXBT9L4SieYyvPb/fy5SukV/0
 LzXIKoCNC757AG51TiBLFML87qbys7+5ug5J6lAvYVbmCxSmTPTcB20MJWwUsRlXMG9l55mW
 kDs5VlPm7brq28FCebh+l5K+IKt+D3PkQlrQKa3YYgL/2QPnd65nUHBL4UfX+1vO3yBqUE7O
 hz5RZ7e5MlxirTPea9GMTfv6/QWyLF+szlFgbdqF5yICa0sn0kjHFjD5NQlmIEdmXD44RACP
 VMTnQhJ4trZ7cCiFnDtliAa9Glqedn8nmWQzS+AiMYLnrJ91fQARAQABtCFMdWthcyBWcmFi
 ZWMgPGx2cmFiZWNAcmVkaGF0LmNvbT6JAk4EEwEIADgWIQTHh3QCUBS0Ag7mUIaM2mOtYz9p
 VQUCWpf1+wIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCM2mOtYz9pVclWD/9ijfua
 XSv8CndLbMJWzmOvfjkQPBM9txIK81KgP7pj3bCQg+toQndmsNRp6KSr4hSBz33qqMZ2i7IV
 20FWxxSgvNatjs+YGSRBEmrsTmWc2fJkU8tYSL6ksEaFt0Te7N2QhpflSp72oVXM4v05vuGQ
 P2rMFibDXaP7bUk61+vUkD1N3Rwc/Kmhubk3smYXuA0PEJqs9XFEn4nF4ps4FKmsdGcSrbjJ
 RO/QMjYGQcWjynnBlneOugTY7dPkxti8yVKVE5O7zd69E6yQoqc1ydEuX78HqtbhiJGZRV1Z
 sEVBhJQX6mAVPMNyEAW56Tc3TH4w9WPcOyWUpYDfGyzcCcxeh/kcL5qDlf9nIjzeuzM9x75m
 mZ8Cp2LmN6IFEgeetnoHWmozg6+juZIIxs18fkLqWcnSUO/Eh9Yfk9U5wfQuUy4nb7aLu5f0
 vfllo7ViPXxXu6mMHhda4xKAlVbQtZU1tP/mS4H/pNXSzW5stpQzb2Ohw5G+0rslH6hSbm85
 WKWYLahSq1kETfAgsv/z+QqrDNEHXa0OSKtS4JGS1A/D4+nAComd2SwlfR34TqcyAPaB/21c
 zpeE/JoN5jGdA6UHHHXGPk495ke25rjokAK8LvEz00fpNpuaQf8W7YAjc1AJUiZ6EJBOqgpq
 F/K8WQ+G2So7c6E9J4xO8ZpfDMh+RLkBDQRal/bsAQgAzOxD4ZICqWi+OTf2luLCHk76yShx
 NRj6+DOJJUo31xoFRhgThqAKrSrVdTZT9ZOPyRWcN0hvzrbywOcSXBQE8B76vJipXtG2sGsl
 EfwWUmAObYPxLDtbI5FTZ8tdduDfuk8QMbCJptWHTS01tJKnClSdfApL27qSxOLmsRNxhP4h
 t0Q19bBGHdYaKiZenUc+MmPR/zSLgz4IxzMVBS9VNF069NVDKEOsrDeRNnYAbEf52X/sgDl1
 CFmG1GSEVamteKni3i2o4TT6uLVzSpOq45MjIx1ALCxqKZjrpt+Rv7FnBFi3HLHz978DF9vQ
 iJ0n1jero77zt+3vLVtZ/f97kQARAQABiQNsBBgBCAAgFiEEx4d0AlAUtAIO5lCGjNpjrWM/
 aVUFAlqX9uwCGwIBQAkQjNpjrWM/aVXAdCAEGQEIAB0WIQTfCs/cCtejJiABLstHIBrELynO
 BgUCWpf27AAKCRBHIBrELynOBsUoB/9lookAkdhDRhqv3I2tECBBszKt7Fo1d8vhHC7NGGfm
 3yDAUO4hXB4sobrhDPfpv6lL7QtdlhgTRku6TruT1qLtjaV+IrGB1A+Y1B5w6WO0RXi197gh
 5TlufeRWFOimK+xV2lJt5HXJRO/6Oh+54kdhE/49mx7oLy8flOvxRNC4RXTUZMKKT5ptsuYf
 wYXpmCcqEzPhejhyZnmY9+UTMEENjsV72l+B6BGfPY8lUZdRdumqAF5tWkh5vHT+aH+hpPOY
 YUz7ne7ueyVFoCH9fwNA3o7r5/AGDroMpr+2uu94c/YF04+kZJ/H6dsnekJA9JgeoxyNVTUX
 BrsOJ8DcINucr64P/09kfT9VePExSWppVLt7zM0yt/35WodBpJayoS6lQ/BFip3u7BZwz4y4
 gzTfovKOj1ktwJyxeaPaIbJnCtgDRF8drkfrTTDwFy9RnJz76WKOyGNARVtr9OStI14wGQKo
 RaAePn8uhkbv7zvzvYkse6Gr2uhoFL0/UeWbT48huZhAlzf81yT46nErrT03h+CDDuWaF/sd
 qHNeSNNr2OPE22A1mFLtkYaylpv+l8NUy4TDTPKyK2O3yQCqurJx/2jKVSFojnmpYNmAmVci
 YMiL8dF5wzr2RJUqsVx3X007Tbx4F0x7KD4+9Q9XI2Mw+yHCMZ0HpCZc9QUzE5oSdUCd2N53
 qStoziLp3kJlrCeXEKIE7lV6aoN/BOSEN1NFU0jtR8pHpvZoyZA/3Dm1vKqHjBDoGNr33Yk5
 37Rx8lnkoF513us3FxtWQDzxteQDq24SqfrOOir6dSLHatCOV8cX2Yw1+PHuIx5utLXaLMXH
 vbkaa2Qf3sUY0hvGT2quw+fACkQ+4FA0yLP969E4tfenlQVX1wt8QH5VY4KixL4ReDoCS5Y0
 7cO0wkzI1EYPS4iS4QTcQLNP7EKh3NreV9/hszggrdXnj5p6T2uK1AMCy6wftJBwUx1XoJjo
 dxEY08huxMYJtbY8gIK+Tg2/4eDp3bSWzHU8nTumbUbpf5VcMkvYuQENBFqX9wsBCADIMwny
 vUHLXR+CRcCW93/8zMrtRRNxRVyMuMVWrmBEArSun3sAw+lpmN8FKSkmpD8SO2SYdE0jiAU4
 7OJ7mHL4A1YAqXh3EOjf+GaClcjie46Vb61kR4N7tCymk9wVLxNlrPDb2cxQ9xm8t186z/e9
 RuUfaH/RIBhWUUBAWxdfTuwqX5RbfoOl8+2I5q+C06r56VvgT/fzC3tNtl/fB4+8Cc0iKXi9
 pRGKTEQOfbhxTSogbm4GD4rPs9q4v3CQT3czjSyhrL4uboYGUf82UjQ2ae+XLclDnaUnYfjp
 VrregsW12c5KPN0uuc3Fepvn0G4eQfNhwqqGA9zZqCVJMkDjABEBAAGJAjYEGAEIACAWIQTH
 h3QCUBS0Ag7mUIaM2mOtYz9pVQUCWpf3CwIbDAAKCRCM2mOtYz9pVYeoD/sH++dZ8QLMb3JN
 QiW6mEIKoEmZH5FrOP7t7UWuUmpAlTcUJ87n1221pLcdr/56uFBRIdvpp0YC5rB9ACaqD6gx
 oiNQmR0MkLzN25GWSeD8+bs2thO2SZecO0r+/dAvwgnU3rs+LdVqLcUGPfFwebRH94ZQiPjg
 Y/Ci6LkV6CNDP/rg9odtfYQnL5EHs9yWZdi5f/kLewdrYOAen+i5Sw0oZOiM6tSNOTt59yd3
 LPi6NKDb3rVnul7UU9KkvV7NxZykvs+hyYmUbwnS5UAvFyC40B/dgK9uYongPlzVb4MQmaB0
 rimSlHMMsHRBMnPxNr/F9kpFkYnbIqQwAYIf3FoQ0QuwCn3YljTEJYdbMM3ivl5woclVI6M1
 JytwpFGq6VX3sRhctk+Xe3JOk8Rxt6cvjKeoSmaaxg+kVt4a50LYysh0n3VoETg8d1Gq9NnW
 fhEFtJ0rNy01aZLO28gyDy4sSJiudkSFo17UtabrhcP/hv5ocvaGSzTfXEyYaw4Su23A0RC8
 ska1wAtlZpTYmZ6Mumw2vAkc6bOeh7npcrAfduWSaXtHrUxjuxy6sVCl58IOo2+2AMJaFdMq
 ktne5U1i8Lrrt8r507w4sBasTReQXL5i/AhqOnHt+FkhpVT5J1sE79VM5gwszP3AvBqOREcS
 fhCmGay+X9lHV3XhGE8GWA==
Organization: Red Hat, Inc.
Message-ID: <5a75d7e6-c56b-e4f5-653c-b846388cfbb4@redhat.com>
Date:   Sat, 4 May 2019 12:26:42 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <4438fae1-fa76-27ea-a7dc-509112540e8c@ieee.org>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="5qpDWHlJAOONSyFBuDO073tFRNJMEDgVP"
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.41]); Sat, 04 May 2019 10:26:47 +0000 (UTC)
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--5qpDWHlJAOONSyFBuDO073tFRNJMEDgVP
Content-Type: multipart/mixed; boundary="SePj7LcquBKtgWuPlBf2JTpdzYwelt0B8";
 protected-headers="v1"
From: Lukas Vrabec <lvrabec@redhat.com>
To: Chris PeBenito <pebenito@ieee.org>, selinux-refpolicy@vger.kernel.org
Message-ID: <5a75d7e6-c56b-e4f5-653c-b846388cfbb4@redhat.com>
Subject: Re: [PATCH] Introduce allow_bluetooth boolean
References: <20190430175329.25335-1-lvrabec@redhat.com>
 <4438fae1-fa76-27ea-a7dc-509112540e8c@ieee.org>
In-Reply-To: <4438fae1-fa76-27ea-a7dc-509112540e8c@ieee.org>

--SePj7LcquBKtgWuPlBf2JTpdzYwelt0B8
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

On 5/1/19 1:37 AM, Chris PeBenito wrote:
> On 4/30/19 1:53 PM, Lukas Vrabec wrote:
>> Because of new bluetooth_socket which is part of extended_socket_class=

>> policy capability, it's possible to control which SELinux domains can
>> use bluetooth wireless technology. Default value of the boolean is
>> turned off.
>>
>> Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
>> ---
>> =C2=A0 policy/global_tunables=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | 7 +++++++
>> =C2=A0 policy/modules/admin/netutils.te=C2=A0=C2=A0=C2=A0=C2=A0 | 4 ++=
++
>> =C2=A0 policy/modules/services/arpwatch.te=C2=A0 | 4 ++++
>> =C2=A0 policy/modules/services/bluetooth.if | 4 ++++
>> =C2=A0 policy/modules/services/bluetooth.te | 4 ++++
>> =C2=A0 policy/modules/services/ntop.te=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=
 4 ++++
>> =C2=A0 policy/modules/system/userdomain.if=C2=A0 | 8 ++++++++
>> =C2=A0 7 files changed, 35 insertions(+)
>>
>> diff --git a/policy/global_tunables b/policy/global_tunables
>> index affc020f..69b356e2 100644
>> --- a/policy/global_tunables
>> +++ b/policy/global_tunables
>> @@ -4,6 +4,13 @@
>> =C2=A0 # file should be used.
>> =C2=A0 #
>> =C2=A0 +## <desc>
>> +## <p>
>> +## Allow all system processes and Linux users to use bluetooth
>> wireless technology.
>> +## </p>
>> +## </desc>
>> +gen_tunable(allow_bluetooth,false)
>> +
>> =C2=A0 ## <desc>
>> =C2=A0 ## <p>
>> =C2=A0 ## Allow unconfined executables to make their heap memory
>> executable.=C2=A0 Doing this is a really bad idea. Probably indicates =
a
>> badly coded executable, but could indicate an attack. This executable
>> should be reported in bugzilla
>> diff --git a/policy/modules/admin/netutils.te
>> b/policy/modules/admin/netutils.te
>> index 46560a09..8821b108 100644
>> --- a/policy/modules/admin/netutils.te
>> +++ b/policy/modules/admin/netutils.te
>> @@ -99,6 +99,10 @@ optional_policy(`
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xen_append_log(netutils_t)
>> =C2=A0 ')
>> =C2=A0 +tunable_policy(`allow_bluetooth',`
>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 allow netutils_t self:blue=
tooth_socket
>> create_stream_socket_perms;
>> +')
>> +
>> =C2=A0 ########################################
>> =C2=A0 #
>> =C2=A0 # Ping local policy
>> diff --git a/policy/modules/services/arpwatch.te
>> b/policy/modules/services/arpwatch.te
>> index 87aed96f..6f05441a 100644
>> --- a/policy/modules/services/arpwatch.te
>> +++ b/policy/modules/services/arpwatch.te
>> @@ -77,6 +77,10 @@ miscfiles_read_localization(arpwatch_t)
>> =C2=A0 userdom_dontaudit_search_user_home_dirs(arpwatch_t)
>> =C2=A0 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
>> =C2=A0 +tunable_policy(`allow_bluetooth',`
>> +=C2=A0=C2=A0=C2=A0 allow arpwatch_t self:bluetooth_socket create_sock=
et_perms;
>> +')
>> +
>> =C2=A0 optional_policy(`
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 mta_send_mail(arpwatch_t)
>> =C2=A0 ')
>> diff --git a/policy/modules/services/bluetooth.if
>> b/policy/modules/services/bluetooth.if
>> index dc61988c..9097803f 100644
>> --- a/policy/modules/services/bluetooth.if
>> +++ b/policy/modules/services/bluetooth.if
>> @@ -68,6 +68,10 @@ interface(`bluetooth_stream_connect',`
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 files_search_pids($1)
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 allow $1 bluetooth_t:socket rw_socket_p=
erms;
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 stream_connect_pattern($1, bluetooth_va=
r_run_t,
>> bluetooth_var_run_t, bluetooth_t)
>> +
>> +=C2=A0=C2=A0=C2=A0 tunable_policy(`deny_bluetooth',`',`
>=20
> Missed a deny_bluetooth.
>=20
> I'm also a little uneasy with adding this access here, as this would
> seem to be a side effect to a simple stream socket connection.=C2=A0 Pe=
rhaps
> there should be a new interface like bluetooth_client().=C2=A0 It might=
 also
> make sense in bluetooth_role(), as there is a generic socket class rule=

> in there too.
>=20

Hi Chris,

I'll update deny_bluetooth() to allow_bluetooth().

So, you're suggesting create new interface bluetooth_client() but all
bluetooth related stuff there, and use this interface in tunable_policy
block instead of just allowing using bluetooth socket?

bluetooth_role() should be fixed to use only bluetooth_socket, not the
general one. I'll create PR also for it.

Thanks,
Lukas.

>=20
>=20
>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 allow $1 bluetooth_t:bluet=
ooth_socket rw_socket_perms;
>> +=C2=A0=C2=A0=C2=A0 ')
>> =C2=A0 ')
>> =C2=A0 =C2=A0 ########################################
>> diff --git a/policy/modules/services/bluetooth.te
>> b/policy/modules/services/bluetooth.te
>> index 45e5a361..39af72d5 100644
>> --- a/policy/modules/services/bluetooth.te
>> +++ b/policy/modules/services/bluetooth.te
>> @@ -133,6 +133,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t=
)
>> =C2=A0 userdom_dontaudit_use_user_terminals(bluetooth_t)
>> =C2=A0 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
>> =C2=A0 +tunable_policy(`allow_bluetooth',`
>> +=C2=A0=C2=A0=C2=A0 allow bluetooth_t self:bluetooth_socket create_str=
eam_socket_perms;
>> +')
>> +
>> =C2=A0 optional_policy(`
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 dbus_system_bus_client(bluetooth_t)
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 dbus_connect_system_bus(bluetooth_t)
>> diff --git a/policy/modules/services/ntop.te
>> b/policy/modules/services/ntop.te
>> index 178bbb1d..537d9323 100644
>> --- a/policy/modules/services/ntop.te
>> +++ b/policy/modules/services/ntop.te
>> @@ -96,6 +96,10 @@ miscfiles_read_localization(ntop_t)
>> =C2=A0 userdom_dontaudit_use_unpriv_user_fds(ntop_t)
>> =C2=A0 userdom_dontaudit_search_user_home_dirs(ntop_t)
>> =C2=A0 +tunable_policy(`allow_bluetooth',`
>> +=C2=A0=C2=A0=C2=A0 allow ntop_t self:bluetooth_socket create_socket_p=
erms;
>> +')
>> +
>> =C2=A0 optional_policy(`
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 apache_read_sys_content(ntop_t)
>> =C2=A0 ')
>> diff --git a/policy/modules/system/userdomain.if
>> b/policy/modules/system/userdomain.if
>> index 5221bd13..5654de6e 100644
>> --- a/policy/modules/system/userdomain.if
>> +++ b/policy/modules/system/userdomain.if
>> @@ -1189,6 +1189,10 @@ template(`userdom_unpriv_user_template', `
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 corenet_udp_bin=
d_generic_port($1_t)
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ')
>> =C2=A0 +=C2=A0=C2=A0=C2=A0 tunable_policy(`allow_bluetooth',`
>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 allow $1_t self:bluetooth_=
socket create_socket_perms;
>> +=C2=A0=C2=A0=C2=A0 ')
>> +
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 optional_policy(`
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 netutils_run_pi=
ng_cond($1_t, $1_r)
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 netutils_run_tr=
aceroute_cond($1_t, $1_r)
>> @@ -1362,6 +1366,10 @@ template(`userdom_admin_user_template',`
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 userdom_manage_user_home_content_socket=
s($1_t)
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 userdom_user_home_dir_filetrans_user_ho=
me_content($1_t, { dir
>> file lnk_file fifo_file sock_file })
>> =C2=A0 +=C2=A0=C2=A0=C2=A0 tunable_policy(`allow_bluetooth',`
>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 allow $1_t self:bluetooth_=
socket create_stream_socket_perms;
>> +=C2=A0=C2=A0=C2=A0 ')
>> +
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 optional_policy(`
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 postgresql_unco=
nfined($1_t)
>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ')
>>
>=20
>=20


--=20
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.


--SePj7LcquBKtgWuPlBf2JTpdzYwelt0B8--

--5qpDWHlJAOONSyFBuDO073tFRNJMEDgVP
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE3wrP3ArXoyYgAS7LRyAaxC8pzgYFAlzNaOIACgkQRyAaxC8p
zgY++gf9EYNQAllbDwJqbAM0bli5yjmmto3XJeO/uOCAVy8axdjuAmAtxvMswPsY
UlRPF8rwDjym/3d4t/Fh51kDMT2bFSdR+ITwg0Z6Gb9GQedqF1/Dj3LAlDRFGDv2
1MrlB+5e4StCLgF/ITkKBDhJhuYh5A0fCUqfzlsUB+4mKzC7nYu/EIhlOwFTjSut
GIyXJVQkfwawc8NFBtvuwHKO1II8dD4whhBNdaIhGuyZCpBxPVhtPkaeZUvcNWat
ElEuomHCvmnVzTz8GprGbktlTSsWO+L1nf/rm/MRwHdYCBNsAU3Kd+7+rK7qjNiY
Fq4JtarMj8l02mz3Xq/iwv4073zPNg==
=TS0+
-----END PGP SIGNATURE-----

--5qpDWHlJAOONSyFBuDO073tFRNJMEDgVP--