commit: 20a04b9df908ff4b54b8a17a266f0250ef013ef1 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Tue Jul 10 16:41:44 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Jul 10 16:41:44 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=20a04b9d |
|
Add blueman policy (backport) |
|
--- |
policy/modules/contrib/blueman.fc | 3 + |
policy/modules/contrib/blueman.if | 99 +++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/blueman.te | 46 +++++++++++++++++ |
3 files changed, 148 insertions(+), 0 deletions(-) |
|
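diff --git a/policy/modules/contrib/blueman.fc b/policy/modules/contrib/blueman.fc
new file mode 100644
index 0000000..6355318
--- /dev/null
+++ b/policy/modules/contrib/blueman.fc
@@ -0,0 +1,3 @@
+/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
+
+/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)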
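diff --git a/policy/modules/contrib/blueman.if b/policy/modules/contrib/blueman.if
new file mode 100644
index 0000000..6b081c4
--- /dev/null
+++ b/policy/modules/contrib/blueman.if
@@ -0,0 +1,99 @@
+## <summary>Blueman is a tool to manage Bluetooth devices</summary>
+
+########################################
+## <summary>
+## Execute blueman in the blueman domain..
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`blueman_domtrans',`
+ gen_require(`
+ type blueman_t, blueman_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, blueman_exec_t, blueman_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## blueman over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blueman_dbus_chat',`
+ gen_require(`
+ type blueman_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 blueman_t:dbus send_msg;
+ allow blueman_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Search blueman lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blueman_search_lib',`
+ gen_require(`
+ type blueman_var_lib_t;
+ ')
+
+ allow $1 blueman_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read blueman lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blueman_read_lib_files',`
+ gen_require(`
+ type blueman_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## blueman lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`blueman_manage_lib_files',`
+ gen_require(`
+ type blueman_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
+')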
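Review bot: The summary for `blueman_domtrans` ends in a doubled period, `## Execute blueman in the blueman domain..`; it should read `## Execute blueman in the blueman domain.`. These `<summary>` blocks are what the interface documentation generator emits, so the typo is user-visible rather than cosmetic. The other four interface headers in the file are consistent and need no change.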
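diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te
new file mode 100644
index 0000000..70969fa
--- /dev/null
+++ b/policy/modules/contrib/blueman.te
@@ -0,0 +1,46 @@
+policy_module(blueman, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type blueman_t;
+type blueman_exec_t;
+dbus_system_domain(blueman_t, blueman_exec_t)
+init_daemon_domain(blueman_t, blueman_exec_t)
+
+type blueman_var_lib_t;
+files_type(blueman_var_lib_t)
+
+########################################
+#
+# blueman local policy
+#
+allow blueman_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
+files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
+
+kernel_read_system_state(blueman_t)
+
+corecmd_exec_bin(blueman_t)
+
+dev_read_rand(blueman_t)
+dev_read_urand(blueman_t)
+dev_rw_wireless(blueman_t)
+
+domain_use_interactive_fds(blueman_t)
+
+files_read_usr_files(blueman_t)
+
+auth_use_nsswitch(blueman_t)
+
+logging_send_syslog_msg(blueman_t)
+
+miscfiles_read_localization(blueman_t)
+
+optional_policy(`
+ avahi_domtrans(blueman_t)
+')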
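Review bot: `init_daemon_domain(blueman_t, blueman_exec_t)` is stacked on `dbus_system_domain()` for the same type pair in the Declarations block; refpolicy's dbus_system_domain already makes blueman_t a domain with blueman_exec_t as its entry point and lets system_dbusd_t transition into it, so the init rule only adds value if blueman-mechanism is also launched from an init script, which neither the module nor the commit message states. If the helper is only bus-activated, the init line widens the policy with no corresponding use; if both start paths are real, a comment such as `# started by init and via system bus activation` beside the two calls would record why both are kept. Separately, the `# blueman local policy` header runs straight into the first `allow` line, whereas the Declarations header is followed by a blank line; matching the two is a small readability fix.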