bluetooth_selinux(8)       SELinux Policy bluetooth       bluetooth_selinux(8)

NAME

       bluetooth_selinux - Security Enhanced Linux Policy for the bluetooth
       processes

DESCRIPTION

       Security-Enhanced Linux secures the bluetooth processes via flexible
       mandatory access control.

       The bluetooth processes execute with the bluetooth_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep bluetooth_t

ENTRYPOINTS

       The bluetooth_t SELinux type can be entered via the bluetooth_exec_t
       file type.

       The default entrypoint paths for the bluetooth_t domain are the
       following:

       /usr/bin/dund, /usr/bin/hidd, /usr/bin/pand, /usr/sbin/hcid,
       /usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci,
       /usr/sbin/hciattach, /usr/sbin/bluetoothd,
       /usr/libexec/bluetooth/bluetoothd

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       bluetooth policy is very flexible, allowing users to set up their
       bluetooth processes in as secure a manner as possible.

       The following process types are defined for bluetooth:

       bluetooth_t, bluetooth_helper_t

       Note: semanage permissive -a bluetooth_t can be used to make the
       process type bluetooth_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.
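
       Added example (not part of the generated man page or of the SELinux
       policy): a POSIX sh filter that picks out AVC records whose source
       domain is bluetooth_t and marks those that were only logged because
       the domain is permissive. The audit lines are constructed, and the
       names context_type and avc_for_domain are illustrative.

```shell
#!/bin/sh
# Constructed sample audit records (not captured from a real system).
SAMPLE_AVC='type=AVC msg=audit(1570521600.101:410): avc:  denied  { read } for  pid=912 comm="bluetoothd" name="notes.txt" dev="dm-0" ino=1311 scontext=system_u:system_r:bluetooth_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570521601.220:411): avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=process permissive=0
type=AVC msg=audit(1570521602.330:412): avc:  denied  { read write } for  pid=912 comm="bluetoothd" name="ttyS0" dev="devtmpfs" ino=88 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0'

# Print the SELinux type (third field) of a user:role:type:level context.
context_type() {
    t=${1#*:*:}
    printf '%s\n' "${t%%:*}"
}

# Read audit lines on stdin; for each AVC whose *source* domain is $1 print
#   <blocked|logged-only> <tclass> <target type> <permissions...>
avc_for_domain() {
    open='{ '
    close=' }'
    while IFS= read -r line; do
        case $line in
            *'avc:'*'denied'*' scontext='*' tcontext='*) ;;
            *) continue ;;
        esac
        sctx=${line#* scontext=}; sctx=${sctx%% *}
        # Match on the source context only; bluetooth_t as a target is skipped.
        if [ "$(context_type "$sctx")" != "$1" ]; then continue; fi
        tctx=${line#* tcontext=}; tctx=${tctx%% *}
        tclass=${line#* tclass=}; tclass=${tclass%% *}
        perms=${line#*"$open"}; perms=${perms%%"$close"*}
        # permissive=1: the access was allowed and only logged.
        case $line in
            *' permissive=1'*) mode=logged-only ;;
            *) mode=blocked ;;
        esac
        printf '%s %s %s %s\n' "$mode" "$tclass" "$(context_type "$tctx")" "$perms"
    done
}

printf '%s\n' "$SAMPLE_AVC" | avc_for_domain bluetooth_t
```

       On a live system the same filter can read /var/log/audit/audit.log on
       stdin.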

BOOLEANS

       SELinux policy is customizable based on least access required.
       bluetooth policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run bluetooth with the tightest
       access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to allow xguest to use bluetooth devices, you must turn on
       the xguest_use_bluetooth boolean. Enabled by default.

       setsebool -P xguest_use_bluetooth 1

MANAGED FILES

       The SELinux process type bluetooth_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       bluetooth_conf_rw_t

            /etc/bluetooth/link_key

       bluetooth_lock_t

            /var/lock/subsys/bluetoothd

       bluetooth_tmp_t

       bluetooth_var_lib_t

            /var/lib/bluetooth(/.*)?

       bluetooth_var_run_t

            /var/run/sdp
            /var/run/bluetoothd_address

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       sysfs_t

            /sys(/.*)?

       usbfs_t

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux bluetooth policy is very flexible, allowing users to set up
       their bluetooth processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for bluetooth. If you want to
       store files with these types in a different path, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t bluetooth_unit_file_t '/srv/mybluetooth_content(/.*)?'
       restorecon -R -v /srv/mybluetooth_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for bluetooth:

       bluetooth_conf_rw_t

       - Set files with the bluetooth_conf_rw_t type, if you want to treat the
       files as bluetooth conf read/write content.

       bluetooth_conf_t

       - Set files with the bluetooth_conf_t type, if you want to treat the
       files as bluetooth configuration data, usually stored under the /etc
       directory.

       bluetooth_exec_t

       - Set files with the bluetooth_exec_t type, if you want to transition
       an executable to the bluetooth_t domain.

       Paths:
            /usr/bin/dund, /usr/bin/hidd, /usr/bin/pand, /usr/sbin/hcid,
            /usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci,
            /usr/sbin/hciattach, /usr/sbin/bluetoothd,
            /usr/libexec/bluetooth/bluetoothd

       bluetooth_helper_exec_t

       - Set files with the bluetooth_helper_exec_t type, if you want to
       transition an executable to the bluetooth_helper_t domain.

       bluetooth_helper_tmp_t

       - Set files with the bluetooth_helper_tmp_t type, if you want to store
       bluetooth helper temporary files in the /tmp directories.

       bluetooth_helper_tmpfs_t

       - Set files with the bluetooth_helper_tmpfs_t type, if you want to
       store bluetooth helper files on a tmpfs file system.

       bluetooth_initrc_exec_t

       - Set files with the bluetooth_initrc_exec_t type, if you want to
       transition an executable to the bluetooth_initrc_t domain.

       Paths:
            /etc/rc.d/init.d/dund, /etc/rc.d/init.d/pand,
            /etc/rc.d/init.d/bluetooth

       bluetooth_lock_t

       - Set files with the bluetooth_lock_t type, if you want to treat the
       files as bluetooth lock data, stored under the /var/lock directory.

       bluetooth_tmp_t

       - Set files with the bluetooth_tmp_t type, if you want to store
       bluetooth temporary files in the /tmp directories.

       bluetooth_unit_file_t

       - Set files with the bluetooth_unit_file_t type, if you want to treat
       the files as bluetooth unit content.

       bluetooth_var_lib_t

       - Set files with the bluetooth_var_lib_t type, if you want to store the
       bluetooth files under the /var/lib directory.

       bluetooth_var_run_t

       - Set files with the bluetooth_var_run_t type, if you want to store the
       bluetooth files under the /run or /var/run directory.

       Paths:
            /var/run/sdp, /var/run/bluetoothd_address

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.
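
       Added example (not part of the generated man page or of the SELinux
       policy): a POSIX sh check that compares the type on each file with
       the default this page lists for its path, using the entrypoint and
       managed-file paths above. The input lines are constructed, shell
       globs stand in for the policy's regular expressions, and the names
       expected_type and find_mislabeled are illustrative.

```shell
#!/bin/sh
# Constructed sample, in the format printed by: stat -c '%C %n' <path>...
SAMPLE_LABELS='system_u:object_r:bluetooth_exec_t:s0 /usr/libexec/bluetooth/bluetoothd
unconfined_u:object_r:user_home_t:s0 /usr/bin/rfcomm
system_u:object_r:bluetooth_var_lib_t:s0 /var/lib/bluetooth/settings
system_u:object_r:etc_t:s0 /etc/bluetooth/link_key
system_u:object_r:bin_t:s0 /usr/bin/ls'

# Expected type for a path, from the default paths listed on this page.
# Prints nothing for paths this page does not cover.
expected_type() {
    case $1 in
        /usr/bin/dund|/usr/bin/hidd|/usr/bin/pand|/usr/bin/rfcomm)
            echo bluetooth_exec_t ;;
        /usr/sbin/hcid|/usr/sbin/sdpd|/usr/sbin/hid2hci|/usr/sbin/hciattach)
            echo bluetooth_exec_t ;;
        /usr/sbin/bluetoothd|/usr/libexec/bluetooth/bluetoothd)
            echo bluetooth_exec_t ;;
        /etc/bluetooth/link_key) echo bluetooth_conf_rw_t ;;
        /var/lock/subsys/bluetoothd) echo bluetooth_lock_t ;;
        /var/lib/bluetooth|/var/lib/bluetooth/*) echo bluetooth_var_lib_t ;;
        /var/run/sdp|/var/run/bluetoothd_address) echo bluetooth_var_run_t ;;
    esac
}

# Read "<context> <path>" lines on stdin; print one line per mislabeled path:
#   <path> <actual type> <expected type>
find_mislabeled() {
    while read -r ctx path; do
        want=$(expected_type "$path")
        if [ -z "$want" ]; then continue; fi
        # The type is the third field of user:role:type:level.
        have=${ctx#*:*:}; have=${have%%:*}
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$have" "$want"
        fi
    done
}

printf '%s\n' "$SAMPLE_LABELS" | find_mislabeled
```

       An entrypoint that has lost bluetooth_exec_t no longer transitions to
       bluetooth_t when started. On a live system, restorecon -n -v reports
       such mismatches against the installed policy without changing labels.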

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), bluetooth(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), bluetooth_helper_selinux(8)

bluetooth                          19-10-08               bluetooth_selinux(8)