bluetooth_selinux(8)          SELinux Policy bluetooth          bluetooth_selinux(8)

NAME
bluetooth_selinux - Security Enhanced Linux Policy for the bluetooth
processes

DESCRIPTION
Security-Enhanced Linux secures the bluetooth processes via flexible
mandatory access control.

The bluetooth processes execute with the bluetooth_t SELinux type. You
can check if you have these processes running by executing the ps
command with the -Z qualifier.

For example:

ps -eZ | grep bluetooth_t

ENTRYPOINTS
The bluetooth_t SELinux type can be entered via the bluetooth_exec_t
file type.

The default entrypoint paths for the bluetooth_t domain are the
following:

/usr/bin/dund, /usr/bin/hidd, /usr/bin/pand, /usr/sbin/hcid,
/usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hciattach,
/usr/sbin/bluetoothd, /usr/libexec/bluetooth/bluetoothd

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
bluetooth policy is very flexible, allowing users to set up their
bluetooth processes in as secure a manner as possible.

The following process types are defined for bluetooth:

bluetooth_t, bluetooth_helper_t

Note: semanage permissive -a bluetooth_t can be used to make the
process type bluetooth_t permissive. SELinux does not deny access to
permissive process types, but the AVC (SELinux denial) messages are
still generated.

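The two checks this section describes, finding processes in the bluetooth domains with ps -Z and reading the AVC denial records that a permissive domain still generates, are combined below in an added example. It is not part of this man page or of the sepolicy tool. The ps -eZ listing and the audit records are constructed samples in the standard shapes of those outputs; the permissive=1 field is the kernel's own marker for a denial that was logged but not enforced, and MANAGED_TYPES copies the MANAGED FILES section of this page so a denial on some other target type can be flagged as a likely labeling problem rather than a policy gap.

```python
"""Triage SELinux process and AVC data for the bluetooth domains.

Added example, not part of the sepolicy-generated man page. PS_EZ_SAMPLE and
AUDIT_SAMPLE are constructed inputs in the shape of `ps -eZ` output and of
AVC records in /var/log/audit/audit.log; they were not captured from a host.
"""
import re

# Process domains the man page defines for bluetooth.
BLUETOOTH_DOMAINS = {"bluetooth_t", "bluetooth_helper_t"}

# File types the MANAGED FILES section says bluetooth_t may manage.
MANAGED_TYPES = {
    "bluetooth_conf_rw_t", "bluetooth_lock_t", "bluetooth_var_lib_t",
    "bluetooth_var_run_t", "cluster_conf_t", "cluster_var_lib_t",
    "cluster_var_run_t", "root_t", "sysfs_t", "usbfs_t",
}

HINT_MANAGED = "managed type; review the denied permission"
HINT_UNMANAGED = "type not managed by bluetooth_t; check labeling with ls -Z and restorecon"

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD).
PS_EZ_SAMPLE = """\
LABEL                                     PID TTY      TIME     CMD
system_u:system_r:init_t:s0                 1 ?        00:00:02 systemd
system_u:system_r:bluetooth_t:s0          812 ?        00:00:00 bluetoothd
system_u:system_r:bluetooth_helper_t:s0   901 ?        00:00:00 obexd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1337 pts/0 00:00:00 bash
"""

# Constructed sample AVC records; permissive=1 marks a denial that was logged
# but not enforced (the state `semanage permissive -a bluetooth_t` produces).
AUDIT_SAMPLE = """\
type=AVC msg=audit(1588640000.101:201): avc:  denied  { write } for  pid=812 comm="bluetoothd" name="link_key" dev="sda1" ino=1234 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588640000.102:202): avc:  denied  { read } for  pid=812 comm="bluetoothd" name="bluetoothd_address" dev="tmpfs" ino=77 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:bluetooth_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1588640000.103:203): avc:  denied  { read } for  pid=500 comm="httpd" name="index.html" dev="sda1" ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def bluetooth_processes(ps_output):
    """Return [(pid, command, domain)] for processes in a bluetooth domain."""
    found = []
    for line in ps_output.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        domain = context_type(parts[0])
        if domain in BLUETOOTH_DOMAINS:
            found.append((int(parts[1]), parts[-1], domain))
    return found


def bluetooth_denials(audit_log):
    """Parse AVC records whose source domain is a bluetooth domain.

    Each entry records the denied permissions, the target type and class,
    whether the denial was enforced, and a triage hint based on whether the
    target type is one the policy says bluetooth_t manages.
    """
    results = []
    for line in audit_log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        sdomain = context_type(m.group("scontext"))
        if sdomain not in BLUETOOTH_DOMAINS:
            continue
        ttype = context_type(m.group("tcontext"))
        results.append({
            "domain": sdomain,
            "perms": m.group("perms").split(),
            "target_type": ttype,
            "tclass": m.group("tclass"),
            "enforced": m.group("permissive") != "1",
            "hint": HINT_MANAGED if ttype in MANAGED_TYPES else HINT_UNMANAGED,
        })
    return results


if __name__ == "__main__":
    for pid, cmd, dom in bluetooth_processes(PS_EZ_SAMPLE):
        print(f"{pid:>6} {cmd:<12} {dom}")
    for d in bluetooth_denials(AUDIT_SAMPLE):
        state = "ENFORCED" if d["enforced"] else "permissive"
        print(f'{state:<10} {d["domain"]} {" ".join(d["perms"])} on '
              f'{d["target_type"]}:{d["tclass"]} -> {d["hint"]}')
```

On a real host the inputs are `ps -eZ` and the AVC lines from /var/log/audit/audit.log; the first sample denial (bluetoothd writing a file labeled etc_t where the page expects bluetooth_conf_rw_t) is the usual shape of a mislabeling that restorecon fixes, while the permissive=1 record shows why a permissive domain is still worth watching in the audit log.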
BOOLEANS
SELinux policy is customizable based on least access required.
bluetooth policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run bluetooth with the tightest
access possible.

If you want to deny all system processes and Linux users the use of
bluetooth wireless technology, you must turn on the deny_bluetooth
boolean. Enabled by default.

setsebool -P deny_bluetooth 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow xguest to use bluetooth devices, you must turn on
the xguest_use_bluetooth boolean. Enabled by default.

setsebool -P xguest_use_bluetooth 1

MANAGED FILES
The SELinux process type bluetooth_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs DAC permissions.

bluetooth_conf_rw_t
    /etc/bluetooth/link_key

bluetooth_lock_t
    /var/lock/subsys/bluetoothd

bluetooth_var_lib_t
    /var/lib/bluetooth(/.*)?

bluetooth_var_run_t
    /var/run/sdp
    /var/run/bluetoothd_address

cluster_conf_t
    /etc/cluster(/.*)?

cluster_var_lib_t
    /var/lib/pcsd(/.*)?
    /var/lib/cluster(/.*)?
    /var/lib/openais(/.*)?
    /var/lib/pengine(/.*)?
    /var/lib/corosync(/.*)?
    /usr/lib/heartbeat(/.*)?
    /var/lib/heartbeat(/.*)?
    /var/lib/pacemaker(/.*)?

cluster_var_run_t
    /var/run/crm(/.*)?
    /var/run/cman_.*
    /var/run/rsctmp(/.*)?
    /var/run/aisexec.*
    /var/run/heartbeat(/.*)?
    /var/run/corosync-qnetd(/.*)?
    /var/run/corosync-qdevice(/.*)?
    /var/run/corosync.pid
    /var/run/cpglockd.pid
    /var/run/rgmanager.pid
    /var/run/cluster/rgmanager.sk

root_t
    /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
    /
    /initrd

sysfs_t
    /sys(/.*)?

usbfs_t

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux bluetooth policy is very flexible, allowing users to set up
their bluetooth processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for bluetooth. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t bluetooth_unit_file_t '/srv/mybluetooth_content(/.*)?'
restorecon -R -v /srv/mybluetooth_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for bluetooth:

bluetooth_conf_rw_t

- Set files with the bluetooth_conf_rw_t type, if you want to treat the
files as bluetooth conf read/write content.

bluetooth_conf_t

- Set files with the bluetooth_conf_t type, if you want to treat the
files as bluetooth configuration data, usually stored under the /etc
directory.

bluetooth_exec_t

- Set files with the bluetooth_exec_t type, if you want to transition
an executable to the bluetooth_t domain.

Paths:
/usr/bin/dund, /usr/bin/hidd, /usr/bin/pand, /usr/sbin/hcid,
/usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hciattach,
/usr/sbin/bluetoothd, /usr/libexec/bluetooth/bluetoothd

bluetooth_helper_exec_t

- Set files with the bluetooth_helper_exec_t type, if you want to
transition an executable to the bluetooth_helper_t domain.

bluetooth_helper_tmp_t

- Set files with the bluetooth_helper_tmp_t type, if you want to store
bluetooth helper temporary files in the /tmp directories.

bluetooth_helper_tmpfs_t

- Set files with the bluetooth_helper_tmpfs_t type, if you want to
store bluetooth helper files on a tmpfs file system.

bluetooth_initrc_exec_t

- Set files with the bluetooth_initrc_exec_t type, if you want to
transition an executable to the bluetooth_initrc_t domain.

Paths:
/etc/rc.d/init.d/dund, /etc/rc.d/init.d/pand,
/etc/rc.d/init.d/bluetooth

bluetooth_lock_t

- Set files with the bluetooth_lock_t type, if you want to treat the
files as bluetooth lock data, stored under the /var/lock directory.

bluetooth_tmp_t

- Set files with the bluetooth_tmp_t type, if you want to store
bluetooth temporary files in the /tmp directories.

bluetooth_unit_file_t

- Set files with the bluetooth_unit_file_t type, if you want to treat
the files as bluetooth unit content.

bluetooth_var_lib_t

- Set files with the bluetooth_var_lib_t type, if you want to store the
bluetooth files under the /var/lib directory.

bluetooth_var_run_t

- Set files with the bluetooth_var_run_t type, if you want to store the
bluetooth files under the /run or /var/run directory.

Paths:
/var/run/sdp, /var/run/bluetoothd_address

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

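The STANDARD FILE CONTEXT procedure and the note above both turn on one idea: the policy maps path regexes to file types, a semanage fcontext entry adds a local mapping, and restorecon rewrites any on-disk label that disagrees with the mapping. The added example below, which is not part of this man page or of the SELinux tools, models that step offline. FILE_CONTEXTS copies the regex-to-type pairs quoted on this page plus one constructed generic /var/lib entry to show precedence; LS_Z_SAMPLE is a constructed listing in the shape of ls -Z output; and the precedence rule (the matching entry with the longest literal prefix wins, with later entries winning ties) is a simplified version of how restorecon and matchpathcon choose among file_contexts entries.

```python
"""Predict default labels from bluetooth file-context regexes and flag drift.

Added example, not part of the sepolicy-generated man page. FILE_CONTEXTS
copies the regex -> type mappings quoted in the man page (plus one generic
/var/lib entry constructed here to show precedence); LS_Z_SAMPLE is a
constructed listing in the shape of `ls -Z` output.
"""
import re

# Default mappings; a regex must match the whole path, as in file_contexts.
FILE_CONTEXTS = [
    (r"/etc/bluetooth/link_key", "bluetooth_conf_rw_t"),
    (r"/var/lock/subsys/bluetoothd", "bluetooth_lock_t"),
    (r"/var/lib/bluetooth(/.*)?", "bluetooth_var_lib_t"),
    (r"/var/run/sdp", "bluetooth_var_run_t"),
    (r"/var/run/bluetoothd_address", "bluetooth_var_run_t"),
    (r"/usr/sbin/bluetoothd", "bluetooth_exec_t"),
    (r"/usr/libexec/bluetooth/bluetoothd", "bluetooth_exec_t"),
    (r"/var/lib(/.*)?", "var_lib_t"),  # constructed generic entry, not from the page
]

# Constructed `ls -Z` style listing: CONTEXT PATH per line.
LS_Z_SAMPLE = """\
system_u:object_r:bluetooth_conf_rw_t:s0 /etc/bluetooth/link_key
system_u:object_r:var_lib_t:s0 /var/lib/bluetooth/AA:BB:CC:DD:EE:FF/info
system_u:object_r:bluetooth_var_run_t:s0 /var/run/sdp
unconfined_u:object_r:default_t:s0 /srv/mybluetooth_content/bluetooth.service
"""

_META = re.compile(r"[.*?+()\[\]{}|\\^$]")


def stem(regex):
    """Literal prefix of a file-context regex, up to the first metacharacter."""
    m = _META.search(regex)
    return regex if m is None else regex[:m.start()]


def add_local_mapping(contexts, regex, setype):
    """Model `semanage fcontext -a -t SETYPE REGEX`: the local entry is
    appended, so it wins over a default entry with an equally long stem."""
    return contexts + [(regex, setype)]


def expected_type(path, contexts=FILE_CONTEXTS):
    """Type the policy assigns to path, or None when no entry matches
    (simplified rule: longest literal stem wins, later entries win ties)."""
    best_key, best_type = None, None
    for index, (regex, setype) in enumerate(contexts):
        if re.fullmatch(regex, path):
            key = (len(stem(regex)), index)
            if best_key is None or key > best_key:
                best_key, best_type = key, setype
    return best_type


def mislabeled(ls_z_output, contexts=FILE_CONTEXTS):
    """[(path, current_type, expected_type)] for files whose on-disk label
    differs from the policy default: the set `restorecon -R -v` would relabel."""
    drift = []
    for line in ls_z_output.splitlines():
        ctx, path = line.split(None, 1)
        current = ctx.split(":")[2]
        want = expected_type(path, contexts)
        if want is not None and want != current:
            drift.append((path, current, want))
    return drift


if __name__ == "__main__":
    print("default policy:", mislabeled(LS_Z_SAMPLE))
    # The page's own example mapping, added the way semanage fcontext -a would.
    local = add_local_mapping(FILE_CONTEXTS, r"/srv/mybluetooth_content(/.*)?",
                              "bluetooth_unit_file_t")
    print("with local mapping:", mislabeled(LS_Z_SAMPLE, local))
```

With only the default entries, the /srv path has no mapping and is left alone, which is exactly why the page pairs semanage fcontext with restorecon: once the local mapping exists, the same listing reports the /srv file as drift, and restorecon -R -v is what relabels it. The whole-path match also shows why a regex such as /var/lib/bluetooth(/.*)? covers the directory and everything beneath it but not a sibling like /var/lib/bluetoothx.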
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), bluetooth(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), bluetooth_helper_selinux(8)

bluetooth                        20-05-05                bluetooth_selinux(8)