1bluetooth_selinux(8)       SELinux Policy bluetooth       bluetooth_selinux(8)
2
3
4

NAME

6       bluetooth_selinux  -  Security  Enhanced Linux Policy for the bluetooth
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the bluetooth  processes  via  flexible
11       mandatory access control.
12
13       The  bluetooth processes execute with the bluetooth_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep bluetooth_t
20
21
22

ENTRYPOINTS

24       The  bluetooth_t  SELinux  type can be entered via the bluetooth_exec_t
25       file type.
26
27       The default entrypoint paths for the bluetooth_t domain are the follow‐
28       ing:
29
30       /usr/bin/dund,     /usr/bin/hidd,     /usr/bin/pand,    /usr/sbin/hcid,
31       /usr/sbin/sdpd,  /usr/bin/rfcomm,  /usr/sbin/hid2hci,  /usr/sbin/hciat‐
32       tach, /usr/sbin/bluetoothd, /usr/libexec/bluetooth/bluetoothd
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       bluetooth  policy  is very flexible allowing users to setup their blue‐
42       tooth processes in as secure a method as possible.
43
44       The following process types are defined for bluetooth:
45
46       bluetooth_t, bluetooth_helper_t
47
48       Note: semanage permissive -a  bluetooth_t  can  be  used  to  make  the
49       process  type  bluetooth_t  permissive. SELinux does not deny access to
50       permissive process types, but the AVC (SELinux  denials)  messages  are
51       still generated.
52
53

BOOLEANS

55       SELinux  policy  is customizable based on least access required.  blue‐
56       tooth policy is extremely flexible and has several booleans that  allow
57       you to manipulate the policy and run bluetooth with the tightest access
58       possible.
59
60
61
62       If you want to deny all system processes and Linux users to  use  blue‐
63       tooth wireless technology, you must turn on the deny_bluetooth boolean.
64       Enabled by default.
65
66       setsebool -P deny_bluetooth 1
67
68
69
70       If you want to allow all domains to execute in fips_mode, you must turn
71       on the fips_mode boolean. Enabled by default.
72
73       setsebool -P fips_mode 1
74
75
76
77       If you want to allow xguest to use blue tooth devices, you must turn on
78       the xguest_use_bluetooth boolean. Enabled by default.
79
80       setsebool -P xguest_use_bluetooth 1
81
82
83

MANAGED FILES

85       The SELinux process type bluetooth_t can manage files labeled with  the
86       following file types.  The paths listed are the default paths for these
87       file types.  Note the processes UID still need to have DAC permissions.
88
89       bluetooth_conf_rw_t
90
91            /etc/bluetooth/link_key
92
93       bluetooth_lock_t
94
95            /var/lock/subsys/bluetoothd
96
97       bluetooth_var_lib_t
98
99            /var/lib/bluetooth(/.*)?
100
101       bluetooth_var_run_t
102
103            /var/run/sdp
104            /var/run/bluetoothd_address
105
106       cluster_conf_t
107
108            /etc/cluster(/.*)?
109
110       cluster_var_lib_t
111
112            /var/lib/pcsd(/.*)?
113            /var/lib/cluster(/.*)?
114            /var/lib/openais(/.*)?
115            /var/lib/pengine(/.*)?
116            /var/lib/corosync(/.*)?
117            /usr/lib/heartbeat(/.*)?
118            /var/lib/heartbeat(/.*)?
119            /var/lib/pacemaker(/.*)?
120
121       cluster_var_run_t
122
123            /var/run/crm(/.*)?
124            /var/run/cman_.*
125            /var/run/rsctmp(/.*)?
126            /var/run/aisexec.*
127            /var/run/heartbeat(/.*)?
128            /var/run/corosync-qnetd(/.*)?
129            /var/run/corosync-qdevice(/.*)?
130            /var/run/corosync.pid
131            /var/run/cpglockd.pid
132            /var/run/rgmanager.pid
133            /var/run/cluster/rgmanager.sk
134
135       root_t
136
137            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
138            /
139            /initrd
140
141       sysfs_t
142
143            /sys(/.*)?
144
145       usbfs_t
146
147
148

FILE CONTEXTS

150       SELinux requires files to have an extended attribute to define the file
151       type.
152
153       You can see the context of a file using the -Z option to ls
154
155       Policy  governs  the  access  confined  processes  have to these files.
156       SELinux bluetooth policy is very flexible allowing users to setup their
157       bluetooth processes in as secure a method as possible.
158
159       STANDARD FILE CONTEXT
160
161       SELinux defines the file context types for the bluetooth, if you wanted
162       to store files with these types in a diffent paths, you need to execute
163       the  semanage  command  to  sepecify  alternate  labeling  and then use
164       restorecon to put the labels on disk.
165
166       semanage fcontext -a  -t  bluetooth_unit_file_t  '/srv/mybluetooth_con‐
167       tent(/.*)?'
168       restorecon -R -v /srv/mybluetooth_content
169
170       Note:  SELinux  often  uses  regular expressions to specify labels that
171       match multiple files.
172
173       The following file types are defined for bluetooth:
174
175
176
177       bluetooth_conf_rw_t
178
179       - Set files with the bluetooth_conf_rw_t type, if you want to treat the
180       files as bluetooth conf read/write content.
181
182
183
184       bluetooth_conf_t
185
186       -  Set  files  with the bluetooth_conf_t type, if you want to treat the
187       files as bluetooth configuration data, usually stored  under  the  /etc
188       directory.
189
190
191
192       bluetooth_exec_t
193
194       -  Set  files with the bluetooth_exec_t type, if you want to transition
195       an executable to the bluetooth_t domain.
196
197
198       Paths:
199            /usr/bin/dund,   /usr/bin/hidd,   /usr/bin/pand,   /usr/sbin/hcid,
200            /usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hci‐
201            attach, /usr/sbin/bluetoothd, /usr/libexec/bluetooth/bluetoothd
202
203
204       bluetooth_helper_exec_t
205
206       - Set files with the bluetooth_helper_exec_t type, if you want to tran‐
207       sition an executable to the bluetooth_helper_t domain.
208
209
210
211       bluetooth_helper_tmp_t
212
213       -  Set files with the bluetooth_helper_tmp_t type, if you want to store
214       bluetooth helper temporary files in the /tmp directories.
215
216
217
218       bluetooth_helper_tmpfs_t
219
220       - Set files with the bluetooth_helper_tmpfs_t  type,  if  you  want  to
221       store bluetooth helper files on a tmpfs file system.
222
223
224
225       bluetooth_initrc_exec_t
226
227       - Set files with the bluetooth_initrc_exec_t type, if you want to tran‐
228       sition an executable to the bluetooth_initrc_t domain.
229
230
231       Paths:
232            /etc/rc.d/init.d/dund,                      /etc/rc.d/init.d/pand,
233            /etc/rc.d/init.d/bluetooth
234
235
236       bluetooth_lock_t
237
238       -  Set  files  with the bluetooth_lock_t type, if you want to treat the
239       files as bluetooth lock data, stored under the /var/lock directory
240
241
242
243       bluetooth_tmp_t
244
245       - Set files with the bluetooth_tmp_t type, if you want to  store  blue‐
246       tooth temporary files in the /tmp directories.
247
248
249
250       bluetooth_unit_file_t
251
252       -  Set  files with the bluetooth_unit_file_t type, if you want to treat
253       the files as bluetooth unit content.
254
255
256
257       bluetooth_var_lib_t
258
259       - Set files with the bluetooth_var_lib_t type, if you want to store the
260       bluetooth files under the /var/lib directory.
261
262
263
264       bluetooth_var_run_t
265
266       - Set files with the bluetooth_var_run_t type, if you want to store the
267       bluetooth files under the /run or /var/run directory.
268
269
270       Paths:
271            /var/run/sdp, /var/run/bluetoothd_address
272
273
274       Note: File context can be temporarily modified with the chcon  command.
275       If  you want to permanently change the file context you need to use the
276       semanage fcontext command.  This will modify the SELinux labeling data‐
277       base.  You will need to use restorecon to apply the labels.
278
279

COMMANDS

281       semanage  fcontext  can also be used to manipulate default file context
282       mappings.
283
284       semanage permissive can also be used to manipulate  whether  or  not  a
285       process type is permissive.
286
287       semanage  module can also be used to enable/disable/install/remove pol‐
288       icy modules.
289
290       semanage boolean can also be used to manipulate the booleans
291
292
293       system-config-selinux is a GUI tool available to customize SELinux pol‐
294       icy settings.
295
296

AUTHOR

298       This manual page was auto-generated using sepolicy manpage .
299
300

SEE ALSO

302       selinux(8),  bluetooth(8), semanage(8), restorecon(8), chcon(1), sepol‐
303       icy(8),      setsebool(8),      bluetooth_helper_selinux(8),      blue‐
304       tooth_helper_selinux(8)
305
306
307
308bluetooth                          20-05-05               bluetooth_selinux(8)
Impressum