bluetooth_selinux(8) SELinux Policy bluetooth bluetooth_selinux(8)

NAME
bluetooth_selinux - Security Enhanced Linux Policy for the bluetooth
processes

DESCRIPTION
Security-Enhanced Linux secures the bluetooth processes via flexible
mandatory access control.

The bluetooth processes execute with the bluetooth_t SELinux type. You
can check whether these processes are running by executing the ps
command with the -Z qualifier.

For example:

ps -eZ | grep bluetooth_t

ENTRYPOINTS
The bluetooth_t SELinux type can be entered via the bluetooth_exec_t
file type.

The default entrypoint paths for the bluetooth_t domain are the
following:

/usr/bin/dund, /usr/bin/hidd, /usr/bin/pand, /usr/sbin/hcid,
/usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hciattach,
/usr/sbin/bluetoothd, /usr/libexec/bluetooth/bluetoothd

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. The SELinux
bluetooth policy is very flexible, allowing users to set up their
bluetooth processes in as secure a manner as possible.

The following process types are defined for bluetooth:

bluetooth_t, bluetooth_helper_t

Note: semanage permissive -a bluetooth_t can be used to make the process
type bluetooth_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denial) messages are still
generated.

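Because a permissive bluetooth_t still emits AVC records, the useful next step is to read those records systematically before deciding whether a denial is a labeling mistake or a real policy gap. The following shell script is an added example, not part of the sepolicy-generated man page: it parses audit-style AVC lines from standard input, keeps only denials whose source domain is the requested type, and aggregates them by target class, target type and permission; a second function flags denials whose target type is outside the list the MANAGED FILES section gives for bluetooth_t. The audit lines are constructed samples (pids, inodes and timestamps are made up), and the function names and the managed-type list are this example's own.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Summarise AVC denials for one source domain, e.g. bluetooth_t while permissive.

# Constructed sample of audit.log AVC records (pids, inodes and timestamps are
# made up; the field layout follows the kernel's AVC message format).
SAMPLE_AVC='type=AVC msg=audit(1675400000.101:201): avc:  denied  { read } for  pid=1201 comm="bluetoothd" name="link_key" dev="dm-0" ino=4711 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:bluetooth_conf_rw_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675400000.102:202): avc:  denied  { write } for  pid=1201 comm="bluetoothd" name="bluetoothd" dev="tmpfs" ino=4712 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1675400000.103:203): avc:  denied  { getattr open } for  pid=1201 comm="bluetoothd" path="/etc/shadow" dev="dm-0" ino=99 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675400000.104:204): avc:  denied  { read } for  pid=1301 comm="sshd" name="foo" dev="dm-0" ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary DOMAIN  (audit records on stdin)
# Prints "tclass target_type permissions count", one line per distinct tuple.
avc_summary() {
    awk -v dom="$1" '
        /avc: +denied/ {
            src = ""; tgt = ""; cls = ""; perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }   # user:role:type:level
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
                else if ($i == "{") {
                    # permissions are listed between "{" and "}"
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                }
            }
            if (src == dom) count[cls " " tgt " " perm]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Target types this man page lists under MANAGED FILES for bluetooth_t.
BLUETOOTH_MANAGED_TYPES='bluetooth_conf_rw_t bluetooth_lock_t bluetooth_tmp_t bluetooth_var_lib_t bluetooth_var_run_t cluster_conf_t cluster_var_lib_t cluster_var_run_t krb5_host_rcache_t root_t sysfs_t usbfs_t'

# avc_unexpected DOMAIN  (audit records on stdin)
# Keeps only denials whose target type is outside the managed-files list;
# these deserve investigation rather than a blanket local allow rule.
avc_unexpected() {
    avc_summary "$1" | awk -v allowed="$BLUETOOTH_MANAGED_TYPES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }
    '
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary bluetooth_t
printf '%s\n' "$SAMPLE_AVC" | avc_unexpected bluetooth_t
```

On a real host the input would come from the audit log (for example `grep avc /var/log/audit/audit.log | avc_summary bluetooth_t`); the unexpected-target list is the part worth reading first, since a denial against a type such as shadow_t is exactly what the confinement is there to stop.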
BOOLEANS
SELinux policy is customizable based on the least access required. The
bluetooth policy is extremely flexible and has several booleans that
allow you to manipulate the policy and run bluetooth with the tightest
access possible.

If you want to deny all system processes and Linux users the use of
bluetooth wireless technology, you must turn on the deny_bluetooth
boolean. Enabled by default.

setsebool -P deny_bluetooth 1

If you want to allow all domains to execute in fips_mode, you must turn
on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to allow xguest to use bluetooth devices, you must turn on
the xguest_use_bluetooth boolean. Enabled by default.

setsebool -P xguest_use_bluetooth 1

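Booleans drift: a setsebool without -P is lost at reboot, and a later package or admin may flip one back. The following shell script is an added example, not part of the sepolicy-generated man page: it compares "getsebool -a" output (read from standard input) against a desired baseline for the three booleans documented above and prints the setsebool -P commands needed to converge, or a note for a boolean the policy does not define. The baseline values (deny bluetooth everywhere, keep fips_mode on, no bluetooth for xguest) are this example's chosen hardening state rather than defaults taken from the page, the getsebool lines are constructed, and the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Compare live boolean state ("getsebool -a" format on stdin) with a desired
# baseline and print the setsebool -P commands needed to converge.

# Desired state for the three booleans this man page documents. These are
# the example's chosen hardening baseline, not defaults taken from the page.
BLUETOOTH_BASELINE='deny_bluetooth on
fips_mode on
xguest_use_bluetooth off'

# Constructed sample of "getsebool -a" output; the unrelated httpd boolean
# shows that only baseline entries are considered.
SAMPLE_GETSEBOOL='deny_bluetooth --> off
fips_mode --> on
httpd_can_network_connect --> off
xguest_use_bluetooth --> on'

# bool_drift BASELINE  ("getsebool -a" output on stdin)
# Prints one "setsebool -P name 0|1" line per boolean that differs from the
# baseline, and a "#" comment for a baseline boolean the policy lacks.
bool_drift() {
    awk -v baseline="$1" '
        BEGIN {
            n = split(baseline, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in want) { have[$1] = $3 }
        END {
            for (b in want) {
                if (!(b in have))
                    print "# " b ": boolean not present on this system"
                else if (have[b] != want[b])
                    print "setsebool -P " b " " (want[b] == "on" ? 1 : 0)
            }
        }
    ' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_GETSEBOOL" | bool_drift "$BLUETOOTH_BASELINE"
```

On a live system the pipeline is `getsebool -a | bool_drift "$BLUETOOTH_BASELINE"`; the output is deliberately a list of commands to review rather than something the script runs itself, so the -P (persistent) change is still an explicit administrative step.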
MANAGED FILES
The SELinux process type bluetooth_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

bluetooth_conf_rw_t

/etc/bluetooth/link_key

bluetooth_lock_t

/var/lock/subsys/bluetoothd

bluetooth_tmp_t

bluetooth_var_lib_t

/var/lib/bluetooth(/.*)?

bluetooth_var_run_t

/var/run/sdp
/var/run/bluetoothd_address

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/pcsd-ruby.socket
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

krb5_host_rcache_t

/var/tmp/krb5_0.rcache2
/var/cache/krb5rcache(/.*)?
/var/tmp/nfs_0
/var/tmp/DNS_25
/var/tmp/host_0
/var/tmp/imap_0
/var/tmp/HTTP_23
/var/tmp/HTTP_48
/var/tmp/ldap_55
/var/tmp/ldap_487
/var/tmp/ldapmap1_0

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

sysfs_t

/sys(/.*)?

usbfs_t

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. The
SELinux bluetooth policy is very flexible, allowing users to set up
their bluetooth processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for bluetooth. If you want to
store files with these types in different paths, you need to execute
the semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk.

semanage fcontext -a -t bluetooth_unit_file_t '/srv/mybluetooth_content(/.*)?'
restorecon -R -v /srv/mybluetooth_content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for bluetooth:

bluetooth_conf_rw_t

- Set files with the bluetooth_conf_rw_t type, if you want to treat the
files as bluetooth conf read/write content.

bluetooth_conf_t

- Set files with the bluetooth_conf_t type, if you want to treat the
files as bluetooth configuration data, usually stored under the /etc
directory.

bluetooth_exec_t

- Set files with the bluetooth_exec_t type, if you want to transition
an executable to the bluetooth_t domain.

Paths:
/usr/bin/dund, /usr/bin/hidd, /usr/bin/pand, /usr/sbin/hcid,
/usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hciattach,
/usr/sbin/bluetoothd, /usr/libexec/bluetooth/bluetoothd

bluetooth_helper_exec_t

- Set files with the bluetooth_helper_exec_t type, if you want to
transition an executable to the bluetooth_helper_t domain.

bluetooth_helper_tmp_t

- Set files with the bluetooth_helper_tmp_t type, if you want to store
bluetooth helper temporary files in the /tmp directories.

bluetooth_helper_tmpfs_t

- Set files with the bluetooth_helper_tmpfs_t type, if you want to
store bluetooth helper files on a tmpfs file system.

bluetooth_initrc_exec_t

- Set files with the bluetooth_initrc_exec_t type, if you want to
transition an executable to the bluetooth_initrc_t domain.

Paths:
/etc/rc.d/init.d/dund, /etc/rc.d/init.d/pand,
/etc/rc.d/init.d/bluetooth

bluetooth_lock_t

- Set files with the bluetooth_lock_t type, if you want to treat the
files as bluetooth lock data, stored under the /var/lock directory.

bluetooth_tmp_t

- Set files with the bluetooth_tmp_t type, if you want to store
bluetooth temporary files in the /tmp directories.

bluetooth_unit_file_t

- Set files with the bluetooth_unit_file_t type, if you want to treat
the files as bluetooth unit content.

bluetooth_var_lib_t

- Set files with the bluetooth_var_lib_t type, if you want to store the
bluetooth files under the /var/lib directory.

bluetooth_var_run_t

- Set files with the bluetooth_var_run_t type, if you want to store the
bluetooth files under the /run or /var/run directory.

Paths:
/var/run/sdp, /var/run/bluetoothd_address

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

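The file types above only protect anything if the files on disk actually carry them; a directory restored from backup or a daemon binary copied into place by hand will typically carry a generic label, and bluetooth_t will then be denied access to it (or, worse, the file will be reachable by domains that should not see it). The following shell script is an added example, not part of the sepolicy-generated man page: it takes "context path" lines in the form ls -Zd prints and compares each file's type with the type the default paths listed in this page say it should have, reporting what a restorecon run would change, much like a restorecon -nv dry run. Passing a rule of your own reproduces the STANDARD FILE CONTEXT procedure, where a semanage fcontext rule for /srv/mybluetooth_content must exist before restorecon will touch that tree. The rule list is transcribed from the paths on this page with explicit ^ and $ anchors (file_contexts regexes match the whole path), the listing is constructed, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page.
# Dry-run label check: compare the label each file carries (ls -Zd style
# "context path" lines on stdin) with the label the file-context rules say
# it should have, and report what restorecon would change.

# Rules transcribed from the paths this man page lists, as "regex type".
# SELinux file_contexts regexes match the whole path, so they are anchored
# here with ^ and $. First matching rule wins, so list specific rules first.
BLUETOOTH_FCONTEXT='^/etc/bluetooth/link_key$ bluetooth_conf_rw_t
^/var/lock/subsys/bluetoothd$ bluetooth_lock_t
^/var/lib/bluetooth(/.*)?$ bluetooth_var_lib_t
^/var/run/sdp$ bluetooth_var_run_t
^/var/run/bluetoothd_address$ bluetooth_var_run_t
^/usr/libexec/bluetooth/bluetoothd$ bluetooth_exec_t
^/etc/rc.d/init.d/bluetooth$ bluetooth_initrc_exec_t'

# Constructed listing in the form "ls -Zd" prints (context, then path).
# Entry 2 imitates a directory restored from backup without its label,
# entry 4 a daemon binary copied rather than installed from a package.
# /etc/bluetooth/main.conf has no default path on this page (bluetooth_conf_t
# is listed without one), so no rule covers it and it is not reported.
SAMPLE_LISTING='system_u:object_r:bluetooth_var_lib_t:s0 /var/lib/bluetooth/AA:BB:CC:DD:EE:FF
unconfined_u:object_r:var_lib_t:s0 /var/lib/bluetooth/restored-from-backup
system_u:object_r:bluetooth_conf_rw_t:s0 /etc/bluetooth/link_key
system_u:object_r:bin_t:s0 /usr/libexec/bluetooth/bluetoothd
system_u:object_r:etc_t:s0 /etc/bluetooth/main.conf'

# label_drift [RULES]  (listing on stdin; RULES defaults to BLUETOOTH_FCONTEXT)
# Prints one "relabel PATH from HAVE to WANT" line per mislabeled file.
label_drift() {
    awk -v rules="${1:-$BLUETOOTH_FCONTEXT}" '
        BEGIN {
            n = split(rules, r, "\n")
            for (i = 1; i <= n; i++) { split(r[i], p, " "); re[i] = p[1]; ty[i] = p[2] }
        }
        NF == 2 {
            split($1, c, ":"); have = c[3]        # user:role:type:level -> type
            for (i = 1; i <= n; i++)
                if ($2 ~ re[i]) {
                    if (have != ty[i]) print "relabel " $2 " from " have " to " ty[i]
                    break
                }
        }
    '
}

printf '%s\n' "$SAMPLE_LISTING" | label_drift
```

On a real host the listing would come from something like `find /var/lib/bluetooth /etc/bluetooth -exec ls -Zd {} +`; the script only reports, and the actual fix remains `restorecon -R -v` on the affected paths, after `semanage fcontext -a` for any path that is not in the default rules.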
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), bluetooth(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), bluetooth_helper_selinux(8)

bluetooth 23-02-03 bluetooth_selinux(8)