1bluetooth_selinux(8)       SELinux Policy bluetooth       bluetooth_selinux(8)
2
3
4

NAME

6       bluetooth_selinux  -  Security  Enhanced Linux Policy for the bluetooth
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the bluetooth  processes  via  flexible
11       mandatory access control.
12
13       The  bluetooth processes execute with the bluetooth_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep bluetooth_t
20
21
22

ENTRYPOINTS

24       The  bluetooth_t  SELinux  type can be entered via the bluetooth_exec_t
25       file type.
26
27       The default entrypoint paths for the bluetooth_t domain are the follow‐
28       ing:
29
30       /usr/bin/dund,     /usr/bin/hidd,     /usr/bin/pand,    /usr/sbin/hcid,
31       /usr/sbin/sdpd,  /usr/bin/rfcomm,  /usr/sbin/hid2hci,  /usr/sbin/hciat‐
32       tach, /usr/sbin/bluetoothd, /usr/libexec/bluetooth/bluetoothd
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       bluetooth  policy  is very flexible allowing users to setup their blue‐
42       tooth processes in as secure a method as possible.
43
44       The following process types are defined for bluetooth:
45
46       bluetooth_t, bluetooth_helper_t
47
48       Note: semanage permissive -a  bluetooth_t  can  be  used  to  make  the
49       process  type  bluetooth_t  permissive. SELinux does not deny access to
50       permissive process types, but the AVC (SELinux  denials)  messages  are
51       still generated.
52
53

BOOLEANS

55       SELinux  policy  is customizable based on least access required.  blue‐
56       tooth policy is extremely flexible and has several booleans that  allow
57       you to manipulate the policy and run bluetooth with the tightest access
58       possible.
59
60
61
62       If you want to deny all system processes and Linux users to  use  blue‐
63       tooth wireless technology, you must turn on the deny_bluetooth boolean.
64       Enabled by default.
65
66       setsebool -P deny_bluetooth 1
67
68
69
70       If you want to allow all domains to execute in fips_mode, you must turn
71       on the fips_mode boolean. Enabled by default.
72
73       setsebool -P fips_mode 1
74
75
76
77       If you want to allow xguest to use blue tooth devices, you must turn on
78       the xguest_use_bluetooth boolean. Enabled by default.
79
80       setsebool -P xguest_use_bluetooth 1
81
82
83

MANAGED FILES

85       The SELinux process type bluetooth_t can manage files labeled with  the
86       following file types.  The paths listed are the default paths for these
87       file types.  Note the processes UID still need to have DAC permissions.
88
89       bluetooth_conf_rw_t
90
91            /etc/bluetooth/link_key
92
93       bluetooth_lock_t
94
95            /var/lock/subsys/bluetoothd
96
97       bluetooth_tmp_t
98
99
100       bluetooth_var_lib_t
101
102            /var/lib/bluetooth(/.*)?
103
104       bluetooth_var_run_t
105
106            /var/run/sdp
107            /var/run/bluetoothd_address
108
109       cluster_conf_t
110
111            /etc/cluster(/.*)?
112
113       cluster_var_lib_t
114
115            /var/lib/pcsd(/.*)?
116            /var/lib/cluster(/.*)?
117            /var/lib/openais(/.*)?
118            /var/lib/pengine(/.*)?
119            /var/lib/corosync(/.*)?
120            /usr/lib/heartbeat(/.*)?
121            /var/lib/heartbeat(/.*)?
122            /var/lib/pacemaker(/.*)?
123
124       cluster_var_run_t
125
126            /var/run/crm(/.*)?
127            /var/run/cman_.*
128            /var/run/rsctmp(/.*)?
129            /var/run/aisexec.*
130            /var/run/heartbeat(/.*)?
131            /var/run/pcsd-ruby.socket
132            /var/run/corosync-qnetd(/.*)?
133            /var/run/corosync-qdevice(/.*)?
134            /var/run/corosync.pid
135            /var/run/cpglockd.pid
136            /var/run/rgmanager.pid
137            /var/run/cluster/rgmanager.sk
138
139       krb5_host_rcache_t
140
141            /var/tmp/krb5_0.rcache2
142            /var/cache/krb5rcache(/.*)?
143            /var/tmp/nfs_0
144            /var/tmp/DNS_25
145            /var/tmp/host_0
146            /var/tmp/imap_0
147            /var/tmp/HTTP_23
148            /var/tmp/HTTP_48
149            /var/tmp/ldap_55
150            /var/tmp/ldap_487
151            /var/tmp/ldapmap1_0
152
153       root_t
154
155            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
156            /
157            /initrd
158
159       sysfs_t
160
161            /sys(/.*)?
162
163       usbfs_t
164
165
166

FILE CONTEXTS

168       SELinux requires files to have an extended attribute to define the file
169       type.
170
171       You can see the context of a file using the -Z option to ls
172
173       Policy  governs  the  access  confined  processes  have to these files.
174       SELinux bluetooth policy is very flexible allowing users to setup their
175       bluetooth processes in as secure a method as possible.
176
177       STANDARD FILE CONTEXT
178
179       SELinux defines the file context types for the bluetooth, if you wanted
180       to store files with these types in a diffent paths, you need to execute
181       the  semanage  command  to  specify alternate labeling and then use re‐
182       storecon to put the labels on disk.
183
184       semanage fcontext -a  -t  bluetooth_unit_file_t  '/srv/mybluetooth_con‐
185       tent(/.*)?'
186       restorecon -R -v /srv/mybluetooth_content
187
188       Note:  SELinux  often  uses  regular expressions to specify labels that
189       match multiple files.
190
191       The following file types are defined for bluetooth:
192
193
194
195       bluetooth_conf_rw_t
196
197       - Set files with the bluetooth_conf_rw_t type, if you want to treat the
198       files as bluetooth conf read/write content.
199
200
201
202       bluetooth_conf_t
203
204       -  Set  files  with the bluetooth_conf_t type, if you want to treat the
205       files as bluetooth configuration data, usually stored  under  the  /etc
206       directory.
207
208
209
210       bluetooth_exec_t
211
212       -  Set  files with the bluetooth_exec_t type, if you want to transition
213       an executable to the bluetooth_t domain.
214
215
216       Paths:
217            /usr/bin/dund,   /usr/bin/hidd,   /usr/bin/pand,   /usr/sbin/hcid,
218            /usr/sbin/sdpd, /usr/bin/rfcomm, /usr/sbin/hid2hci, /usr/sbin/hci‐
219            attach, /usr/sbin/bluetoothd, /usr/libexec/bluetooth/bluetoothd
220
221
222       bluetooth_helper_exec_t
223
224       - Set files with the bluetooth_helper_exec_t type, if you want to tran‐
225       sition an executable to the bluetooth_helper_t domain.
226
227
228
229       bluetooth_helper_tmp_t
230
231       -  Set files with the bluetooth_helper_tmp_t type, if you want to store
232       bluetooth helper temporary files in the /tmp directories.
233
234
235
236       bluetooth_helper_tmpfs_t
237
238       - Set files with the bluetooth_helper_tmpfs_t  type,  if  you  want  to
239       store bluetooth helper files on a tmpfs file system.
240
241
242
243       bluetooth_initrc_exec_t
244
245       - Set files with the bluetooth_initrc_exec_t type, if you want to tran‐
246       sition an executable to the bluetooth_initrc_t domain.
247
248
249       Paths:
250            /etc/rc.d/init.d/dund,                      /etc/rc.d/init.d/pand,
251            /etc/rc.d/init.d/bluetooth
252
253
254       bluetooth_lock_t
255
256       -  Set  files  with the bluetooth_lock_t type, if you want to treat the
257       files as bluetooth lock data, stored under the /var/lock directory
258
259
260
261       bluetooth_tmp_t
262
263       - Set files with the bluetooth_tmp_t type, if you want to  store  blue‐
264       tooth temporary files in the /tmp directories.
265
266
267
268       bluetooth_unit_file_t
269
270       -  Set  files with the bluetooth_unit_file_t type, if you want to treat
271       the files as bluetooth unit content.
272
273
274
275       bluetooth_var_lib_t
276
277       - Set files with the bluetooth_var_lib_t type, if you want to store the
278       bluetooth files under the /var/lib directory.
279
280
281
282       bluetooth_var_run_t
283
284       - Set files with the bluetooth_var_run_t type, if you want to store the
285       bluetooth files under the /run or /var/run directory.
286
287
288       Paths:
289            /var/run/sdp, /var/run/bluetoothd_address
290
291
292       Note: File context can be temporarily modified with the chcon  command.
293       If  you want to permanently change the file context you need to use the
294       semanage fcontext command.  This will modify the SELinux labeling data‐
295       base.  You will need to use restorecon to apply the labels.
296
297

COMMANDS

299       semanage  fcontext  can also be used to manipulate default file context
300       mappings.
301
302       semanage permissive can also be used to manipulate  whether  or  not  a
303       process type is permissive.
304
305       semanage  module can also be used to enable/disable/install/remove pol‐
306       icy modules.
307
308       semanage boolean can also be used to manipulate the booleans
309
310
311       system-config-selinux is a GUI tool available to customize SELinux pol‐
312       icy settings.
313
314

AUTHOR

316       This manual page was auto-generated using sepolicy manpage .
317
318

SEE ALSO

320       selinux(8),  bluetooth(8), semanage(8), restorecon(8), chcon(1), sepol‐
321       icy(8),      setsebool(8),      bluetooth_helper_selinux(8),      blue‐
322       tooth_helper_selinux(8)
323
324
325
326bluetooth                          23-02-03               bluetooth_selinux(8)
Impressum