From ff7e5305b87da76735add3444846814958c5d555 Mon Sep 17 00:00:00 2001
From: rpcraig <rpcraig@tycho.ncsc.mil>
Date: Tue, 4 Dec 2012 08:09:02 -0500
Subject: [PATCH] Create policy for PAN connections.

Policy to allow bluetooth tethering.

Change-Id: Ic24c97b0e1dc93395b8381b78ca4929baa30337c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
---
 bluetooth.te | 6 +++++-
 dhcp.te      | 8 ++++++++
 netd.te      | 9 ++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index 102ee20e8..8fb088242 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -10,7 +10,7 @@ allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
 r_dir_file(bluetooth, bluetooth_efs_file)
 
 # Device accesses.
-allow bluetooth hci_attach_dev:chr_file rw_file_perms;
+allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
 allow bluetooth input_device:chr_file write;
 
 # sysfs access.
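Review bot: The widened device list at the replaced line grants bluetooth rw on uhid_device alongside tun_device, but only tun_device relates to the PAN tethering this commit describes; uhid_device (presumably the userspace-HID node used for Bluetooth keyboards/mice) is an unrelated widening that the commit message does not mention. Keep the grouped rule if both are needed, but say why each type is there, e.g. `# tun_device: PAN tethering (tap interface); uhid_device: BT HID input` above the line, or split uhid_device into its own commit so the tethering change stays reviewable on its own.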
@@ -21,3 +21,7 @@ allow bluetooth self:capability net_admin;
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
 allow bluetoothdomain self:socket *;
+
+# tethering
+allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth efs_file:dir search;
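Review bot: The last added rule, `allow bluetooth efs_file:dir search;`, sits under the new `# tethering` comment but is not a tethering permission; it looks like the directory traversal needed to reach bluetooth_efs_file, which the earlier `r_dir_file(bluetooth, bluetooth_efs_file)` line already covers for the leaf. Moving it next to that rule with `# search parent efs dir to reach bluetooth_efs_file` keeps the tethering block limited to the tun_socket/udp_socket rule and stops the next reader from assuming efs access is part of PAN. The tethering rule itself is tight (ioctl/create only, no read/write on the sockets), which is worth a short comment so nobody "completes" it later.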
diff --git a/dhcp.te b/dhcp.te
index 1cf7af51e..0c533eb40 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -22,3 +22,11 @@ unix_socket_connect(dhcp, property, init)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
 allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
+# netdev-bt-pan driver loading
+allow dhcp kernel:system module_request;
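Review bot: The four `allow dhcp netd:...` rules give dhcp read/write on sockets it inherits from netd, including netd's netlink_route, netlink_nflog and uevent sockets, which are privileged channels a DHCP client parsing untrusted network input should not hold. The tighter fix is on the netd side: open those sockets with close-on-exec so they never reach the dhcp child, and if the denials are only leaked-fd noise, silence them with `dontaudit` rather than `allow`. Likewise `allow dhcp kernel:system module_request;` duplicates a permission netd already has (visible in the netd.te hunk); since netd spawns dhcp, loading the netdev-bt-pan driver before the transition would keep module loading out of the dhcp domain entirely. I cannot see the dhcp.te header from this hunk, so whether dhcp already has related fd rules is inferred.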
diff --git a/netd.te b/netd.te
index 47687dc7d..654dae50f 100644
--- a/netd.te
+++ b/netd.te
@@ -4,7 +4,7 @@ type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
 typeattribute netd mlstrustedsubject;
-allow netd self:capability { net_admin net_raw sys_module };
+allow netd self:capability { net_admin net_raw sys_module kill };
 allow netd self:netlink_kobject_uevent_socket *;
 allow netd self:netlink_route_socket *;
 allow netd self:netlink_nflog_socket *;
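Review bot: The added `kill` capability at the replaced line has no comment explaining why netd now needs CAP_KILL; the reason is presumably that netd signals the dhcp child it spawns and that child runs under a different uid, which the DAC check requires CAP_KILL for. Add `# kill: signal the dhcp child netd spawns (runs as a different uid); see dhcp:process signal` so the capability is tied to the one target it is meant for. In SELinux terms the grant is still bounded by the `allow netd dhcp:process signal` rule in the second hunk, which is worth stating so a later reader does not read `kill` as netd being able to signal arbitrary domains.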
@@ -28,3 +28,10 @@ allow netd sysfs:file write;
 # Network driver loading.
 allow netd kernel:system module_request;
 
+# Set dhcp lease for PAN connection
+unix_socket_connect(netd, property, init)
+allow netd system_prop:property_service set;
+
+# Connect to PAN
+domain_auto_trans(netd, dhcp_exec, dhcp);
+allow netd dhcp:process signal;
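Review bot: `domain_auto_trans(netd, dhcp_exec, dhcp);` carries a trailing semicolon that the other macro invocations in this file (`init_daemon_domain(netd)` in the first hunk and `unix_socket_connect(netd, property, init)` just above) do not; the macro already expands to complete statements, so drop it, `domain_auto_trans(netd, dhcp_exec, dhcp)`, to avoid an empty statement that the policy compiler may reject depending on its grammar. Separately, `allow netd system_prop:property_service set;` lets netd set every property labeled system_prop, not only the DHCP lease properties the comment names; the property names that type covers are not visible here, but if a narrower type exists or can be added (e.g. a dedicated `dhcp_prop` type, name illustrative) it would confine netd's write access to what tethering needs.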