New boolean for using bluetooth

New boolean for using bluetooth

[Lukas Vrabec]

[-- Attachment #1.1: Type: text/plain, Size: 914 bytes --]

Hi All,

I added new SELinux boolean[1][2] to Fedora SELinux policy called
deny_bluetooth.

I would like to push it also to refpolicy, however, refpolicy is not
using bluetooth_socket at all, it's defined in policy but not used by
any SELinux domain. Can I create patch also with adding these rules from
Fedora policy? And also, for some reason my colleagues didn't follow
name conventions of global booleans with refpolicy (I didn't find any
deny_* boolean in refpolicy). So if it make sense to add these kind of
boolean also to refpolicy, should I defined it as allow_bluetooth ?

[1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
[2]
https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5

Thanks,
Lukas.

-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: New boolean for using bluetooth

[Russell Coker]

SE Linux is based on a default deny model. So failing to allow something means denying it at the lowest levels of policy. So probably a deny boolean is a bad idea.

As for writing a patch, is Fedora still way different from upstream? If so you need to separately do the patch for upstream.

On 26 April 2019 2:58:27 am AEST, Lukas Vrabec <lvrabec@redhat.com> wrote:
>Hi All,
>
>I added new SELinux boolean[1][2] to Fedora SELinux policy called
>deny_bluetooth.
>
>I would like to push it also to refpolicy, however, refpolicy is not
>using bluetooth_socket at all, it's defined in policy but not used by
>any SELinux domain. Can I create patch also with adding these rules
>from
>Fedora policy? And also, for some reason my colleagues didn't follow
>name conventions of global booleans with refpolicy (I didn't find any
>deny_* boolean in refpolicy). So if it make sense to add these kind of
>boolean also to refpolicy, should I defined it as allow_bluetooth ?
>
>[1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
>[2]
>https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>
>Thanks,
>Lukas.

-- 
Sent from my Huawei Mate 9 with K-9 Mail.

Re: New boolean for using bluetooth

[Jason Zaman]

On Thu, Apr 25, 2019 at 06:58:27PM +0200, Lukas Vrabec wrote:
> Hi All,
> 
> I added new SELinux boolean[1][2] to Fedora SELinux policy called
> deny_bluetooth.
> 
> I would like to push it also to refpolicy, however, refpolicy is not
> using bluetooth_socket at all, it's defined in policy but not used by
> any SELinux domain. Can I create patch also with adding these rules from
> Fedora policy? And also, for some reason my colleagues didn't follow
> name conventions of global booleans with refpolicy (I didn't find any
> deny_* boolean in refpolicy). So if it make sense to add these kind of
> boolean also to refpolicy, should I defined it as allow_bluetooth ?

I'd love for these to be upstreamed! but yes it should be named
"allow_bluetooth" and should be default disabled. Refpolicy doenst have
any deny_* booleans, and always defaults to disable.
(When we pull down into gentoo some booleans are default enabled but
upstream always goes the secure route.)

-- Jason

> [1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
> [2]
> https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
> 
> Thanks,
> Lukas.
> 
> -- 
> Lukas Vrabec
> Senior Software Engineer, Security Technologies
> Red Hat, Inc.
> 

Re: New boolean for using bluetooth

[Lukas Vrabec]

[-- Attachment #1.1: Type: text/plain, Size: 1587 bytes --]

On 4/26/19 11:02 AM, Jason Zaman wrote:
> On Thu, Apr 25, 2019 at 06:58:27PM +0200, Lukas Vrabec wrote:
>> Hi All,
>>
>> I added new SELinux boolean[1][2] to Fedora SELinux policy called
>> deny_bluetooth.
>>
>> I would like to push it also to refpolicy, however, refpolicy is not
>> using bluetooth_socket at all, it's defined in policy but not used by
>> any SELinux domain. Can I create patch also with adding these rules from
>> Fedora policy? And also, for some reason my colleagues didn't follow
>> name conventions of global booleans with refpolicy (I didn't find any
>> deny_* boolean in refpolicy). So if it make sense to add these kind of
>> boolean also to refpolicy, should I defined it as allow_bluetooth ?
> 
> I'd love for these to be upstreamed! but yes it should be named
> "allow_bluetooth" and should be default disabled. Refpolicy doenst have
> any deny_* booleans, and always defaults to disable.
> (When we pull down into gentoo some booleans are default enabled but
> upstream always goes the secure route.)
> 

I see, okay. I will send patch shortly.

Thanks,
Lukas.

> -- Jason
> 
>> [1]https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
>> [2]
>> https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>>
>> Thanks,
>> Lukas.
>>
>> -- 
>> Lukas Vrabec
>> Senior Software Engineer, Security Technologies
>> Red Hat, Inc.
>>
> 
> 
> 


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]