On 4/26/19 11:02 AM, Jason Zaman wrote:
> On Thu, Apr 25, 2019 at 06:58:27PM +0200, Lukas Vrabec wrote:
>> Hi All,
>>
>> I added new SELinux boolean[1][2] to Fedora SELinux policy called
>> deny_bluetooth.
>>
>> I would like to push it also to refpolicy, however, refpolicy is not
>> using bluetooth_socket at all, it's defined in policy but not used by
>> any SELinux domain. Can I create patch also with adding these rules from
>> Fedora policy? And also, for some reason my colleagues didn't follow
>> name conventions of global booleans with refpolicy (I didn't find any
>> deny_* boolean in refpolicy). So if it makes sense to add this kind of
>> boolean also to refpolicy, should I define it as allow_bluetooth?
>
> I'd love for these to be upstreamed! But yes, it should be named
> "allow_bluetooth" and should be default disabled. Refpolicy doesn't have
> any deny_* booleans, and always defaults to disable.
> (When we pull down into Gentoo some booleans are default enabled but
> upstream always goes the secure route.)
>

I see, okay. I will send patch shortly.

Thanks,
Lukas.

> -- Jason
>
>> [1] https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
>> [2] https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>>
>> Thanks,
>> Lukas.
>>
>> --
>> Lukas Vrabec
>> Senior Software Engineer, Security Technologies
>> Red Hat, Inc.
>>
>
>

--
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.