SE Linux is based on a default deny model. So failing to allow something means denying it at the lowest levels of policy. So probably a deny boolean is a bad idea.

As for writing a patch, is Fedora still way different from upstream? If so you need to separately do the patch for upstream.

On 26 April 2019 2:58:27 am AEST, Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
>Hi All,
>
>I added new SELinux boolean[1][2] to Fedora SELinux policy called
>deny_bluetooth.
>
>I would like to push it also to refpolicy, however, refpolicy is not
>using bluetooth_socket at all, it's defined in policy but not used by
>any SELinux domain. Can I create patch also with adding these rules
>from Fedora policy? And also, for some reason my colleagues didn't
>follow name conventions of global booleans with refpolicy (I didn't
>find any deny_* boolean in refpolicy). So if it makes sense to add this
>kind of boolean also to refpolicy, should I define it as
>allow_bluetooth?
>
>[1] https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
>[2] https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>
>Thanks,
>Lukas.

--
Sent from my Huawei Mate 9 with K-9 Mail.