On Thu, Apr 25, 2019 at 06:58:27PM +0200, Lukas Vrabec wrote:
> Hi All,
>
> I added a new SELinux boolean[1][2] to Fedora SELinux policy called
> deny_bluetooth.
>
> I would like to push it also to refpolicy, however, refpolicy is not
> using bluetooth_socket at all, it's defined in policy but not used by
> any SELinux domain. Can I create a patch also adding these rules from
> Fedora policy? And also, for some reason my colleagues didn't follow
> the naming conventions of global booleans in refpolicy (I didn't find any
> deny_* boolean in refpolicy). So if it makes sense to add this kind of
> boolean also to refpolicy, should I define it as allow_bluetooth?

I'd love for these to be upstreamed! But yes, it should be named
"allow_bluetooth" and should be default disabled. Refpolicy doesn't have
any deny_* booleans, and always defaults to disable. (When we pull down
into Gentoo some booleans are default enabled but upstream always goes
the secure route.)

-- Jason

> [1] https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
> [2] https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>
> Thanks,
> Lukas.
>
> --
> Lukas Vrabec
> Senior Software Engineer, Security Technologies
> Red Hat, Inc.