Re: New boolean for using bluetooth


 



On 4/26/19 11:02 AM, Jason Zaman wrote:
> On Thu, Apr 25, 2019 at 06:58:27PM +0200, Lukas Vrabec wrote:
>> Hi All,
>>
>> I added a new SELinux boolean[1][2] to the Fedora SELinux policy called
>> deny_bluetooth.
>>
>> I would like to push it also to refpolicy, however, refpolicy is not
>> using bluetooth_socket at all, it's defined in policy but not used by
>> any SELinux domain. Can I also create a patch adding these rules from
>> Fedora policy? And also, for some reason my colleagues didn't follow
>> the naming conventions of global booleans with refpolicy (I didn't find any
>> deny_* boolean in refpolicy). So if it makes sense to add this kind of
>> boolean also to refpolicy, should I define it as allow_bluetooth?
> 
> I'd love for these to be upstreamed! But yes, it should be named
> "allow_bluetooth" and should be default disabled. Refpolicy doesn't have
> any deny_* booleans, and always defaults to disabled.
> (When we pull down into gentoo some booleans are default enabled but
> upstream always goes the secure route.)
> 

I see, okay. I will send a patch shortly.

Thanks,
Lukas.

> -- Jason
> 
>> [1] https://github.com/fedora-selinux/selinux-policy/commit/54c05f2645a660c545ec406558b42687df2552a7
>> [2] https://github.com/fedora-selinux/selinux-policy-contrib/commit/5a0561d7b67ae8403d4e1a44acfc8db40ee269a5
>>
>> Thanks,
>> Lukas.
>>
>> -- 
>> Lukas Vrabec
>> Senior Software Engineer, Security Technologies
>> Red Hat, Inc.
>>
> 
> 
> 


-- 
Lukas Vrabec
Senior Software Engineer, Security Technologies
Red Hat, Inc.
