Merge pull request #1076 from pebenito/bluetooth-notify-damodar.gangireddy

sepolicy: Add sepolicy rules for bluetooth Notify failures

Author: pebenito

policy/modules/services/bluetooth.te

@@ -157,6 +157,12 @@ optional_policy(`
 	optional_policy(`
 		systemd_dbus_chat_hostnamed(bluetooth_t)
 	')
+
+	optional_policy(`
+	    unconfined_use_fds(bluetooth_t)
+		unconfined_rw_stream_sockets(bluetooth_t)
+	')
+
 ')
 
 optional_policy(`
@@ -177,6 +183,7 @@ allow bluetooth_helper_t self:process getsched;
 allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
 allow bluetooth_helper_t self:shm create_shm_perms;
 allow bluetooth_helper_t self:unix_stream_socket { accept connectto listen };
+allow bluetooth_helper_t self:bluetooth_socket create_socket_perms;
 
 allow bluetooth_helper_t bluetooth_t:socket { read write };
 allow bluetooth_helper_t bluetooth_t:fd use;

policy/modules/services/dbus.te

@@ -310,6 +310,7 @@ optional_policy(`
 optional_policy(`
 	unconfined_dbus_send(system_dbusd_t)
 	unconfined_use_fds(system_dbusd_t)
+	unconfined_rw_stream_sockets(system_dbusd_t)
 ')
 
 optional_policy(`

policy/modules/system/unconfined.if

@@ -489,6 +489,24 @@ interface(`unconfined_stream_connect',`
 	allow $1 unconfined_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##	Allow a domain to read and write
+##	to unconfined unix stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to grant permission to.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_stream_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+	allow $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
 ########################################
 ## <summary>
 ##      Do not audit attempts to read and write