Merge sbin_t and ls_exec_t into bin_t.

Changelog

@@ -1,3 +1,4 @@
+- Merge sbin_t and ls_exec_t into bin_t.
 - Remove disable_trans booleans.
 - Output different header sets for kernel and userland from flask headers.
 - Marked the pax class as deprecated, changed it to userland so

policy/modules/admin/acct.if

@@ -15,7 +15,7 @@ interface(`acct_domtrans',`
 		type acct_t, acct_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,acct_exec_t,acct_t)
 ')
 
@@ -34,7 +34,7 @@ interface(`acct_exec',`
 		type acct_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	can_exec($1,acct_exec_t)
 ')
 

policy/modules/admin/acct.te

@@ -44,7 +44,6 @@ fs_getattr_xattr_fs(acct_t)
 
 term_dontaudit_use_console(acct_t)
 
-corecmd_search_sbin(acct_t)
 corecmd_exec_bin(acct_t)
 corecmd_exec_shell(acct_t)
 

policy/modules/admin/amanda.te

@@ -145,7 +145,6 @@ files_getattr_all_pipes(amanda_t)
 files_getattr_all_sockets(amanda_t)
 
 corecmd_exec_shell(amanda_t)
-corecmd_exec_sbin(amanda_t)
 corecmd_exec_bin(amanda_t)
 
 libs_use_ld_so(amanda_t)

policy/modules/admin/apt.te

@@ -71,7 +71,6 @@ kernel_read_kernel_sysctls(apt_t)
 # to launch dpkg-preconfigure
 corecmd_exec_bin(apt_t)
 corecmd_exec_shell(apt_t)
-corecmd_exec_sbin(apt_t)
 
 corenet_non_ipsec_sendrecv(apt_t)
 corenet_tcp_sendrecv_all_if(apt_t)

policy/modules/admin/certwatch.if

@@ -16,7 +16,7 @@ interface(`certwatch_domtrans',`
 	')
 
 	files_search_usr($1)
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,certwatch_exec_t,certwatch_t)
 ')
 

policy/modules/admin/consoletype.if

@@ -17,7 +17,7 @@ interface(`consoletype_domtrans',`
 		type consoletype_t, consoletype_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,consoletype_exec_t,consoletype_t)
 ')
 
@@ -68,6 +68,6 @@ interface(`consoletype_exec',`
 		type consoletype_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	can_exec($1,consoletype_exec_t)
 ')

policy/modules/admin/ddcprobe.te

@@ -26,9 +26,8 @@ kernel_change_ring_buffer_level(ddcprobe_t)
 
 files_search_kernel_modules(ddcprobe_t)
 
-corecmd_list_sbin(ddcprobe_t)
 corecmd_list_bin(ddcprobe_t)
-corecmd_exec_sbin(ddcprobe_t)
+corecmd_exec_bin(ddcprobe_t)
 
 dev_read_urand(ddcprobe_t)
 dev_read_raw_memory(ddcprobe_t)

policy/modules/admin/dmesg.if

@@ -23,7 +23,7 @@ interface(`dmesg_domtrans',`
 			type dmesg_t, dmesg_exec_t;
 		')
 
-		corecmd_search_sbin($1)
+		corecmd_search_bin($1)
 		domain_auto_trans($1,dmesg_exec_t,dmesg_t)
 
 		allow $1 dmesg_t:fd use;
@@ -54,8 +54,7 @@ interface(`dmesg_exec',`
 			type dmesg_exec_t;
 		')
 
-		corecmd_search_sbin($1)
+		corecmd_search_bin($1)
 		can_exec($1,dmesg_exec_t)
 	')
 ')
-

policy/modules/admin/logrotate.te

@@ -83,9 +83,7 @@ auth_manage_login_records(logrotate_t)
 
 # Run helper programs.
 corecmd_exec_bin(logrotate_t)
-corecmd_exec_sbin(logrotate_t)
 corecmd_exec_shell(logrotate_t)
-corecmd_exec_ls(logrotate_t)
 
 domain_signal_all_domains(logrotate_t)
 domain_use_interactive_fds(logrotate_t)

policy/modules/admin/logwatch.te

@@ -45,12 +45,8 @@ kernel_read_fs_sysctls(logwatch_t)
 kernel_read_kernel_sysctls(logwatch_t)
 kernel_read_system_state(logwatch_t)
 
-corecmd_read_sbin_symlinks(logwatch_t)
-corecmd_read_sbin_files(logwatch_t)
 corecmd_exec_bin(logwatch_t)
-corecmd_exec_sbin(logwatch_t)
 corecmd_exec_shell(logwatch_t)
-corecmd_exec_ls(logwatch_t)
 
 dev_read_urand(logwatch_t)
 dev_search_sysfs(logwatch_t)

policy/modules/admin/mrtg.te

@@ -61,7 +61,6 @@ kernel_read_network_state(mrtg_t)
 kernel_read_kernel_sysctls(mrtg_t)
 
 corecmd_exec_bin(mrtg_t)
-corecmd_exec_sbin(mrtg_t)
 corecmd_exec_shell(mrtg_t)
 
 corenet_non_ipsec_sendrecv(mrtg_t)

policy/modules/admin/portage.if

@@ -241,7 +241,6 @@ interface(`portage_fetch_domain',`
 	kernel_read_kernel_sysctls($1)
 
 	corecmd_exec_bin($1)
-	corecmd_exec_sbin($1)
 
 	corenet_non_ipsec_sendrecv($1)
 	corenet_tcp_sendrecv_generic_if($1)

policy/modules/admin/portage.te

@@ -88,11 +88,8 @@ kernel_read_system_state(gcc_config_t)
 kernel_read_kernel_sysctls(gcc_config_t)
 
 corecmd_exec_shell(gcc_config_t)
-corecmd_exec_ls(gcc_config_t)
 corecmd_exec_bin(gcc_config_t)
-corecmd_exec_sbin(gcc_config_t)
 corecmd_manage_bin_files(gcc_config_t)
-corecmd_read_sbin_symlinks(gcc_config_t)
 
 files_manage_etc_files(gcc_config_t)
 files_rw_etc_runtime_files(gcc_config_t)

policy/modules/admin/prelink.if

@@ -15,7 +15,7 @@ interface(`prelink_domtrans',`
 		type prelink_t, prelink_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1, prelink_exec_t, prelink_t)
 ')
 

policy/modules/admin/prelink.te

@@ -55,7 +55,6 @@ kernel_dontaudit_search_sysctl(prelink_t)
 corecmd_manage_all_executables(prelink_t)
 corecmd_relabel_all_executables(prelink_t)
 corecmd_mmap_all_executables(prelink_t)
-corecmd_read_sbin_symlinks(prelink_t)
 corecmd_read_bin_symlinks(prelink_t)
 
 dev_read_urand(prelink_t)

policy/modules/admin/su.if

@@ -208,7 +208,6 @@ template(`su_per_role_template',`
 	auth_use_nsswitch($1_su_t)
 
 	corecmd_search_bin($1_su_t)
-	corecmd_search_sbin($1_su_t)
 
 	domain_use_interactive_fds($1_su_t)
 

policy/modules/admin/sudo.if

@@ -94,7 +94,7 @@ template(`sudo_per_role_template',`
 	# sudo stores a token in the pam_pid directory
 	auth_manage_pam_pid($1_sudo_t)
 
-	corecmd_read_sbin_symlinks($1_sudo_t)
+	corecmd_read_bin_symlinks($1_sudo_t)
 	corecmd_getattr_all_executables($1_sudo_t)
 
 	domain_use_interactive_fds($1_sudo_t)

policy/modules/admin/sxid.te

@@ -40,7 +40,6 @@ kernel_read_system_state(sxid_t)
 kernel_read_kernel_sysctls(sxid_t)
 
 corecmd_exec_bin(sxid_t)
-corecmd_exec_sbin(sxid_t)
 corecmd_exec_shell(sxid_t)
 
 corenet_non_ipsec_sendrecv(sxid_t)

policy/modules/admin/tmpreaper.if

@@ -16,6 +16,6 @@ interface(`tmpreaper_exec',`
 	')
 
 	files_search_usr($1)
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	can_exec($1,tmpreaper_exec_t)
 ')

policy/modules/admin/tripwire.te

@@ -74,7 +74,7 @@ kernel_getattr_message_if(tripwire_t)
 kernel_read_kernel_sysctls(tripwire_t)
 
 corecmd_exec_shell(tripwire_t)
-corecmd_exec_sbin(tripwire_t)
+corecmd_exec_bin(tripwire_t)
 
 domain_use_interactive_fds(tripwire_t)
 

policy/modules/admin/updfstab.if

@@ -16,6 +16,6 @@ interface(`updfstab_domtrans',`
 	')
 
 	files_search_usr($1)
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,updfstab_exec_t,updfstab_t)
 ')

policy/modules/admin/updfstab.te

@@ -53,8 +53,6 @@ storage_write_scsi_generic(updfstab_t)
 term_dontaudit_use_console(updfstab_t)
 
 corecmd_exec_bin(updfstab_t)
-corecmd_exec_sbin(updfstab_t)
-corecmd_exec_ls(updfstab_t)
 
 domain_use_interactive_fds(updfstab_t)
 

policy/modules/admin/usermanage.if

@@ -67,7 +67,7 @@ interface(`usermanage_domtrans_groupadd',`
 	')
 
 	files_search_usr($1)
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,groupadd_exec_t,groupadd_t)
 ')
 
@@ -226,7 +226,7 @@ interface(`usermanage_domtrans_useradd',`
 	')
 
 	files_search_usr($1)
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,useradd_exec_t,useradd_t)
 ')
 

policy/modules/admin/usermanage.te

@@ -101,9 +101,6 @@ dev_read_urand(chfn_t)
 auth_domtrans_chk_passwd(chfn_t)
 auth_dontaudit_read_shadow(chfn_t)
 
-# can exec /sbin/unix_chkpwd
-corecmd_search_bin(chfn_t)
-corecmd_search_sbin(chfn_t)
 # allow checking if a shell is executable
 corecmd_check_exec_shell(chfn_t)
 
@@ -170,7 +167,6 @@ files_read_etc_runtime_files(crack_t)
 files_read_usr_files(crack_t)
 
 corecmd_exec_bin(crack_t)
-corecmd_dontaudit_search_sbin(crack_t)
 
 libs_use_ld_so(crack_t)
 libs_use_shared_libs(crack_t)
@@ -233,7 +229,6 @@ libs_use_shared_libs(groupadd_t)
 
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
-corecmd_exec_sbin(groupadd_t)
 
 logging_send_syslog_msg(groupadd_t)
 
@@ -401,10 +396,7 @@ auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
 auth_etc_filetrans_shadow(sysadm_passwd_t)
 
-# allow checking if a shell is executable
-corecmd_check_exec_shell(sysadm_passwd_t)
 # allow vipw to exec the editor
-corecmd_search_sbin(sysadm_passwd_t)
 corecmd_exec_bin(sysadm_passwd_t)
 corecmd_exec_shell(sysadm_passwd_t)
 files_read_usr_files(sysadm_passwd_t)
@@ -470,7 +462,6 @@ kernel_read_kernel_sysctls(useradd_t)
 corecmd_exec_shell(useradd_t)
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(useradd_t)
-corecmd_exec_sbin(useradd_t)
 
 domain_use_interactive_fds(useradd_t)
 

policy/modules/admin/vbetool.if

@@ -15,6 +15,6 @@ interface(`vbetool_domtrans',`
 		type vbetool_t, vbetool_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,vbetool_exec_t,vbetool_t)
 ')

policy/modules/apps/ethereal.if

@@ -76,7 +76,7 @@ template(`ethereal_per_role_template',`
 
 	# Re-execute itself (why?)
 	can_exec($1_ethereal_t, ethereal_exec_t)
-	corecmd_search_sbin($1_ethereal_t)
+	corecmd_search_bin($1_ethereal_t)
 
 	# /home/.ethereal
 	manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)

policy/modules/apps/evolution.if

@@ -187,7 +187,7 @@ template(`evolution_per_role_template',`
 	corecmd_exec_shell($1_evolution_t)
 	# Run various programs
 	corecmd_exec_bin($1_evolution_t)
-	corecmd_exec_sbin($1_evolution_t)
+	corecmd_exec_bin($1_evolution_t)
 
 	corenet_non_ipsec_sendrecv($1_evolution_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_t)

policy/modules/apps/games.if

@@ -90,7 +90,6 @@ template(`games_per_role_template',`
 	kernel_read_system_state($1_games_t)
 
 	corecmd_exec_bin($1_games_t)
-	corecmd_exec_sbin($1_games_t)
 
 	corenet_non_ipsec_sendrecv($1_games_t)
 	corenet_tcp_sendrecv_generic_if($1_games_t)

policy/modules/apps/loadkeys.te

@@ -34,7 +34,6 @@ ifdef(`targeted_policy',`
 
 	corecmd_exec_bin(loadkeys_t)
 	corecmd_exec_shell(loadkeys_t)
-	corecmd_search_sbin(loadkeys_t)
 
 	files_read_etc_files(loadkeys_t)
 	files_read_etc_runtime_files(loadkeys_t)

policy/modules/apps/mozilla.if

@@ -115,7 +115,6 @@ template(`mozilla_per_role_template',`
 	kernel_read_system_state($1_mozilla_t)
 	kernel_read_net_sysctls($1_mozilla_t)
 
-	corecmd_search_sbin($1_mozilla_t)
 	# Look for plugins 
 	corecmd_list_bin($1_mozilla_t)
 	# for bash - old mozilla binary

policy/modules/apps/screen.if

@@ -107,11 +107,6 @@ template(`screen_per_role_template',`
 	corecmd_read_bin_symlinks($1_screen_t)
 	corecmd_read_bin_pipes($1_screen_t)
 	corecmd_read_bin_sockets($1_screen_t)
-	corecmd_list_sbin($1_screen_t)
-	corecmd_read_sbin_symlinks($1_screen_t)
-	corecmd_read_sbin_files($1_screen_t)
-	corecmd_read_sbin_pipes($1_screen_t)
-	corecmd_read_sbin_sockets($1_screen_t)
 	# Revert to the user domain when a shell is executed.
 	corecmd_shell_domtrans($1_screen_t,$2)
 	corecmd_bin_domtrans($1_screen_t,$2)

policy/modules/apps/thunderbird.if

@@ -101,9 +101,8 @@ template(`thunderbird_per_role_template',`
 	kernel_read_net_sysctls($1_thunderbird_t)
 	kernel_read_system_state($1_thunderbird_t)
 	
-	corecmd_exec_shell($1_thunderbird_t)
 	# Startup shellscript
-	corecmd_search_sbin($1_thunderbird_t)
+	corecmd_exec_shell($1_thunderbird_t)
 
 	corenet_non_ipsec_sendrecv($1_thunderbird_t)
 	corenet_tcp_sendrecv_generic_if($1_thunderbird_t)

policy/modules/apps/uml.if

@@ -151,7 +151,6 @@ template(`uml_per_role_template',`
 
 	# for xterm
 	corecmd_exec_bin($1_uml_t)
-	corecmd_exec_sbin($1_uml_t)
 
 	corenet_non_ipsec_sendrecv($1_uml_t)
 	corenet_tcp_sendrecv_generic_if($1_uml_t)

policy/modules/apps/userhelper.if

@@ -88,7 +88,6 @@ template(`userhelper_per_role_template',`
 	corecmd_exec_shell($1_userhelper_t)
 	# By default, revert to the calling domain when a program is executed
 	corecmd_bin_domtrans($1_userhelper_t,$2)
-	corecmd_sbin_domtrans($1_userhelper_t,$2)
 
 	# Inherit descriptors from the current session.
 	domain_use_interactive_fds($1_userhelper_t)
@@ -152,7 +151,6 @@ template(`userhelper_per_role_template',`
 	userdom_use_unpriv_users_fds($1_userhelper_t)
 	# Allow $1_userhelper_t to transition to user domains.
 	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
-	userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
 	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
 
 	ifdef(`distro_redhat',`
@@ -165,7 +163,6 @@ template(`userhelper_per_role_template',`
 	tunable_policy(`! secure_mode',`
 		#if we are not in secure mode then we can transition to sysadm_t
 		userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
-		userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)
 		userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
 	')
 	

policy/modules/apps/usernetctl.te

@@ -37,8 +37,6 @@ kernel_read_kernel_sysctls(usernetctl_t)
 
 corecmd_list_bin(usernetctl_t)
 corecmd_exec_bin(usernetctl_t)
-corecmd_list_sbin(usernetctl_t)
-corecmd_exec_sbin(usernetctl_t)
 corecmd_exec_shell(usernetctl_t)
 
 domain_dontaudit_read_all_domains_state(usernetctl_t)

policy/modules/apps/yam.if

@@ -15,7 +15,7 @@ interface(`yam_domtrans',`
 		type yam_t, yam_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,yam_exec_t,yam_t)
 ')
 

policy/modules/kernel/corecommands.fc

@@ -8,7 +8,6 @@
 /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ls				--	gen_context(system_u:object_r:ls_exec_t,s0)
 /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /bin/zsh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
@@ -16,17 +15,17 @@
 #
 # /dev
 #
-/dev/MAKEDEV			--	gen_context(system_u:object_r:sbin_t,s0)
+/dev/MAKEDEV			--	gen_context(system_u:object_r:bin_t,s0)
 
 #
 # /emul
 #
 ifdef(`distro_redhat',`
 /emul/ia32-linux/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /emul/ia32-linux/usr(/.*)?/bin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /emul/ia32-linux/usr(/.*)?/Bin(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)?	gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /emul/ia32-linux/usr/libexec(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 ')
 
@@ -37,14 +36,14 @@ ifdef(`distro_redhat',`
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
 
-/etc/hotplug/.*agent		--	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug\.d/default/default.*	gen_context(system_u:object_r:bin_t,s0)
 
 /etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
 
-/etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:sbin_t,s0)
+/etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
 
 /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/ppp/ip-up\..*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -82,7 +81,7 @@ ifdef(`targeted_policy',`
 #
 
 /lib/udev/[^/]*			--	gen_context(system_u:object_r:bin_t,s0)
-/lib/udev/scsi_id		--	gen_context(system_u:object_r:sbin_t,s0)
+/lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
 /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -94,10 +93,10 @@ ifdef(`distro_gentoo',`
 #
 # /sbin
 #
-/sbin				-d	gen_context(system_u:object_r:sbin_t,s0)
-/sbin/.*				gen_context(system_u:object_r:sbin_t,s0)
-/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:sbin_t,s0)
-/sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:sbin_t,s0)
+/sbin				-d	gen_context(system_u:object_r:bin_t,s0)
+/sbin/.*				gen_context(system_u:object_r:bin_t,s0)
+/sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
+/sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
 
 #
 # /opt
@@ -106,7 +105,7 @@ ifdef(`distro_gentoo',`
 
 /opt/(.*/)?libexec(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
-/opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
+/opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
 /opt/RealPlayer/realplay(\.bin)?	gen_context(system_u:object_r:bin_t,s0)
@@ -122,8 +121,8 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(.*/)?bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
-/usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:sbin_t,s0)
+/usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
@@ -136,7 +135,7 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/mailman/mail(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
@@ -148,9 +147,9 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/vte/gnome-pty-helper --	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib(64)?/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/usr/sbin(/.*)? --	gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/debug/usr/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
@@ -164,7 +163,7 @@ ifdef(`distro_gentoo',`
 /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 
-/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:sbin_t,s0)
+/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
@@ -245,7 +244,6 @@ ifdef(`distro_suse', `
 /var/mailman/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-/var/ftp/bin/ls			--	gen_context(system_u:object_r:ls_exec_t,s0)
 
 /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
 

policy/modules/kernel/corecommands.if

@@ -84,7 +84,7 @@ interface(`corecmd_bin_entry_type',`
 ########################################
 ## <summary>
 ##	Make general progams in sbin an entrypoint for
-##	the specified domain.
+##	the specified domain.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -93,11 +93,8 @@ interface(`corecmd_bin_entry_type',`
 ## </param>
 #
 interface(`corecmd_sbin_entry_type',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	domain_entry_file($1,sbin_t)
+	corecmd_bin_entry_type($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.')
 ')
 
 ########################################
@@ -136,6 +133,24 @@ interface(`corecmd_search_bin',`
 	search_dirs_pattern($1,bin_t,bin_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search the contents of bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_dontaudit_search_bin',`
+	gen_require(`
+		type bin_t;
+	')
+
+	dontaudit $1 bin_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	List the contents of bin directories.
@@ -154,6 +169,24 @@ interface(`corecmd_list_bin',`
 	list_dirs_pattern($1,bin_t,bin_t)
 ')
 
+########################################
+## <summary>
+##	Do not auidt attempts to write bin directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corecmd_dontaudit_write_bin_dirs',`
+	gen_require(`
+		type bin_t;
+	')
+
+	dontaudit $1 bin_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of files in bin directories.
@@ -410,7 +443,7 @@ interface(`corecmd_bin_domtrans',`
 
 ########################################
 ## <summary>
-##	Search the contents of sbin directories.
+##	Search the contents of sbin directories.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -419,17 +452,14 @@ interface(`corecmd_bin_domtrans',`
 ## </param>
 #
 interface(`corecmd_search_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search_dir_perms;
+	corecmd_search_bin($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to search
-##	sbin directories.
+##	sbin directories.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -438,16 +468,13 @@ interface(`corecmd_search_sbin',`
 ## </param>
 #
 interface(`corecmd_dontaudit_search_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	dontaudit $1 sbin_t:dir search_dir_perms;
+	corecmd_dontaudit_search_bin($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.')
 ')
 
 ########################################
 ## <summary>
-##	List the contents of sbin directories.
+##	List the contents of sbin directories.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -456,17 +483,14 @@ interface(`corecmd_dontaudit_search_sbin',`
 ## </param>
 #
 interface(`corecmd_list_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	list_dirs_pattern($1,sbin_t,sbin_t)
+	corecmd_list_bin($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.')
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to write
-##	sbin directories.
+##	sbin directories.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -475,16 +499,13 @@ interface(`corecmd_list_sbin',`
 ## </param>
 #
 interface(`corecmd_dontaudit_write_sbin_dirs',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	dontaudit $1 sbin_t:dir write;
+	corecmd_dontaudit_write_bin_dirs($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.')
 ')
 
 ########################################
 ## <summary>
-##	Get the attributes of sbin files.
+##	Get the attributes of sbin files.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -493,17 +514,14 @@ interface(`corecmd_dontaudit_write_sbin_dirs',`
 ## </param>
 #
 interface(`corecmd_getattr_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	getattr_files_pattern($1,sbin_t,sbin_t)
+	corecmd_getattr_bin_files($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.')
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attibutes
-##	of sbin files.
+##	of sbin files.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -512,16 +530,13 @@ interface(`corecmd_getattr_sbin_files',`
 ## </param>
 #
 interface(`corecmd_dontaudit_getattr_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	dontaudit $1 sbin_t:file getattr;
+	corecmd_dontaudit_getattr_bin_files($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.')
 ')
 
 ########################################
 ## <summary>
-##	Read files in sbin directories.
+##	Read files in sbin directories.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -530,16 +545,13 @@ interface(`corecmd_dontaudit_getattr_sbin_files',`
 ## </param>
 #
 interface(`corecmd_read_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	read_files_pattern($1,sbin_t,sbin_t)
+	corecmd_read_bin_files($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.')
 ')
 
 ########################################
 ## <summary>
-##	Read symbolic links in sbin directories.
+##	Read symbolic links in sbin directories.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -548,16 +560,13 @@ interface(`corecmd_read_sbin_files',`
 ## </param>
 #
 interface(`corecmd_read_sbin_symlinks',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	read_lnk_files_pattern($1,sbin_t,sbin_t)
+	corecmd_read_bin_symlinks($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.')
 ')
 
 ########################################
 ## <summary>
-##	Read named pipes in sbin directories.
+##	Read named pipes in sbin directories.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -566,16 +575,13 @@ interface(`corecmd_read_sbin_symlinks',`
 ## </param>
 #
 interface(`corecmd_read_sbin_pipes',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	read_fifo_files_pattern($1,sbin_t,sbin_t)
+	corecmd_read_bin_pipes($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.')
 ')
 
 ########################################
 ## <summary>
-##	Read named sockets in sbin directories.
+##	Read named sockets in sbin directories.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -584,17 +590,14 @@ interface(`corecmd_read_sbin_pipes',`
 ## </param>
 #
 interface(`corecmd_read_sbin_sockets',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	read_sock_files_pattern($1,sbin_t,sbin_t)
+	corecmd_read_bin_sockets($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.')
 ')
 
 ########################################
 ## <summary>
 ##	Execute generic programs in sbin directories,
-##	in the caller domain.
+##	in the caller domain.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -603,18 +606,13 @@ interface(`corecmd_read_sbin_sockets',`
 ## </param>
 #
 interface(`corecmd_exec_sbin',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	list_dirs_pattern($1,sbin_t,sbin_t)
-	read_lnk_files_pattern($1,sbin_t,sbin_t)
-	can_exec($1,sbin_t)
+	corecmd_exec_bin($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
 ')
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete sbin files.
+##	Create, read, write, and delete sbin files.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -624,16 +622,13 @@ interface(`corecmd_exec_sbin',`
 #
 # cjp: added for prelink
 interface(`corecmd_manage_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	manage_files_pattern($1,sbin_t,sbin_t)
+	corecmd_manage_bin_files($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.')
 ')
 
 ########################################
 ## <summary>
-##	Relabel to and from the sbin type.
+##	Relabel to and from the sbin type.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -643,16 +638,13 @@ interface(`corecmd_manage_sbin_files',`
 #
 # cjp: added for prelink
 interface(`corecmd_relabel_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	relabel_files_pattern($1,sbin_t,sbin_t)
+	corecmd_relabel_bin_files($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.')
 ')
 
 ########################################
 ## <summary>
-##	Mmap a sbin file as executable.
+##	Mmap a sbin file as executable.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -662,18 +654,14 @@ interface(`corecmd_relabel_sbin_files',`
 #
 # cjp: added for prelink
 interface(`corecmd_mmap_sbin_files',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	allow $1 sbin_t:dir search_dir_perms;
-	allow $1 sbin_t:file { getattr read execute };
+	corecmd_mmap_bin_files($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.')
 ')
 
 ########################################
 ## <summary>
 ##	Execute a file in a sbin directory
-##	in the specified domain.
+##	in the specified domain.  (Deprecated)
 ## </summary>
 ## <desc>
 ##	<p>
@@ -681,7 +669,7 @@ interface(`corecmd_mmap_sbin_files',`
 ##	in the specified domain.  This allows
 ##	the specified domain to execute any file
 ##	on these filesystems in the specified
-##	domain.  This is not suggested.
+##	domain.  This is not suggested.  (Deprecated)
 ##	</p>
 ##	<p>
 ##	No interprocess communication (signals, pipes,
@@ -705,12 +693,8 @@ interface(`corecmd_mmap_sbin_files',`
 ## </param>
 #
 interface(`corecmd_sbin_domtrans',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	read_lnk_files_pattern($1,sbin_t,sbin_t)
-	domain_auto_transition_pattern($1,sbin_t,$2)
+	corecmd_bin_domtrans($1,$2,$3)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
 ')
 
 ########################################
@@ -718,7 +702,7 @@ interface(`corecmd_sbin_domtrans',`
 ##	Execute a file in a sbin directory
 ##	in the specified domain but do not
 ##	do it automatically. This is an explicit
-##	transition, requiring the caller to use setexeccon().
+##	transition, requiring the caller to use setexeccon().  (Deprecated)
 ## </summary>
 ## <desc>
 ##	<p>
@@ -726,7 +710,7 @@ interface(`corecmd_sbin_domtrans',`
 ##	in the specified domain.  This allows
 ##	the specified domain to execute any file
 ##	on these filesystems in the specified
-##	domain.  This is not suggested.
+##	domain.  This is not suggested.  (Deprecated)
 ##	</p>
 ##	<p>
 ##	No interprocess communication (signals, pipes,
@@ -750,12 +734,8 @@ interface(`corecmd_sbin_domtrans',`
 ## </param>
 #
 interface(`corecmd_sbin_spec_domtrans',`
-	gen_require(`
-		type sbin_t;
-	')
-
-	read_lnk_files_pattern($1,sbin_t,sbin_t)
-	domain_transition_pattern($1,sbin_t,$2)
+	corecmd_bin_spec_domtrans($1,$2,$3)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
 ')
 
 ########################################
@@ -800,7 +780,7 @@ interface(`corecmd_exec_shell',`
 
 ########################################
 ## <summary>
-##	Execute ls in the caller domain.
+##	Execute ls in the caller domain.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -809,13 +789,8 @@ interface(`corecmd_exec_shell',`
 ## </param>
 #
 interface(`corecmd_exec_ls',`
-	gen_require(`
-		type bin_t, ls_exec_t;
-	')
-
-	list_dirs_pattern($1,bin_t,bin_t)
-	read_lnk_files_pattern($1,bin_t,bin_t)
-	can_exec($1,ls_exec_t)
+	corecmd_exec_bin($1)
+	refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
 ')
 
 ########################################
@@ -925,11 +900,11 @@ interface(`corecmd_exec_chroot',`
 interface(`corecmd_getattr_all_executables',`
 	gen_require(`
 		attribute exec_type;
-		type bin_t, sbin_t;
+		type bin_t;
 	')
 
-	allow $1 { bin_t sbin_t }:dir list_dir_perms;
-	getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
+	allow $1 bin_t:dir list_dir_perms;
+	getattr_files_pattern($1,bin_t,exec_type)
 ')
 
 ########################################
@@ -946,12 +921,12 @@ interface(`corecmd_getattr_all_executables',`
 interface(`corecmd_exec_all_executables',`
 	gen_require(`
 		attribute exec_type;
-		type bin_t, sbin_t;
+		type bin_t;
 	')
 
 	can_exec($1,exec_type)
-	list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
-	read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
+	list_dirs_pattern($1,bin_t,bin_t)
+	read_lnk_files_pattern($1,bin_t,exec_type)
 ')
 
 ########################################
@@ -968,11 +943,11 @@ interface(`corecmd_exec_all_executables',`
 interface(`corecmd_manage_all_executables',`
 	gen_require(`
 		attribute exec_type;
-		type bin_t, sbin_t;
+		type bin_t;
 	')
 
-	manage_files_pattern($1,{ bin_t sbin_t },exec_type)
-	manage_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
+	manage_files_pattern($1,bin_t,exec_type)
+	manage_lnk_files_pattern($1,bin_t,bin_t)
 ')
 
 ########################################
@@ -989,9 +964,10 @@ interface(`corecmd_manage_all_executables',`
 interface(`corecmd_relabel_all_executables',`
 	gen_require(`
 		attribute exec_type;
+		type bin_t;
 	')
 
-	allow $1 exec_type:file relabel_file_perms;
+	relabel_files_pattern($1,bin_t,exec_type)
 ')
 
 ########################################
@@ -1007,7 +983,8 @@ interface(`corecmd_relabel_all_executables',`
 interface(`corecmd_mmap_all_executables',`
 	gen_require(`
 		attribute exec_type;
+		type bin_t;
 	')
 
-	allow $1 exec_type:file { getattr read execute };
+	mmap_files_pattern($1,bin_t,exec_type)
 ')

policy/modules/kernel/corecommands.te

@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.5.3)
+policy_module(corecommands,1.5.4)
 
 ########################################
 #
@@ -12,23 +12,11 @@ policy_module(corecommands,1.5.3)
 attribute exec_type;
 
 #
-# bin_t is the type of files in the system bin directories.
+# bin_t is the type of files in the system bin/sbin directories.
 #
-type bin_t;
+type bin_t alias { ls_exec_t sbin_t };
 corecmd_executable_file(bin_t)
 
-#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t;
-corecmd_executable_file(sbin_t)
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t;
-corecmd_executable_file(ls_exec_t)
-
 #
 # shell_exec_t is the type of user shells such as /bin/bash.
 #

policy/modules/kernel/kernel.te

@@ -230,7 +230,7 @@ selinux_load_policy(kernel_t)
 term_use_console(kernel_t)
 
 corecmd_exec_shell(kernel_t)
-corecmd_list_sbin(kernel_t)
+corecmd_list_bin(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 corecmd_exec_bin(kernel_t)
 

policy/modules/services/aide.if

@@ -15,7 +15,7 @@ interface(`aide_domtrans',`
                 type aide_t, aide_exec_t;
         ')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
         domtrans_pattern($1,aide_exec_t,aide_t)
 ')
 

policy/modules/services/amavis.te

@@ -97,7 +97,6 @@ kernel_dontaudit_read_system_state(amavis_t)
 
 # find perl
 corecmd_exec_bin(amavis_t)
-corecmd_search_sbin(amavis_t)
 
 corenet_non_ipsec_sendrecv(amavis_t)
 corenet_tcp_sendrecv_all_if(amavis_t)

policy/modules/services/apache.if

@@ -392,7 +392,7 @@ interface(`apache_domtrans',`
 		type httpd_t, httpd_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,httpd_exec_t,httpd_t)
 ')
 
@@ -593,7 +593,7 @@ interface(`apache_domtrans_helper',`
 		type httpd_helper_t, httpd_helper_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,httpd_helper_exec_t,httpd_helper_t)
 ')
 

policy/modules/services/apache.te

@@ -238,7 +238,6 @@ auth_use_nsswitch(httpd_t)
 
 # execute perl
 corecmd_exec_bin(httpd_t)
-corecmd_exec_sbin(httpd_t)
 corecmd_exec_shell(httpd_t)
 
 domain_use_interactive_fds(httpd_t)

policy/modules/services/arpwatch.te

@@ -63,7 +63,7 @@ dev_read_sysfs(arpwatch_t)
 fs_getattr_all_fs(arpwatch_t)
 fs_search_auto_mountpoints(arpwatch_t)
 
-corecmd_read_sbin_symlinks(arpwatch_t)
+corecmd_read_bin_symlinks(arpwatch_t)
 
 domain_use_interactive_fds(arpwatch_t)
 

policy/modules/services/asterisk.te

@@ -80,7 +80,7 @@ kernel_read_system_state(asterisk_t)
 kernel_read_kernel_sysctls(asterisk_t)
 
 corecmd_exec_bin(asterisk_t)
-corecmd_search_sbin(asterisk_t)
+corecmd_search_bin(asterisk_t)
 
 corenet_non_ipsec_sendrecv(asterisk_t)
 corenet_tcp_sendrecv_generic_if(asterisk_t)

policy/modules/services/automount.if

@@ -15,7 +15,7 @@ interface(`automount_domtrans',`
 		type automount_t, automount_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1, automount_exec_t, automount_t)
 ')
 
@@ -34,7 +34,7 @@ interface(`automount_exec_config',`
 		type automount_etc_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	can_exec($1,automount_etc_t)
 ')
 

policy/modules/services/automount.te

@@ -73,7 +73,6 @@ files_unmount_all_file_type_fs(automount_t)
 fs_mount_all_fs(automount_t)
 fs_unmount_all_fs(automount_t)
 
-corecmd_exec_sbin(automount_t)
 corecmd_exec_bin(automount_t)
 corecmd_exec_shell(automount_t)
 

policy/modules/services/bind.te

@@ -117,7 +117,7 @@ dev_read_rand(named_t)
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)
 
-corecmd_search_sbin(named_t)
+corecmd_search_bin(named_t)
 
 dev_read_urand(named_t)
 

policy/modules/services/ccs.te

@@ -64,7 +64,7 @@ files_pid_filetrans(ccs_t,ccs_var_run_t, { dir file sock_file })
 
 kernel_read_kernel_sysctls(ccs_t)
 
-corecmd_list_sbin(ccs_t)
+corecmd_list_bin(ccs_t)
 corecmd_exec_bin(ccs_t)
 
 corenet_non_ipsec_sendrecv(ccs_t)
@@ -97,7 +97,7 @@ miscfiles_read_localization(ccs_t)
 sysnet_dns_name_resolve(ccs_t)
 
 ifdef(`hide_broken_symptoms', `
-	corecmd_dontaudit_write_sbin_dirs(ccs_t)
+	corecmd_dontaudit_write_bin_dirs(ccs_t)
 	files_manage_isid_type_files(ccs_t)
 ')
 

policy/modules/services/cipe.te

@@ -28,7 +28,6 @@ kernel_read_system_state(ciped_t)
 
 corecmd_exec_shell(ciped_t)
 corecmd_exec_bin(ciped_t)
-corecmd_exec_sbin(ciped_t)
 
 corenet_non_ipsec_sendrecv(ciped_t)
 corenet_udp_sendrecv_generic_if(ciped_t)

policy/modules/services/courier.te

@@ -50,7 +50,7 @@ allow courier_authdaemon_t courier_tcpd_t:fd use;
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
 
-corecmd_search_sbin(courier_authdaemon_t)
+corecmd_search_bin(courier_authdaemon_t)
 
 # for SSP
 dev_read_urand(courier_authdaemon_t)
@@ -116,7 +116,7 @@ manage_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
 manage_lnk_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
 files_search_var_lib(courier_tcpd_t)
 
-corecmd_search_sbin(courier_tcpd_t)
+corecmd_search_bin(courier_tcpd_t)
 
 corenet_tcp_bind_all_nodes(courier_tcpd_t)
 corenet_tcp_bind_pop_port(courier_tcpd_t)

policy/modules/services/cron.if

@@ -214,7 +214,6 @@ template(`cron_per_role_template',`
 
 	# Run helper programs as the user domain
 	corecmd_bin_domtrans($1_crontab_t,$2)
-	corecmd_sbin_domtrans($1_crontab_t,$2)
 	corecmd_shell_domtrans($1_crontab_t,$2)
 
 	domain_use_interactive_fds($1_crontab_t)

policy/modules/services/cron.te

@@ -117,8 +117,8 @@ fs_search_auto_mountpoints(crond_t)
 auth_domtrans_chk_passwd(crond_t)
 
 corecmd_exec_shell(crond_t)
-corecmd_list_sbin(crond_t)
-corecmd_read_sbin_symlinks(crond_t)
+corecmd_list_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
 
 domain_use_interactive_fds(crond_t)
 

policy/modules/services/cups.te

@@ -182,7 +182,6 @@ auth_dontaudit_read_pam_pid(cupsd_t)
 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
 corecmd_exec_shell(cupsd_t)
 corecmd_exec_bin(cupsd_t)
-corecmd_exec_sbin(cupsd_t)
 
 domain_use_interactive_fds(cupsd_t)
 
@@ -357,7 +356,6 @@ fs_getattr_all_fs(cupsd_config_t)
 fs_search_auto_mountpoints(cupsd_config_t)
 
 corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_sbin(cupsd_config_t)
 corecmd_exec_shell(cupsd_config_t)
 
 domain_use_interactive_fds(cupsd_config_t)
@@ -596,7 +594,6 @@ fs_search_auto_mountpoints(hplip_t)
 
 # for python
 corecmd_exec_bin(hplip_t)
-corecmd_search_sbin(hplip_t)
 
 domain_use_interactive_fds(hplip_t)
 

policy/modules/services/cvs.te

@@ -62,7 +62,6 @@ fs_getattr_xattr_fs(cvs_t)
 auth_domtrans_chk_passwd(cvs_t)
 
 corecmd_exec_bin(cvs_t)
-corecmd_exec_sbin(cvs_t)
 corecmd_exec_shell(cvs_t)
 
 files_read_etc_files(cvs_t)

policy/modules/services/dbus.if

@@ -108,11 +108,6 @@ template(`dbus_per_role_template',`
 	corecmd_read_bin_files($1_dbusd_t)
 	corecmd_read_bin_pipes($1_dbusd_t)
 	corecmd_read_bin_sockets($1_dbusd_t)
-	corecmd_list_sbin($1_dbusd_t)
-	corecmd_read_sbin_symlinks($1_dbusd_t)
-	corecmd_read_sbin_files($1_dbusd_t)
-	corecmd_read_sbin_pipes($1_dbusd_t)
-	corecmd_read_sbin_sockets($1_dbusd_t)
 
 	corenet_non_ipsec_sendrecv($1_dbusd_t)
 	corenet_tcp_sendrecv_all_if($1_dbusd_t)

policy/modules/services/dbus.te

@@ -76,16 +76,9 @@ auth_use_nsswitch(system_dbusd_t)
 auth_read_pam_console_data(system_dbusd_t)
 
 corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_symlinks(system_dbusd_t)
-corecmd_read_bin_files(system_dbusd_t)
 corecmd_read_bin_pipes(system_dbusd_t)
 corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_list_sbin(system_dbusd_t)
-corecmd_read_sbin_symlinks(system_dbusd_t)
-corecmd_read_sbin_files(system_dbusd_t)
-corecmd_read_sbin_pipes(system_dbusd_t)
-corecmd_read_sbin_sockets(system_dbusd_t)
-corecmd_exec_sbin(system_dbusd_t)
+corecmd_exec_bin(system_dbusd_t)
 
 domain_use_interactive_fds(system_dbusd_t)
 

policy/modules/services/dcc.if

@@ -15,7 +15,7 @@ interface(`dcc_domtrans_cdcc',`
 		type cdcc_t, cdcc_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,cdcc_exec_t,cdcc_t)
 ')
 
@@ -66,7 +66,7 @@ interface(`dcc_domtrans_client',`
 		type dcc_client_t, dcc_client_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,dcc_client_exec_t,dcc_client_t)
 ')
 
@@ -117,7 +117,7 @@ interface(`dcc_domtrans_dbclean',`
 		type dcc_dbclean_t, dcc_dbclean_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,dcc_dbclean_exec_t,dcc_dbclean_t)
 ')
 

policy/modules/services/ddclient.if

@@ -15,6 +15,6 @@ interface(`ddclient_domtrans',`
 		type ddclient_t, ddclient_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1, ddclient_exec_t, ddclient_t)
 ')

policy/modules/services/dhcp.te

@@ -79,7 +79,6 @@ fs_getattr_all_fs(dhcpd_t)
 fs_search_auto_mountpoints(dhcpd_t)
 
 corecmd_exec_bin(dhcpd_t)
-corecmd_exec_sbin(dhcpd_t)
 
 domain_use_interactive_fds(dhcpd_t)
 

policy/modules/services/distcc.te

@@ -61,7 +61,7 @@ fs_getattr_all_fs(distccd_t)
 fs_search_auto_mountpoints(distccd_t)
 
 corecmd_exec_bin(distccd_t)
-corecmd_read_sbin_symlinks(distccd_t)
+corecmd_read_bin_symlinks(distccd_t)
 
 domain_use_interactive_fds(distccd_t)
 

policy/modules/services/fail2ban.te

@@ -38,7 +38,6 @@ files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
 
 kernel_read_system_state(fail2ban_t)
 
-corecmd_search_sbin(fail2ban_t)
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
 

policy/modules/services/finger.te

@@ -68,7 +68,6 @@ term_getattr_all_user_ptys(fingerd_t)
 auth_read_lastlog(fingerd_t)
 
 corecmd_exec_bin(fingerd_t)
-corecmd_exec_sbin(fingerd_t)
 corecmd_exec_shell(fingerd_t)
 
 domain_use_interactive_fds(fingerd_t)

policy/modules/services/ftp.if

@@ -85,7 +85,7 @@ interface(`ftp_check_exec',`
 		type ftpd_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	allow $1 ftpd_exec_t:file x_file_perms;
 ')
 

policy/modules/services/ftp.te

@@ -86,10 +86,6 @@ dev_read_sysfs(ftpd_t)
 dev_read_urand(ftpd_t)
 
 corecmd_exec_bin(ftpd_t)
-corecmd_exec_sbin(ftpd_t)
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-corecmd_exec_ls(ftpd_t)
 
 corenet_non_ipsec_sendrecv(ftpd_t)
 corenet_tcp_sendrecv_all_if(ftpd_t)

policy/modules/services/gatekeeper.te

@@ -51,7 +51,7 @@ files_pid_filetrans(gatekeeper_t,gatekeeper_var_run_t,file)
 kernel_read_system_state(gatekeeper_t)
 kernel_read_kernel_sysctls(gatekeeper_t)
 
-corecmd_list_sbin(gatekeeper_t)
+corecmd_list_bin(gatekeeper_t)
 
 corenet_non_ipsec_sendrecv(gatekeeper_t)
 corenet_tcp_sendrecv_generic_if(gatekeeper_t)

policy/modules/services/i18n_input.te

@@ -55,7 +55,6 @@ dev_read_sysfs(i18n_input_t)
 fs_getattr_all_fs(i18n_input_t)
 fs_search_auto_mountpoints(i18n_input_t)
 
-corecmd_search_sbin(i18n_input_t)
 corecmd_search_bin(i18n_input_t)
 corecmd_exec_bin(i18n_input_t)
 

policy/modules/services/inetd.if

@@ -164,7 +164,7 @@ interface(`inetd_domtrans_child',`
 		type inetd_child_t, inetd_child_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,inetd_child_exec_t,inetd_child_t)
 ')
 

policy/modules/services/inetd.te

@@ -118,7 +118,7 @@ selinux_compute_create_context(inetd_t)
 
 # Run other daemons in the inetd_child_t domain.
 corecmd_search_bin(inetd_t)
-corecmd_read_sbin_symlinks(inetd_t)
+corecmd_read_bin_symlinks(inetd_t)
 
 domain_use_interactive_fds(inetd_t)
 

policy/modules/services/inn.te

@@ -84,8 +84,6 @@ fs_search_auto_mountpoints(innd_t)
 
 corecmd_exec_bin(innd_t)
 corecmd_exec_shell(innd_t)
-corecmd_search_sbin(innd_t)
-corecmd_read_sbin_symlinks(innd_t)
 
 domain_use_interactive_fds(innd_t)
 

policy/modules/services/ircd.te

@@ -48,7 +48,7 @@ files_pid_filetrans(ircd_t,ircd_var_run_t,file)
 kernel_read_system_state(ircd_t)
 kernel_read_kernel_sysctls(ircd_t)
 
-corecmd_search_sbin(ircd_t)
+corecmd_search_bin(ircd_t)
 
 corenet_non_ipsec_sendrecv(ircd_t)
 corenet_tcp_sendrecv_generic_if(ircd_t)

policy/modules/services/kerberos.te

@@ -183,7 +183,6 @@ kernel_read_proc_symlinks(krb5kdc_t)
 kernel_read_network_state(krb5kdc_t)
 kernel_search_network_sysctl(krb5kdc_t)
 
-corecmd_exec_sbin(krb5kdc_t)
 corecmd_exec_bin(krb5kdc_t)
 
 corenet_non_ipsec_sendrecv(krb5kdc_t)

policy/modules/services/lpd.te

@@ -80,7 +80,6 @@ dev_append_printer(checkpc_t)
 # This is less desirable, but checkpc demands /bin/bash and /bin/chown:
 corecmd_exec_shell(checkpc_t)
 corecmd_exec_bin(checkpc_t)
-corecmd_search_sbin(checkpc_t)
 
 domain_use_interactive_fds(checkpc_t)
 
@@ -170,7 +169,6 @@ fs_search_auto_mountpoints(lpd_t)
 
 # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
 corecmd_exec_bin(lpd_t)
-corecmd_exec_sbin(lpd_t)
 corecmd_exec_shell(lpd_t)
 
 domain_use_interactive_fds(lpd_t)

policy/modules/services/mta.if

@@ -81,7 +81,6 @@ template(`mta_base_mail_template',`
 	corenet_sendrecv_smtp_client_packets($1_mail_t)
 
 	corecmd_exec_bin($1_mail_t)
-	corecmd_search_sbin($1_mail_t)
 
 	files_read_etc_files($1_mail_t)
 	files_search_spool($1_mail_t)
@@ -497,7 +496,7 @@ interface(`mta_sendmail_domtrans',`
 	')
 
 	files_search_usr($1)
-	corecmd_read_sbin_symlinks($1)
+	corecmd_read_bin_symlinks($1)
 	domain_auto_trans($1,sendmail_exec_t,$2)
 ')
 

policy/modules/services/nagios.te

@@ -195,7 +195,6 @@ kernel_read_kernel_sysctls(nrpe_t)
 
 corecmd_exec_bin(nrpe_t)
 corecmd_exec_shell(nrpe_t)
-corecmd_exec_ls(nrpe_t)
 
 dev_read_sysfs(nrpe_t)
 dev_read_urand(nrpe_t)

policy/modules/services/networkmanager.te

@@ -71,8 +71,6 @@ selinux_dontaudit_search_fs(NetworkManager_t)
 
 corecmd_exec_shell(NetworkManager_t)
 corecmd_exec_bin(NetworkManager_t)
-corecmd_exec_sbin(NetworkManager_t)
-corecmd_exec_ls(NetworkManager_t)
 
 domain_use_interactive_fds(NetworkManager_t)
 domain_read_confined_domains_state(NetworkManager_t)

policy/modules/services/nis.if

@@ -241,6 +241,5 @@ interface(`nis_domtrans_ypxfr',`
 	')
 
 	corecmd_search_bin($1)
-	corecmd_search_sbin($1)
 	domtrans_pattern($1,ypxfr_exec_t,ypxfr_t)
 ')

policy/modules/services/nis.te

@@ -180,7 +180,6 @@ auth_etc_filetrans_shadow(yppasswdd_t)
 
 corecmd_exec_bin(yppasswdd_t)
 corecmd_exec_shell(yppasswdd_t)
-corecmd_search_sbin(yppasswdd_t)
 
 domain_use_interactive_fds(yppasswdd_t)
 

policy/modules/services/nscd.if

@@ -33,7 +33,7 @@ interface(`nscd_domtrans',`
 		type nscd_t, nscd_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,nscd_exec_t,nscd_t)
 ')
 

policy/modules/services/nsd.te

@@ -146,7 +146,6 @@ can_exec(nsd_crond_t,nsd_exec_t)
 kernel_read_system_state(nsd_crond_t)
 
 corecmd_exec_bin(nsd_crond_t)
-corecmd_exec_sbin(nsd_crond_t)
 corecmd_exec_shell(nsd_crond_t)
 
 corenet_non_ipsec_sendrecv(nsd_crond_t)

policy/modules/services/ntp.if

@@ -31,7 +31,7 @@ interface(`ntp_domtrans',`
 		type ntpd_t, ntpd_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,ntpd_exec_t,ntpd_t)
 ')
 
@@ -50,6 +50,6 @@ interface(`ntp_domtrans_ntpdate',`
 		type ntpd_t, ntpdate_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
 ')

policy/modules/services/ntp.te

@@ -85,8 +85,6 @@ fs_search_auto_mountpoints(ntpd_t)
 auth_use_nsswitch(ntpd_t)
 
 corecmd_exec_bin(ntpd_t)
-corecmd_exec_sbin(ntpd_t)
-corecmd_exec_ls(ntpd_t)
 corecmd_exec_shell(ntpd_t)
 
 domain_use_interactive_fds(ntpd_t)

policy/modules/services/oav.if

@@ -15,7 +15,7 @@ interface(`oav_domtrans_update',`
 		type oav_update_t, oav_update_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1,oav_update_exec_t,oav_update_t)
 ')
 

policy/modules/services/oddjob.te

@@ -38,7 +38,6 @@ files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
 
 kernel_read_system_state(oddjob_t)
 
-corecmd_exec_sbin(oddjob_t)
 corecmd_exec_bin(oddjob_t)
 corecmd_exec_shell(oddjob_t)
 

policy/modules/services/openvpn.te

@@ -51,7 +51,6 @@ kernel_read_network_state(openvpn_t)
 kernel_read_system_state(openvpn_t)
 
 corecmd_exec_bin(openvpn_t)
-corecmd_exec_sbin(openvpn_t)
 corecmd_exec_shell(openvpn_t)
 
 corenet_non_ipsec_sendrecv(openvpn_t)

policy/modules/services/pegasus.te

@@ -84,7 +84,6 @@ corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
 corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
 corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
 
-corecmd_exec_sbin(pegasus_t)
 corecmd_exec_bin(pegasus_t)
 corecmd_exec_shell(pegasus_t)
 

policy/modules/services/postfix.if

@@ -69,10 +69,6 @@ template(`postfix_domain_template',`
 
 	term_dontaudit_use_console(postfix_$1_t)
 
-	corecmd_list_bin(postfix_$1_t)
-	corecmd_list_sbin(postfix_$1_t)
-	corecmd_read_bin_symlinks(postfix_$1_t)
-	corecmd_read_sbin_symlinks(postfix_$1_t)
 	corecmd_exec_shell(postfix_$1_t)
 
 	files_read_etc_files(postfix_$1_t)

policy/modules/services/postfix.te

@@ -151,8 +151,6 @@ corenet_sendrecv_all_client_packets(postfix_master_t)
 # for a find command
 selinux_dontaudit_search_fs(postfix_master_t)
 
-corecmd_exec_ls(postfix_master_t)
-corecmd_exec_sbin(postfix_master_t)
 corecmd_exec_shell(postfix_master_t)
 corecmd_exec_bin(postfix_master_t)
 
@@ -326,11 +324,6 @@ corecmd_read_bin_symlinks(postfix_map_t)
 corecmd_read_bin_files(postfix_map_t)
 corecmd_read_bin_pipes(postfix_map_t)
 corecmd_read_bin_sockets(postfix_map_t)
-corecmd_list_sbin(postfix_map_t)
-corecmd_read_sbin_symlinks(postfix_map_t)
-corecmd_read_sbin_files(postfix_map_t)
-corecmd_read_sbin_pipes(postfix_map_t)
-corecmd_read_sbin_sockets(postfix_map_t)
 
 files_list_home(postfix_map_t)
 files_read_usr_files(postfix_map_t)

policy/modules/services/postgresql.te

@@ -104,8 +104,6 @@ fs_search_auto_mountpoints(postgresql_t)
 term_use_controlling_term(postgresql_t)
 
 corecmd_exec_bin(postgresql_t)
-corecmd_exec_ls(postgresql_t)
-corecmd_exec_sbin(postgresql_t)
 corecmd_exec_shell(postgresql_t)
 
 domain_dontaudit_list_all_domains_state(postgresql_t)

policy/modules/services/postgrey.te

@@ -45,7 +45,6 @@ kernel_read_kernel_sysctls(postgrey_t)
 
 # for perl
 corecmd_search_bin(postgrey_t)
-corecmd_search_sbin(postgrey_t)
 
 corenet_non_ipsec_sendrecv(postgrey_t)
 corenet_tcp_sendrecv_generic_if(postgrey_t)

policy/modules/services/ppp.if

@@ -89,7 +89,7 @@ interface(`ppp_domtrans',`
 		type pppd_t, pppd_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	domtrans_pattern($1, pppd_exec_t, pppd_t)
 ')
 
@@ -153,7 +153,7 @@ interface(`ppp_exec',`
 		type pppd_exec_t;
 	')
 
-	corecmd_search_sbin($1)
+	corecmd_search_bin($1)
 	can_exec($1, pppd_exec_t)
 ')
 

policy/modules/services/ppp.te

@@ -133,7 +133,6 @@ term_create_pty(pppd_t,pppd_devpts_t)
 
 # allow running ip-up and ip-down scripts and running chat.
 corecmd_exec_bin(pppd_t)
-corecmd_exec_sbin(pppd_t)
 corecmd_exec_shell(pppd_t)
 
 domain_use_interactive_fds(pppd_t)

policy/modules/services/procmail.te

@@ -55,8 +55,6 @@ auth_use_nsswitch(procmail_t)
 
 corecmd_exec_bin(procmail_t)
 corecmd_exec_shell(procmail_t)
-corecmd_dontaudit_search_sbin(procmail_t)
-corecmd_exec_ls(procmail_t)
 
 files_read_etc_files(procmail_t)
 files_read_etc_runtime_files(procmail_t)

policy/modules/services/qmail.if

@@ -113,7 +113,7 @@ interface(`qmail_domtrans_inject',`
 
 	ifdef(`distro_debian',`
 		files_search_usr($1)
-		corecmd_search_sbin($1)
+		corecmd_search_bin($1)
 	',`
 		files_search_var($1)
 		corecmd_search_bin($1)
@@ -140,7 +140,7 @@ interface(`qmail_domtrans_queue',`
 
 	ifdef(`distro_debian',`
 		files_search_usr($1)
-		corecmd_search_sbin($1)
+		corecmd_search_bin($1)
 	',`
 		files_search_var($1)
 		corecmd_search_bin($1)

policy/modules/services/qmail.te

@@ -80,7 +80,6 @@ allow qmail_inject_t self:process signal_perms;
 allow qmail_inject_t qmail_queue_exec_t:file read;
 
 corecmd_search_bin(qmail_inject_t)
-corecmd_search_sbin(qmail_inject_t)
 
 files_search_var(qmail_inject_t)
 
@@ -109,7 +108,6 @@ allow qmail_local_t qmail_spool_t:file read_file_perms;
 kernel_read_system_state(qmail_local_t)
 
 corecmd_exec_shell(qmail_local_t)
-corecmd_search_sbin(qmail_local_t)
 
 files_read_etc_files(qmail_local_t)
 files_read_etc_runtime_files(qmail_local_t)
@@ -135,7 +133,7 @@ allow qmail_lspawn_t qmail_local_exec_t:file read;
 
 read_files_pattern(qmail_lspawn_t,qmail_spool_t,qmail_spool_t)
 
-corecmd_search_sbin(qmail_lspawn_t)
+corecmd_search_bin(qmail_lspawn_t)
 
 files_read_etc_files(qmail_lspawn_t)
 files_search_pids(qmail_lspawn_t)
@@ -202,7 +200,6 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read;
 rw_files_pattern(qmail_rspawn_t,qmail_spool_t,qmail_spool_t)
 
 corecmd_search_bin(qmail_rspawn_t)
-corecmd_search_sbin(qmail_rspawn_t)
 
 ########################################
 #
@@ -276,7 +273,6 @@ allow qmail_start_t self:process signal_perms;
 can_exec(qmail_start_t, qmail_start_exec_t)
 
 corecmd_search_bin(qmail_start_t)
-corecmd_search_sbin(qmail_start_t)
 
 files_search_var(qmail_start_t)
 
@@ -298,7 +294,7 @@ optional_policy(`
 
 allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
 
-corecmd_search_sbin(qmail_tcp_env_t)
+corecmd_search_bin(qmail_tcp_env_t)
 
 sysnet_read_config(qmail_tcp_env_t)
 

policy/modules/services/radius.te

@@ -84,7 +84,6 @@ auth_domtrans_chk_passwd(radiusd_t)
 
 corecmd_exec_bin(radiusd_t)
 corecmd_exec_shell(radiusd_t)
-corecmd_search_sbin(radiusd_t)
 
 domain_use_interactive_fds(radiusd_t)
 

policy/modules/services/remotelogin.te

@@ -57,16 +57,11 @@ auth_manage_pam_console_data(remote_login_t)
 auth_domtrans_pam_console(remote_login_t)
 
 corecmd_list_bin(remote_login_t)
-corecmd_list_sbin(remote_login_t)
 corecmd_read_bin_symlinks(remote_login_t)
-corecmd_read_sbin_symlinks(remote_login_t)
 # cjp: these are probably not needed:
 corecmd_read_bin_files(remote_login_t)
 corecmd_read_bin_pipes(remote_login_t)
 corecmd_read_bin_sockets(remote_login_t)
-corecmd_read_sbin_files(remote_login_t)
-corecmd_read_sbin_pipes(remote_login_t)
-corecmd_read_sbin_sockets(remote_login_t)
 
 domain_read_all_entry_files(remote_login_t)
 

policy/modules/services/rhgb.te

@@ -42,7 +42,6 @@ kernel_read_kernel_sysctls(rhgb_t)
 kernel_read_system_state(rhgb_t)
 
 corecmd_exec_bin(rhgb_t)
-corecmd_exec_sbin(rhgb_t)
 corecmd_exec_shell(rhgb_t)
 
 corenet_non_ipsec_sendrecv(rhgb_t)