## ## Core policy for shells, and generic programs ## in /bin, /sbin, /usr/bin, and /usr/sbin. ## ## ## Contains the base bin and sbin directory types ## which need to be searched for the kernel to ## run init. ## ######################################## ## ## Make the specified type usable for files ## that are exectuables, such as binary programs. ## This does not include shared libraries. ## ## ## ## Type to be used for files. ## ## # interface(`corecmd_executable_file',` gen_require(` attribute exec_type; ') typeattribute $1 exec_type; files_type($1) ') ######################################## ## ## Create a aliased type to generic bin files. ## ## ##

## Create a aliased type to generic bin files. ##

##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

##
## ## ## Alias type for bin_t. ## ## # interface(`corecmd_bin_alias',` ifdef(`targeted_policy',` gen_require(` type bin_t; ') typealias bin_t alias $1; ',` refpolicywarn(`$0($*) has no effect in strict policy.') ') ') ######################################## ## ## Make general progams in bin an entrypoint for ## the specified domain. ## ## ## ## The domain for which bin_t is an entrypoint. ## ## # interface(`corecmd_bin_entry_type',` gen_require(` type bin_t; ') domain_entry_file($1,bin_t) ') ######################################## ## ## Make general progams in sbin an entrypoint for ## the specified domain. ## ## ## ## The domain for which sbin programs are an entrypoint. ## ## # interface(`corecmd_sbin_entry_type',` gen_require(` type sbin_t; ') domain_entry_file($1,sbin_t) ') ######################################## ## ## Make the shell an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # interface(`corecmd_shell_entry_type',` gen_require(` type shell_exec_t; ') domain_entry_file($1,shell_exec_t) ') ######################################## ## ## Search the contents of bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_search_bin',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; ') ######################################## ## ## List the contents of bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_list_bin',` gen_require(` type bin_t; ') allow $1 bin_t:dir r_dir_perms; ') ######################################## ## ## Get the attributes of files in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_getattr_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:file getattr; ') ######################################## ## ## Read files in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:file r_file_perms; ') ######################################## ## ## Read symbolic links in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_bin_symlinks',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:lnk_file r_file_perms; ') ######################################## ## ## Read pipes in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_bin_pipes',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:fifo_file r_file_perms; ') ######################################## ## ## Read named sockets in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_bin_sockets',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:sock_file r_file_perms; ') ######################################## ## ## Execute generic programs in bin directories, ## in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_bin',` gen_require(` type bin_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; can_exec($1,bin_t) ') ######################################## ## ## Create, read, write, and delete bin files. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_manage_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir rw_dir_perms; allow $1 bin_t:file manage_file_perms; ') ######################################## ## ## Relabel to and from the bin type. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_relabel_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir search_dir_perms; allow $1 bin_t:file { relabelfrom relabelto }; ') ######################################## ## ## Mmap a bin file as executable. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_mmap_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir search_dir_perms; allow $1 bin_t:file { getattr read execute }; ') ######################################## ## ## Execute a file in a bin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). ## ## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the userhelper policy. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the new process. ## ## # interface(`corecmd_bin_spec_domtrans',` gen_require(` type bin_t; ') allow $1 bin_t:dir search; allow $1 bin_t:lnk_file { getattr read }; domain_trans($1,bin_t,$2) ') ######################################## ## ## Execute a file in a bin directory ## in the specified domain. ## ## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the new process. ## ## # interface(`corecmd_bin_domtrans',` gen_require(` type bin_t; ') corecmd_bin_spec_domtrans($1,$2) type_transition $1 bin_t:process $2; ') ######################################## ## ## Search the contents of sbin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_search_sbin',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search ## sbin directories. ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_search_sbin',` gen_require(` type sbin_t; ') dontaudit $1 sbin_t:dir search_dir_perms; ') ######################################## ## ## List the contents of sbin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_list_sbin',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir r_dir_perms; ') ######################################## ## ## Get the attributes of sbin files. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_getattr_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:file getattr; ') ######################################## ## ## Do not audit attempts to get the attibutes ## of sbin files. ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_getattr_sbin_files',` gen_require(` type sbin_t; ') dontaudit $1 sbin_t:file getattr; ') ######################################## ## ## Read files in sbin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:file r_file_perms; ') ######################################## ## ## Read symbolic links in sbin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_sbin_symlinks',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:lnk_file r_file_perms; ') ######################################## ## ## Read named pipes in sbin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_sbin_pipes',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:fifo_file r_file_perms; ') ######################################## ## ## Read named sockets in sbin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_sbin_sockets',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:sock_file r_file_perms; ') ######################################## ## ## Execute generic programs in sbin directories, ## in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_sbin',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:lnk_file r_file_perms; can_exec($1,sbin_t) ') ######################################## ## ## Create, read, write, and delete sbin files. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`corecmd_manage_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir rw_dir_perms; allow $1 sbin_t:file manage_file_perms; ') ######################################## ## ## Relabel to and from the sbin type. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`corecmd_relabel_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search_dir_perms; allow $1 sbin_t:file { relabelfrom relabelto }; ') ######################################## ## ## Mmap a sbin file as executable. ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`corecmd_mmap_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search_dir_perms; allow $1 sbin_t:file { getattr read execute }; ') ######################################## ## ## Execute a file in a sbin directory ## in the specified domain. ## ## ##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the new process. ## ## # interface(`corecmd_sbin_domtrans',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:lnk_file { getattr read }; domain_auto_trans($1,sbin_t,$2) ') ######################################## ## ## Execute a file in a sbin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). ## ## ##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the userhelper policy. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the new process. ## ## # interface(`corecmd_sbin_spec_domtrans',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search; allow $1 sbin_t:lnk_file { getattr read }; domain_trans($1,sbin_t,$2) ') ######################################## ## ## Check if a shell is executable (DAC-wise). ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_check_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; allow $1 shell_exec_t:file execute; ') ######################################## ## ## Execute a shell in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; can_exec($1,shell_exec_t) ') ######################################## ## ## Execute ls in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_ls',` gen_require(` type bin_t, ls_exec_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; can_exec($1,ls_exec_t) ') ######################################## ## ## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ##

## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the shell process. ## ## # interface(`corecmd_shell_spec_domtrans',` gen_require(` type bin_t, shell_exec_t; ') allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:lnk_file r_file_perms; domain_trans($1,shell_exec_t,$2) ') ######################################## ## ## Execute a shell in the specified domain. ## ## ##

## Execute a shell in the specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the shell process. ## ## # interface(`corecmd_shell_domtrans',` gen_require(` type shell_exec_t; ') corecmd_shell_spec_domtrans($1,$2) type_transition $1 shell_exec_t:process $2; ') ######################################## ## ## Execute chroot in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; ') can_exec($1,chroot_exec_t) allow $1 self:capability sys_chroot; ') ######################################## ## ## Execute all executable files. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_all_executables',` gen_require(` attribute exec_type; type bin_t, sbin_t; ') can_exec($1,exec_type) allow $1 { bin_t sbin_t }:dir list_dir_perms; allow $1 { bin_t sbin_t }:lnk_file read_file_perms; ') ######################################## ## ## Create, read, write, and all executable files. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_manage_all_executables',` gen_require(` attribute exec_type; type bin_t, sbin_t; ') allow $1 exec_type:file manage_file_perms; allow $1 { bin_t sbin_t }:dir rw_dir_perms; allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms; ') ######################################## ## ## Relabel to and from the bin type. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_relabel_all_executables',` gen_require(` attribute exec_type; ') allow $1 exec_type:file { relabelfrom relabelto }; ') ######################################## ## ## Mmap all executables as executable. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_mmap_all_executables',` gen_require(` attribute exec_type; ') allow $1 exec_type:file { getattr read execute }; ')