## Core policy for shells, and generic programs ## in /bin, /sbin, /usr/bin, and /usr/sbin. ##

## ## Contains the base bin and sbin directory types ## which need to be searched for the kernel to ## run init. ## ######################################## ##

## Make the specified type usable for files ## that are exectuables, such as binary programs. ## This does not include shared libraries. ##

## ##

## Type to be used for files. ##

## # interface(`corecmd_executable_file',` gen_require(` attribute exec_type; ') typeattribute $1 exec_type; files_type($1) ') ######################################## ##

## Create a aliased type to generic bin files. ##

## ##

## Create a aliased type to generic bin files. ##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

## ## ##

## Alias type for bin_t. ##

## # interface(`corecmd_bin_alias',` ifdef(`targeted_policy',` gen_require(` type bin_t; ') typealias bin_t alias $1; ',` refpolicywarn(`$0($*) has no effect in strict policy.') ') ') ######################################## ##

## Make general progams in bin an entrypoint for ## the specified domain. ##

## ##

## The domain for which bin_t is an entrypoint. ##

## # interface(`corecmd_bin_entry_type',` gen_require(` type bin_t; ') domain_entry_file($1,bin_t) ') ######################################## ##

## Make general progams in sbin an entrypoint for ## the specified domain. ##

## ##

## The domain for which sbin programs are an entrypoint. ##

## # interface(`corecmd_sbin_entry_type',` gen_require(` type sbin_t; ') domain_entry_file($1,sbin_t) ') ######################################## ##

## Make the shell an entrypoint for the specified domain. ##

## ##

## The domain for which the shell is an entrypoint. ##

## # interface(`corecmd_shell_entry_type',` gen_require(` type shell_exec_t; ') domain_entry_file($1,shell_exec_t) ') ######################################## ##

## Search the contents of bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_search_bin',` gen_require(` type bin_t; ') search_dirs_pattern($1,bin_t,bin_t) ') ######################################## ##

## List the contents of bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_list_bin',` gen_require(` type bin_t; ') list_dirs_pattern($1,bin_t,bin_t) ') ######################################## ##

## Get the attributes of files in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_getattr_bin_files',` gen_require(` type bin_t; ') getattr_files_pattern($1,bin_t,bin_t) ') ######################################## ##

## Read files in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_bin_files',` gen_require(` type bin_t; ') read_files_pattern($1,bin_t,bin_t) ') ######################################## ##

## Read symbolic links in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_bin_symlinks',` gen_require(` type bin_t; ') read_lnk_files_pattern($1,bin_t,bin_t) ') ######################################## ##

## Read pipes in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_bin_pipes',` gen_require(` type bin_t; ') read_fifo_files_pattern($1,bin_t,bin_t) ') ######################################## ##

## Read named sockets in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_bin_sockets',` gen_require(` type bin_t; ') read_sock_files_pattern($1,bin_t,bin_t) ') ######################################## ##

## Execute generic programs in bin directories, ## in the caller domain. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_exec_bin',` gen_require(` type bin_t; ') read_lnk_files_pattern($1,bin_t,bin_t) list_dirs_pattern($1,bin_t,bin_t) can_exec($1,bin_t) ') ######################################## ##

## Create, read, write, and delete bin files. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_manage_bin_files',` gen_require(` type bin_t; ') manage_files_pattern($1,bin_t,bin_t) ') ######################################## ##

## Relabel to and from the bin type. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_relabel_bin_files',` gen_require(` type bin_t; ') relabel_files_pattern($1,bin_t,bin_t) ') ######################################## ##

## Mmap a bin file as executable. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_mmap_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir search_dir_perms; allow $1 bin_t:file { getattr read execute }; ') ######################################## ##

## Execute a file in a bin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). ##

## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## This interface was added to handle ## the userhelper policy. ##

## ## ##

## Domain allowed access. ##

## ## ##

## The type of the new process. ##

## # interface(`corecmd_bin_spec_domtrans',` gen_require(` type bin_t; ') read_lnk_files_pattern($1,bin_t,bin_t) domain_transition_pattern($1,bin_t,$2) ') ######################################## ##

## Execute a file in a bin directory ## in the specified domain. ##

## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## This interface was added to handle ## the ssh-agent policy. ##

## ## ##

## Domain allowed access. ##

## ## ##

## The type of the new process. ##

## # interface(`corecmd_bin_domtrans',` gen_require(` type bin_t; ') corecmd_bin_spec_domtrans($1,$2) type_transition $1 bin_t:process $2; ') ######################################## ##

## Search the contents of sbin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_search_sbin',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search_dir_perms; ') ######################################## ##

## Do not audit attempts to search ## sbin directories. ##

## ##

## Domain to not audit. ##

## # interface(`corecmd_dontaudit_search_sbin',` gen_require(` type sbin_t; ') dontaudit $1 sbin_t:dir search_dir_perms; ') ######################################## ##

## List the contents of sbin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_list_sbin',` gen_require(` type sbin_t; ') list_dirs_pattern($1,sbin_t,sbin_t) ') ######################################## ##

## Do not audit attempts to write ## sbin directories. ##

## ##

## Domain to not audit. ##

## # interface(`corecmd_dontaudit_write_sbin_dirs',` gen_require(` type sbin_t; ') dontaudit $1 sbin_t:dir write; ') ######################################## ##

## Get the attributes of sbin files. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_getattr_sbin_files',` gen_require(` type sbin_t; ') getattr_files_pattern($1,sbin_t,sbin_t) ') ######################################## ##

## Do not audit attempts to get the attibutes ## of sbin files. ##

## ##

## Domain to not audit. ##

## # interface(`corecmd_dontaudit_getattr_sbin_files',` gen_require(` type sbin_t; ') dontaudit $1 sbin_t:file getattr; ') ######################################## ##

## Read files in sbin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_sbin_files',` gen_require(` type sbin_t; ') read_files_pattern($1,sbin_t,sbin_t) ') ######################################## ##

## Read symbolic links in sbin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_sbin_symlinks',` gen_require(` type sbin_t; ') read_lnk_files_pattern($1,sbin_t,sbin_t) ') ######################################## ##

## Read named pipes in sbin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_sbin_pipes',` gen_require(` type sbin_t; ') read_fifo_files_pattern($1,sbin_t,sbin_t) ') ######################################## ##

## Read named sockets in sbin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_sbin_sockets',` gen_require(` type sbin_t; ') read_sock_files_pattern($1,sbin_t,sbin_t) ') ######################################## ##

## Execute generic programs in sbin directories, ## in the caller domain. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_exec_sbin',` gen_require(` type sbin_t; ') list_dirs_pattern($1,sbin_t,sbin_t) read_lnk_files_pattern($1,sbin_t,sbin_t) can_exec($1,sbin_t) ') ######################################## ##

## Create, read, write, and delete sbin files. ##

## ##

## Domain allowed access. ##

## # # cjp: added for prelink interface(`corecmd_manage_sbin_files',` gen_require(` type sbin_t; ') manage_files_pattern($1,sbin_t,sbin_t) ') ######################################## ##

## Relabel to and from the sbin type. ##

## ##

## Domain allowed access. ##

## # # cjp: added for prelink interface(`corecmd_relabel_sbin_files',` gen_require(` type sbin_t; ') relabel_files_pattern($1,sbin_t,sbin_t) ') ######################################## ##

## Mmap a sbin file as executable. ##

## ##

## Domain allowed access. ##

## # # cjp: added for prelink interface(`corecmd_mmap_sbin_files',` gen_require(` type sbin_t; ') allow $1 sbin_t:dir search_dir_perms; allow $1 sbin_t:file { getattr read execute }; ') ######################################## ##

## Execute a file in a sbin directory ## in the specified domain. ##

## ##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## This interface was added to handle ## the ssh-agent policy. ##

## ## ##

## Domain allowed access. ##

## ## ##

## The type of the new process. ##

## # interface(`corecmd_sbin_domtrans',` gen_require(` type sbin_t; ') read_lnk_files_pattern($1,sbin_t,sbin_t) domain_auto_transition_pattern($1,sbin_t,$2) ') ######################################## ##

## Execute a file in a sbin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). ##

## ##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## This interface was added to handle ## the userhelper policy. ##

## ## ##

## Domain allowed access. ##

## ## ##

## The type of the new process. ##

## # interface(`corecmd_sbin_spec_domtrans',` gen_require(` type sbin_t; ') read_lnk_files_pattern($1,sbin_t,sbin_t) domain_transition_pattern($1,sbin_t,$2) ') ######################################## ##

## Check if a shell is executable (DAC-wise). ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_check_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') list_dirs_pattern($1,bin_t,bin_t) read_lnk_files_pattern($1,bin_t,bin_t) allow $1 shell_exec_t:file execute; ') ######################################## ##

## Execute a shell in the caller domain. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') list_dirs_pattern($1,bin_t,bin_t) read_lnk_files_pattern($1,bin_t,bin_t) can_exec($1,shell_exec_t) ') ######################################## ##

## Execute ls in the caller domain. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_exec_ls',` gen_require(` type bin_t, ls_exec_t; ') list_dirs_pattern($1,bin_t,bin_t) read_lnk_files_pattern($1,bin_t,bin_t) can_exec($1,ls_exec_t) ') ######################################## ##

## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

## ##

## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## ## ##

## Domain allowed access. ##

## ## ##

## The type of the shell process. ##

## # interface(`corecmd_shell_spec_domtrans',` gen_require(` type bin_t, shell_exec_t; ') list_dirs_pattern($1,bin_t,bin_t) read_lnk_files_pattern($1,bin_t,bin_t) domain_transition_pattern($1,shell_exec_t,$2) ') ######################################## ##

## Execute a shell in the specified domain. ##

## ##

## Execute a shell in the specified domain. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## ## ##

## Domain allowed access. ##

## ## ##

## The type of the shell process. ##

## # interface(`corecmd_shell_domtrans',` gen_require(` type shell_exec_t; ') corecmd_shell_spec_domtrans($1,$2) type_transition $1 shell_exec_t:process $2; ') ######################################## ##

## Execute chroot in the caller domain. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; ') read_lnk_files_pattern($1,bin_t,bin_t) can_exec($1,chroot_exec_t) allow $1 self:capability sys_chroot; ') ######################################## ##

## Get the attributes of all executable files. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_getattr_all_executables',` gen_require(` attribute exec_type; type bin_t, sbin_t; ') allow $1 { bin_t sbin_t }:dir list_dir_perms; getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t }) ') ######################################## ##

## Execute all executable files. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_exec_all_executables',` gen_require(` attribute exec_type; type bin_t, sbin_t; ') can_exec($1,exec_type) list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t }) read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t }) ') ######################################## ##

## Create, read, write, and all executable files. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_manage_all_executables',` gen_require(` attribute exec_type; type bin_t, sbin_t; ') manage_files_pattern($1,{ bin_t sbin_t },exec_type) manage_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t }) ') ######################################## ##

## Relabel to and from the bin type. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_relabel_all_executables',` gen_require(` attribute exec_type; ') allow $1 exec_type:file relabel_file_perms; ') ######################################## ##

## Mmap all executables as executable. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_mmap_all_executables',` gen_require(` attribute exec_type; ') allow $1 exec_type:file { getattr read execute }; ')