##
## Core policy for shells, and generic programs
## in /bin, /sbin, /usr/bin, and /usr/sbin.
##
##
## Contains the base bin and sbin directory types
## which need to be searched for the kernel to
## run init.
##
########################################
##
## Make the specified type usable for files
## that are exectuables, such as binary programs.
## This does not include shared libraries.
##
##
##
## Type to be used for files.
##
##
#
interface(`corecmd_executable_file',`
gen_require(`
attribute exec_type;
')
typeattribute $1 exec_type;
files_type($1)
')
########################################
##
## Create a aliased type to generic bin files.
##
##
##
## Create a aliased type to generic bin files.
##
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
##
##
##
## Alias type for bin_t.
##
##
#
interface(`corecmd_bin_alias',`
ifdef(`targeted_policy',`
gen_require(`
type bin_t;
')
typealias bin_t alias $1;
',`
refpolicywarn(`$0($*) has no effect in strict policy.')
')
')
########################################
##
## Make general progams in bin an entrypoint for
## the specified domain.
##
##
##
## The domain for which bin_t is an entrypoint.
##
##
#
interface(`corecmd_bin_entry_type',`
gen_require(`
type bin_t;
')
domain_entry_file($1,bin_t)
')
########################################
##
## Make general progams in sbin an entrypoint for
## the specified domain. (Deprecated)
##
##
##
## The domain for which sbin programs are an entrypoint.
##
##
#
interface(`corecmd_sbin_entry_type',`
corecmd_bin_entry_type($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.')
')
########################################
##
## Make the shell an entrypoint for the specified domain.
##
##
##
## The domain for which the shell is an entrypoint.
##
##
#
interface(`corecmd_shell_entry_type',`
gen_require(`
type shell_exec_t;
')
domain_entry_file($1,shell_exec_t)
')
########################################
##
## Search the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_search_bin',`
gen_require(`
type bin_t;
')
search_dirs_pattern($1,bin_t,bin_t)
')
########################################
##
## Do not audit attempts to search the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_dontaudit_search_bin',`
gen_require(`
type bin_t;
')
dontaudit $1 bin_t:dir search_dir_perms;
')
########################################
##
## List the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_list_bin',`
gen_require(`
type bin_t;
')
list_dirs_pattern($1,bin_t,bin_t)
')
########################################
##
## Do not auidt attempts to write bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_dontaudit_write_bin_dirs',`
gen_require(`
type bin_t;
')
dontaudit $1 bin_t:dir write;
')
########################################
##
## Get the attributes of files in bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_getattr_bin_files',`
gen_require(`
type bin_t;
')
getattr_files_pattern($1,bin_t,bin_t)
')
########################################
##
## Read files in bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_read_bin_files',`
gen_require(`
type bin_t;
')
read_files_pattern($1,bin_t,bin_t)
')
########################################
##
## Read symbolic links in bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_read_bin_symlinks',`
gen_require(`
type bin_t;
')
read_lnk_files_pattern($1,bin_t,bin_t)
')
########################################
##
## Read pipes in bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_read_bin_pipes',`
gen_require(`
type bin_t;
')
read_fifo_files_pattern($1,bin_t,bin_t)
')
########################################
##
## Read named sockets in bin directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_read_bin_sockets',`
gen_require(`
type bin_t;
')
read_sock_files_pattern($1,bin_t,bin_t)
')
########################################
##
## Execute generic programs in bin directories,
## in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_exec_bin',`
gen_require(`
type bin_t;
')
read_lnk_files_pattern($1,bin_t,bin_t)
list_dirs_pattern($1,bin_t,bin_t)
can_exec($1,bin_t)
')
########################################
##
## Create, read, write, and delete bin files.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_manage_bin_files',`
gen_require(`
type bin_t;
')
manage_files_pattern($1,bin_t,bin_t)
')
########################################
##
## Relabel to and from the bin type.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_relabel_bin_files',`
gen_require(`
type bin_t;
')
relabel_files_pattern($1,bin_t,bin_t)
')
########################################
##
## Mmap a bin file as executable.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_mmap_bin_files',`
gen_require(`
type bin_t;
')
allow $1 bin_t:dir search_dir_perms;
allow $1 bin_t:file { getattr read execute };
')
########################################
##
## Execute a file in a bin directory
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
##
## Execute a file in a bin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the userhelper policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
interface(`corecmd_bin_spec_domtrans',`
gen_require(`
type bin_t;
')
read_lnk_files_pattern($1,bin_t,bin_t)
domain_transition_pattern($1,bin_t,$2)
')
########################################
##
## Execute a file in a bin directory
## in the specified domain.
##
##
##
## Execute a file in a bin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the ssh-agent policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
interface(`corecmd_bin_domtrans',`
gen_require(`
type bin_t;
')
corecmd_bin_spec_domtrans($1,$2)
type_transition $1 bin_t:process $2;
')
########################################
##
## Search the contents of sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_search_sbin',`
corecmd_search_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
')
########################################
##
## Do not audit attempts to search
## sbin directories. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
interface(`corecmd_dontaudit_search_sbin',`
corecmd_dontaudit_search_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.')
')
########################################
##
## List the contents of sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_list_sbin',`
corecmd_list_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.')
')
########################################
##
## Do not audit attempts to write
## sbin directories. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
interface(`corecmd_dontaudit_write_sbin_dirs',`
corecmd_dontaudit_write_bin_dirs($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.')
')
########################################
##
## Get the attributes of sbin files. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_getattr_sbin_files',`
corecmd_getattr_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.')
')
########################################
##
## Do not audit attempts to get the attibutes
## of sbin files. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
interface(`corecmd_dontaudit_getattr_sbin_files',`
corecmd_dontaudit_getattr_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.')
')
########################################
##
## Read files in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_read_sbin_files',`
corecmd_read_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.')
')
########################################
##
## Read symbolic links in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_read_sbin_symlinks',`
corecmd_read_bin_symlinks($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.')
')
########################################
##
## Read named pipes in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_read_sbin_pipes',`
corecmd_read_bin_pipes($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.')
')
########################################
##
## Read named sockets in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_read_sbin_sockets',`
corecmd_read_bin_sockets($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.')
')
########################################
##
## Execute generic programs in sbin directories,
## in the caller domain. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_exec_sbin',`
corecmd_exec_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
')
########################################
##
## Create, read, write, and delete sbin files. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
interface(`corecmd_manage_sbin_files',`
corecmd_manage_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.')
')
########################################
##
## Relabel to and from the sbin type. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
interface(`corecmd_relabel_sbin_files',`
corecmd_relabel_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.')
')
########################################
##
## Mmap a sbin file as executable. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
interface(`corecmd_mmap_sbin_files',`
corecmd_mmap_bin_files($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.')
')
########################################
##
## Execute a file in a sbin directory
## in the specified domain. (Deprecated)
##
##
##
## Execute a file in a sbin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested. (Deprecated)
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the ssh-agent policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
interface(`corecmd_sbin_domtrans',`
corecmd_bin_domtrans($1,$2,$3)
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
')
########################################
##
## Execute a file in a sbin directory
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon(). (Deprecated)
##
##
##
## Execute a file in a sbin directory
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
## domain. This is not suggested. (Deprecated)
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
## This interface was added to handle
## the userhelper policy.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the new process.
##
##
#
interface(`corecmd_sbin_spec_domtrans',`
corecmd_bin_spec_domtrans($1,$2,$3)
refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
')
########################################
##
## Check if a shell is executable (DAC-wise).
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_check_exec_shell',`
gen_require(`
type bin_t, shell_exec_t;
')
list_dirs_pattern($1,bin_t,bin_t)
read_lnk_files_pattern($1,bin_t,bin_t)
allow $1 shell_exec_t:file execute;
')
########################################
##
## Execute a shell in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_exec_shell',`
gen_require(`
type bin_t, shell_exec_t;
')
list_dirs_pattern($1,bin_t,bin_t)
read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,shell_exec_t)
')
########################################
##
## Execute ls in the caller domain. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_exec_ls',`
corecmd_exec_bin($1)
refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
')
########################################
##
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the shell process.
##
##
#
interface(`corecmd_shell_spec_domtrans',`
gen_require(`
type bin_t, shell_exec_t;
')
list_dirs_pattern($1,bin_t,bin_t)
read_lnk_files_pattern($1,bin_t,bin_t)
domain_transition_pattern($1,shell_exec_t,$2)
')
########################################
##
## Execute a shell in the specified domain.
##
##
##
## Execute a shell in the specified domain.
##
##
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the shell process.
##
##
#
interface(`corecmd_shell_domtrans',`
gen_require(`
type shell_exec_t;
')
corecmd_shell_spec_domtrans($1,$2)
type_transition $1 shell_exec_t:process $2;
')
########################################
##
## Execute chroot in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_exec_chroot',`
gen_require(`
type chroot_exec_t;
')
read_lnk_files_pattern($1,bin_t,bin_t)
can_exec($1,chroot_exec_t)
allow $1 self:capability sys_chroot;
')
########################################
##
## Get the attributes of all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`corecmd_getattr_all_executables',`
gen_require(`
attribute exec_type;
type bin_t;
')
allow $1 bin_t:dir list_dir_perms;
getattr_files_pattern($1,bin_t,exec_type)
')
########################################
##
## Execute all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`corecmd_exec_all_executables',`
gen_require(`
attribute exec_type;
type bin_t;
')
can_exec($1,exec_type)
list_dirs_pattern($1,bin_t,bin_t)
read_lnk_files_pattern($1,bin_t,exec_type)
')
########################################
##
## Create, read, write, and all executable files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`corecmd_manage_all_executables',`
gen_require(`
attribute exec_type;
type bin_t;
')
manage_files_pattern($1,bin_t,exec_type)
manage_lnk_files_pattern($1,bin_t,bin_t)
')
########################################
##
## Relabel to and from the bin type.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`corecmd_relabel_all_executables',`
gen_require(`
attribute exec_type;
type bin_t;
')
relabel_files_pattern($1,bin_t,exec_type)
')
########################################
##
## Mmap all executables as executable.
##
##
##
## Domain allowed access.
##
##
#
interface(`corecmd_mmap_all_executables',`
gen_require(`
attribute exec_type;
type bin_t;
')
mmap_files_pattern($1,bin_t,exec_type)
')