# Copyright (C) 2005 Tresys Technology, LLC

# SELinux policy interfaces (m4 macros) for executing the core command
# binaries. In every interface below:
#   $1 is the domain type that receives the access.
#   $2 is passed unchanged to requires_block_template together with the
#      matching *_depend template; the header comments call it "optional".
# requires_block_template is defined outside this file; presumably it emits
# the require block for the types and classes listed in the *_depend
# template - confirm against its definition.
#
# Review note: each *_depend template has to list exactly the types, classes
# and permissions that its interface uses in allow rules. Keep the two in
# sync when editing either one.
#
# Security note: every file rule here grants execute_no_trans, so the program
# runs in the calling domain with no domain transition and keeps all of the
# permissions of $1. Grant these interfaces to confined domains deliberately.
#
# m4 note: do not put quote characters in comments inside a define body;
# inside the quoted body they count as m4 quotes and can end it early.

########################################
#
# corecommands_execute_general_programs(domain,[`optional'])
#
# Let the domain list and search bin_t directories, follow bin_t symlinks,
# and execute bin_t files in its own domain (execute_no_trans).
#
define(`corecommands_execute_general_programs',`
	requires_block_template(corecommands_execute_general_programs_depend,$2)
	allow $1 bin_t:dir { getattr search read };
	allow $1 bin_t:lnk_file { getattr read };
	allow $1 bin_t:file { getattr read execute execute_no_trans };
')

# Types, classes and permissions used by corecommands_execute_general_programs.
define(`corecommands_execute_general_programs_depend',`
	type bin_t;
	class dir { getattr search read };
	class lnk_file { getattr read };
	class file { getattr read execute execute_no_trans };
')

########################################
#
# corecommands_execute_system_programs(domain,[`optional'])
#
# Same access pattern as corecommands_execute_general_programs, applied to
# sbin_t: list and search directories, read symlinks, and execute files
# without a domain transition.
#
define(`corecommands_execute_system_programs',`
	requires_block_template(corecommands_execute_system_programs_depend,$2)
	allow $1 sbin_t:dir { getattr search read };
	allow $1 sbin_t:lnk_file { getattr read };
	allow $1 sbin_t:file { getattr read execute execute_no_trans };
')

# Types, classes and permissions used by corecommands_execute_system_programs.
define(`corecommands_execute_system_programs_depend',`
	type sbin_t;
	class dir { getattr search read };
	class lnk_file { getattr read };
	class file { getattr read execute execute_no_trans };
')

########################################
#
# corecommands_execute_shell(domain,[`optional'])
#
# Let the domain reach a shell through bin_t directories and symlinks and
# execute shell_exec_t files in its own domain. Only the directory and
# symlink rules use bin_t; bin_t files are not made executable here.
# A domain with this interface can run shell commands under its own policy,
# so review which callers really need it.
#
define(`corecommands_execute_shell',`
	requires_block_template(corecommands_execute_shell_depend,$2)
	allow $1 bin_t:dir { getattr search read };
	allow $1 bin_t:lnk_file { getattr read };
	allow $1 shell_exec_t:file { getattr read execute execute_no_trans };
')

# Types, classes and permissions used by corecommands_execute_shell.
define(`corecommands_execute_shell_depend',`
	type bin_t, shell_exec_t;
	class dir { getattr search read };
	class lnk_file { getattr read };
	class file { getattr read execute execute_no_trans };
')

########################################
#
# corecommands_chroot(domain,[`optional'])
#
# Let the domain execute chroot_exec_t files in its own domain and grant it
# the sys_chroot capability on itself.
# NOTE(review): unlike the interfaces above, no directory search or symlink
# read permission is granted here; callers presumably obtain the path access
# from another interface - confirm.
#
define(`corecommands_chroot',`
	requires_block_template(corecommands_chroot_depend,$2)
	allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
	# could go to a generic chroot priv:
	allow $1 self:capability sys_chroot;
')

# Types, classes and permissions used by corecommands_chroot.
define(`corecommands_chroot_depend',`
	type chroot_exec_t;
	class file { getattr read execute execute_no_trans };
	class capability sys_chroot;
')