223 lines
4.2 KiB
Plaintext
223 lines
4.2 KiB
Plaintext
## <module name="corecommands">
|
|
## <summary>
|
|
## Core policy for shells, and generic programs
|
|
## in /bin, /sbin, /usr/bin, and /usr/sbin.
|
|
## </summary>
|
|
|
|
#######################################
|
|
#
|
|
# corecmd_shell_entry_type(domain)
|
|
#
|
|
interface(`corecmd_shell_entry_type',`
|
|
gen_require(`
|
|
type shell_exec_t;
|
|
')
|
|
|
|
domain_entry_file($1,shell_exec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_search_bin(domain)
|
|
#
|
|
interface(`corecmd_search_bin',`
|
|
gen_require(`
|
|
type bin_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 bin_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_list_bin(domain)
|
|
#
|
|
interface(`corecmd_list_bin',`
|
|
gen_require(`
|
|
type bin_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_exec_bin(domain)
|
|
#
|
|
interface(`corecmd_exec_bin',`
|
|
gen_require(`
|
|
type bin_t;
|
|
class dir r_dir_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
can_exec($1,bin_t)
|
|
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_search_sbin(domain)
|
|
#
|
|
interface(`corecmd_search_sbin',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_list_sbin(domain)
|
|
#
|
|
interface(`corecmd_list_sbin',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 sbin_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_dontaudit_getattr_sbin_file(domain)
|
|
#
|
|
interface(`corecmd_dontaudit_getattr_sbin_file',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
class file getattr;
|
|
')
|
|
|
|
allow $1 sbin_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_exec_sbin(domain)
|
|
#
|
|
interface(`corecmd_exec_sbin',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
class dir r_dir_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 sbin_t:dir r_dir_perms;
|
|
allow $1 sbin_t:lnk_file r_file_perms;
|
|
can_exec($1,sbin_t)
|
|
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_exec_shell(domain)
|
|
#
|
|
interface(`corecmd_exec_shell',`
|
|
gen_require(`
|
|
type bin_t, shell_exec_t;
|
|
class dir r_dir_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
can_exec($1,shell_exec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_exec_ls(domain)
|
|
#
|
|
interface(`corecmd_exec_ls',`
|
|
gen_require(`
|
|
type bin_t, ls_exec_t;
|
|
class dir r_dir_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
can_exec($1,ls_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <interface name="corecmd_shell_spec_domtrans">
|
|
## <description>
|
|
## Execute a shell in the target domain. This
|
|
## is an explicit transition, requiring the
|
|
## caller to use setexeccon().
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## <parameter name="target_domain">
|
|
## The type of the shell process.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
interface(`corecmd_shell_spec_domtrans',`
|
|
gen_require(`
|
|
type bin_t, shell_exec_t;
|
|
class dir r_dir_perms;
|
|
class lnk_file r_file_perms;
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
class process sigchld;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
|
|
domain_trans($1,shell_exec_t,$2)
|
|
|
|
allow $1 $2:fd use;
|
|
allow $2 $1:fd use;
|
|
allow $2 $1:fifo_file rw_file_perms;
|
|
allow $2 $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="corecmd_domtrans_shell">
|
|
## <description>
|
|
## Execute a shell in the target domain.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## <parameter name="target_domain">
|
|
## The type of the shell process.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
interface(`corecmd_domtrans_shell',`
|
|
gen_require(`
|
|
type shell_exec_t;
|
|
')
|
|
|
|
corecmd_shell_spec_domtrans($1,$2)
|
|
type_transition $1 shell_exec_t:process $2;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# corecmd_chroot_exec_chroot(domain)
|
|
#
|
|
interface(`corecmd_chroot_exec_chroot',`
|
|
gen_require(`
|
|
type chroot_exec_t;
|
|
class capability sys_chroot;
|
|
')
|
|
|
|
can_exec($1,chroot_exec_t)
|
|
allow $1 self:capability sys_chroot;
|
|
')
|
|
|
|
## </module>
|