990 lines
19 KiB
Plaintext
990 lines
19 KiB
Plaintext
## <summary>
|
|
## Core policy for shells, and generic programs
|
|
## in /bin, /sbin, /usr/bin, and /usr/sbin.
|
|
## </summary>
|
|
## <required val="true">
|
|
## Contains the base bin and sbin directory types
|
|
## which need to be searched for the kernel to
|
|
## run init.
|
|
## </required>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make the specified type usable for files
|
|
## that are exectuables, such as binary programs.
|
|
## This does not include shared libraries.
|
|
## </summary>
|
|
## <param name="type">
|
|
## <summary>
|
|
## Type to be used for files.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_executable_file',`
|
|
gen_require(`
|
|
attribute exec_type;
|
|
')
|
|
|
|
typeattribute $1 exec_type;
|
|
|
|
files_type($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create a aliased type to generic bin files.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Create a aliased type to generic bin files.
|
|
## </p>
|
|
## <p>
|
|
## This is added to support targeted policy. Its
|
|
## use should be limited. It has no effect
|
|
## on the strict policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Alias type for bin_t.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_bin_alias',`
|
|
ifdef(`targeted_policy',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
typealias bin_t alias $1;
|
|
',`
|
|
errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make general progams in bin an entrypoint for
|
|
## the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## The domain for which bin_t is an entrypoint.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_bin_entry_type',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
domain_entry_file($1,bin_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make general progams in sbin an entrypoint for
|
|
## the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## The domain for which sbin programs are an entrypoint.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_sbin_entry_type',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
domain_entry_file($1,sbin_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make the shell an entrypoint for the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## The domain for which the shell is an entrypoint.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_shell_entry_type',`
|
|
gen_require(`
|
|
type shell_exec_t;
|
|
')
|
|
|
|
domain_entry_file($1,shell_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search the contents of bin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_search_bin',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List the contents of bin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_list_bin',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of files in bin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_getattr_bin_files',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read files in bin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_read_bin_files',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir search;
|
|
allow $1 bin_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read symbolic links in bin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_read_bin_symlinks',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir search;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read pipes in bin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_read_bin_pipes',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir search;
|
|
allow $1 bin_t:fifo_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read named sockets in bin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_read_bin_sockets',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir search;
|
|
allow $1 bin_t:sock_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute generic programs in bin directories,
|
|
## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_exec_bin',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
can_exec($1,bin_t)
|
|
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete bin files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_manage_bin_files',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir rw_dir_perms;
|
|
allow $1 bin_t:file manage_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel to and from the bin type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_relabel_bin_files',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir search_dir_perms;
|
|
allow $1 bin_t:file { relabelfrom relabelto };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mmap a bin file as executable.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_mmap_bin_files',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir search_dir_perms;
|
|
allow $1 bin_t:file { getattr read execute };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a file in a bin directory
|
|
## in the specified domain but do not
|
|
## do it automatically. This is an explicit
|
|
## transition, requiring the caller to use setexeccon().
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute a file in a bin directory
|
|
## in the specified domain. This allows
|
|
## the specified domain to execute any file
|
|
## on these filesystems in the specified
|
|
## domain. This is not suggested.
|
|
## </p>
|
|
## <p>
|
|
## No interprocess communication (signals, pipes,
|
|
## etc.) is provided by this interface since
|
|
## the domains are not owned by this module.
|
|
## </p>
|
|
## <p>
|
|
## This interface was added to handle
|
|
## the userhelper policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="target_domain">
|
|
## <summary>
|
|
## The type of the new process.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_bin_spec_domtrans',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir search;
|
|
allow $1 bin_t:lnk_file { getattr read };
|
|
|
|
domain_trans($1,bin_t,$2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a file in a bin directory
|
|
## in the specified domain.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute a file in a bin directory
|
|
## in the specified domain. This allows
|
|
## the specified domain to execute any file
|
|
## on these filesystems in the specified
|
|
## domain. This is not suggested.
|
|
## </p>
|
|
## <p>
|
|
## No interprocess communication (signals, pipes,
|
|
## etc.) is provided by this interface since
|
|
## the domains are not owned by this module.
|
|
## </p>
|
|
## <p>
|
|
## This interface was added to handle
|
|
## the ssh-agent policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="target_domain">
|
|
## <summary>
|
|
## The type of the new process.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_bin_domtrans',`
|
|
gen_require(`
|
|
type bin_t;
|
|
')
|
|
|
|
corecmd_bin_spec_domtrans($1,$2)
|
|
type_transition $1 bin_t:process $2;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search the contents of sbin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_search_sbin',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search
|
|
## sbin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_dontaudit_search_sbin',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
dontaudit $1 sbin_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List the contents of sbin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_list_sbin',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of sbin files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_getattr_sbin_files',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attibutes
|
|
## of sbin files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_dontaudit_getattr_sbin_files',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
dontaudit $1 sbin_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read files in sbin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_read_sbin_files',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search;
|
|
allow $1 sbin_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read symbolic links in sbin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_read_sbin_symlinks',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search;
|
|
allow $1 sbin_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read named pipes in sbin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_read_sbin_pipes',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search;
|
|
allow $1 sbin_t:fifo_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read named sockets in sbin directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_read_sbin_sockets',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search;
|
|
allow $1 sbin_t:sock_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute generic programs in sbin directories,
|
|
## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_exec_sbin',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir r_dir_perms;
|
|
allow $1 sbin_t:lnk_file r_file_perms;
|
|
can_exec($1,sbin_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete sbin files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
# cjp: added for prelink
|
|
interface(`corecmd_manage_sbin_files',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir rw_dir_perms;
|
|
allow $1 sbin_t:file manage_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel to and from the sbin type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
# cjp: added for prelink
|
|
interface(`corecmd_relabel_sbin_files',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search_dir_perms;
|
|
allow $1 sbin_t:file { relabelfrom relabelto };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mmap a sbin file as executable.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
# cjp: added for prelink
|
|
interface(`corecmd_mmap_sbin_files',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search_dir_perms;
|
|
allow $1 sbin_t:file { getattr read execute };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a file in a sbin directory
|
|
## in the specified domain.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute a file in a sbin directory
|
|
## in the specified domain. This allows
|
|
## the specified domain to execute any file
|
|
## on these filesystems in the specified
|
|
## domain. This is not suggested.
|
|
## </p>
|
|
## <p>
|
|
## No interprocess communication (signals, pipes,
|
|
## etc.) is provided by this interface since
|
|
## the domains are not owned by this module.
|
|
## </p>
|
|
## <p>
|
|
## This interface was added to handle
|
|
## the ssh-agent policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="target_domain">
|
|
## <summary>
|
|
## The type of the new process.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_sbin_domtrans',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search;
|
|
allow $1 sbin_t:lnk_file { getattr read };
|
|
|
|
domain_auto_trans($1,sbin_t,$2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a file in a sbin directory
|
|
## in the specified domain but do not
|
|
## do it automatically. This is an explicit
|
|
## transition, requiring the caller to use setexeccon().
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute a file in a sbin directory
|
|
## in the specified domain. This allows
|
|
## the specified domain to execute any file
|
|
## on these filesystems in the specified
|
|
## domain. This is not suggested.
|
|
## </p>
|
|
## <p>
|
|
## No interprocess communication (signals, pipes,
|
|
## etc.) is provided by this interface since
|
|
## the domains are not owned by this module.
|
|
## </p>
|
|
## <p>
|
|
## This interface was added to handle
|
|
## the userhelper policy.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="target_domain">
|
|
## <summary>
|
|
## The type of the new process.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_sbin_spec_domtrans',`
|
|
gen_require(`
|
|
type sbin_t;
|
|
')
|
|
|
|
allow $1 sbin_t:dir search;
|
|
allow $1 sbin_t:lnk_file { getattr read };
|
|
|
|
domain_trans($1,sbin_t,$2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Check if a shell is executable (DAC-wise).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_check_exec_shell',`
|
|
gen_require(`
|
|
type bin_t, shell_exec_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
allow $1 shell_exec_t:file execute;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a shell in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_exec_shell',`
|
|
gen_require(`
|
|
type bin_t, shell_exec_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
can_exec($1,shell_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute ls in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_exec_ls',`
|
|
gen_require(`
|
|
type bin_t, ls_exec_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
can_exec($1,ls_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a shell in the target domain. This
|
|
## is an explicit transition, requiring the
|
|
## caller to use setexeccon().
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute a shell in the target domain. This
|
|
## is an explicit transition, requiring the
|
|
## caller to use setexeccon().
|
|
## </p>
|
|
## <p>
|
|
## No interprocess communication (signals, pipes,
|
|
## etc.) is provided by this interface since
|
|
## the domains are not owned by this module.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="target_domain">
|
|
## <summary>
|
|
## The type of the shell process.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_shell_spec_domtrans',`
|
|
gen_require(`
|
|
type bin_t, shell_exec_t;
|
|
')
|
|
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:lnk_file r_file_perms;
|
|
|
|
domain_trans($1,shell_exec_t,$2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a shell in the specified domain.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## Execute a shell in the specified domain.
|
|
## </p>
|
|
## <p>
|
|
## No interprocess communication (signals, pipes,
|
|
## etc.) is provided by this interface since
|
|
## the domains are not owned by this module.
|
|
## </p>
|
|
## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="target_domain">
|
|
## <summary>
|
|
## The type of the shell process.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_shell_domtrans',`
|
|
gen_require(`
|
|
type shell_exec_t;
|
|
')
|
|
|
|
corecmd_shell_spec_domtrans($1,$2)
|
|
type_transition $1 shell_exec_t:process $2;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute chroot in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_exec_chroot',`
|
|
gen_require(`
|
|
type chroot_exec_t;
|
|
')
|
|
|
|
can_exec($1,chroot_exec_t)
|
|
allow $1 self:capability sys_chroot;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute all executable files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_exec_all_executables',`
|
|
gen_require(`
|
|
attribute exec_type;
|
|
type bin_t, sbin_t;
|
|
')
|
|
|
|
can_exec($1,exec_type)
|
|
allow $1 { bin_t sbin_t }:dir list_dir_perms;
|
|
allow $1 { bin_t sbin_t }:lnk_file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and all executable files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_manage_all_executables',`
|
|
gen_require(`
|
|
attribute exec_type;
|
|
type bin_t, sbin_t;
|
|
')
|
|
|
|
allow $1 exec_type:file manage_file_perms;
|
|
allow $1 { bin_t sbin_t }:dir rw_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel to and from the bin type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_relabel_all_executables',`
|
|
gen_require(`
|
|
attribute exec_type;
|
|
')
|
|
|
|
allow $1 exec_type:file { relabelfrom relabelto };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mmap all executables as executable.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`corecmd_mmap_all_executables',`
|
|
gen_require(`
|
|
attribute exec_type;
|
|
')
|
|
|
|
allow $1 exec_type:file { getattr read execute };
|
|
')
|