## <module name="corecommands" layer="system">
## <summary>
##	Core policy for shells, and generic programs
##	in /bin, /sbin, /usr/bin, and /usr/sbin.
## </summary>
#######################################
## <interface name="corecommands_make_shell_entrypoint">
##	<description>
##		Make the shell executable type (shell_exec_t) an
##		entrypoint file type for the specified domain, via
##		domain_make_entrypoint_file().
##	</description>
##	<parameter name="domain">
##		The type of the domain that shell_exec_t becomes an
##		entrypoint for.
##	</parameter>
## </interface>
#
define(`corecommands_make_shell_entrypoint',`
requires_block_template(`$0'_depend)
# Everything is delegated to the generic entrypoint helper; only the
# type declaration below is needed in the requires block.
domain_make_entrypoint_file($1,shell_exec_t)
')

define(`corecommands_make_shell_entrypoint_depend',`
type shell_exec_t;
')
########################################
## <interface name="corecommands_search_general_programs_directory">
##	<description>
##		Search directories of general programs (bin_t),
##		e.g. to resolve a path component through them,
##		without permission to list or read their contents.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_search_general_programs_directory',`
requires_block_template(`$0'_depend)
# search only: neither read nor getattr, so the directory cannot be listed
allow $1 bin_t:dir search;
')

define(`corecommands_search_general_programs_directory_depend',`
type bin_t;
class dir search;
')
########################################
## <interface name="corecommands_read_general_programs_directory">
##	<description>
##		Search, list and get the attributes of directories
##		of general programs (bin_t). Access to the files
##		inside them is not included.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_read_general_programs_directory',`
requires_block_template(`$0'_depend)
# Spelled out rather than r_dir_perms: this deliberately excludes
# lock and ioctl on the directory.
allow $1 bin_t:dir { search read getattr };
')

define(`corecommands_read_general_programs_directory_depend',`
type bin_t;
class dir { search read getattr };
')
########################################
## <interface name="corecommands_execute_general_programs">
##	<description>
##		Execute general programs (bin_t) in the caller's
##		domain, including searching and listing the
##		directories and following symlinks in them.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_execute_general_programs',`
requires_block_template(`$0'_depend)
# Path resolution through the program directories.
allow $1 bin_t:dir { search read getattr };
allow $1 bin_t:lnk_file { read getattr };
# execute_no_trans: the program runs in $1 itself; no domain
# transition takes place, so $1 keeps all of its own access.
allow $1 bin_t:file { read getattr lock ioctl execute execute_no_trans };
')

define(`corecommands_execute_general_programs_depend',`
type bin_t;
class dir { search read getattr };
class lnk_file { read getattr };
class file { read getattr lock ioctl execute execute_no_trans };
')
########################################
## <interface name="corecommands_search_system_programs_directory">
##	<description>
##		Search directories of system programs (sbin_t),
##		e.g. to resolve a path component through them,
##		without permission to list or read their contents.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_search_system_programs_directory',`
requires_block_template(`$0'_depend)
# search only: neither read nor getattr, so the directory cannot be listed
allow $1 sbin_t:dir search;
')

define(`corecommands_search_system_programs_directory_depend',`
type sbin_t;
class dir search;
')
########################################
## <interface name="corecommands_read_system_programs_directory">
##	<description>
##		Read (r_dir_perms) directories of system programs
##		(sbin_t). Access to the files inside them is not
##		included.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_read_system_programs_directory',`
requires_block_template(`$0'_depend)
# NOTE(review): r_dir_perms is a broader set than the explicit
# { getattr search read } granted by the bin_t counterpart; kept as
# written, but the two read_*_directory interfaces are not symmetric.
allow $1 sbin_t:dir r_dir_perms;
')

define(`corecommands_read_system_programs_directory_depend',`
type sbin_t;
class dir r_dir_perms;
')
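########################################
## <interface name="corecommands_ignore_get_system_programs_attributes">
##	<description>
##		Do not audit attempts to get the attributes of
##		system program files (sbin_t). Only the denial
##		audit record is suppressed; no access is granted.
##	</description>
##	<parameter name="domain">
##		The type of the process to not audit.
##	</parameter>
## </interface>
#
define(`corecommands_ignore_get_system_programs_attributes',`
requires_block_template(`$0'_depend)
# An "ignore" interface suppresses the audit record; it must not be an
# allow rule, which would silently widen the caller's access to sbin_t
# files while callers believe they only asked for quiet denials.
dontaudit $1 sbin_t:file getattr;
')

define(`corecommands_ignore_get_system_programs_attributes_depend',`
type sbin_t;
class file getattr;
')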
########################################
## <interface name="corecommands_execute_system_programs">
##	<description>
##		Execute system programs (sbin_t) in the caller's
##		domain, including searching and listing the
##		directories and following symlinks in them.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_execute_system_programs',`
requires_block_template(`$0'_depend)
# Path resolution through the program directories.
allow $1 sbin_t:dir { search read getattr };
allow $1 sbin_t:lnk_file { read getattr };
# execute_no_trans: the program runs in $1 itself; no domain
# transition takes place, so $1 keeps all of its own access.
allow $1 sbin_t:file { read getattr lock ioctl execute execute_no_trans };
')

define(`corecommands_execute_system_programs_depend',`
type sbin_t;
class dir { search read getattr };
class lnk_file { read getattr };
class file { read getattr lock ioctl execute execute_no_trans };
')
########################################
## <interface name="corecommands_execute_shell">
##	<description>
##		Execute a shell (shell_exec_t) in the caller's
##		domain, including reading the general program
##		directories (bin_t) it is found in.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_execute_shell',`
requires_block_template(`$0'_depend)
# Locate the shell binary.
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file { read getattr };
# execute_no_trans: the shell runs in $1 itself, so anything the shell
# then runs also has $1's access; no domain transition takes place.
allow $1 shell_exec_t:file { read getattr lock ioctl execute execute_no_trans };
')

define(`corecommands_execute_shell_depend',`
type bin_t, shell_exec_t;
class dir r_dir_perms;
class lnk_file { read getattr };
class file { read getattr lock ioctl execute execute_no_trans };
')
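########################################
## <interface name="corecommands_execute_ls">
##	<description>
##		Execute ls (ls_exec_t) in the caller's domain,
##		including reading the general program directories
##		(bin_t) it is found in.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_execute_ls',`
requires_block_template(`$0'_depend)
# Locate the ls binary.
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file { getattr read };
# execute_no_trans: ls runs in $1 itself; no domain transition.
allow $1 ls_exec_t:file { getattr read lock ioctl execute execute_no_trans };
')

# Must be named <interface>_depend: requires_block_template(`$0'_depend)
# above looks up corecommands_execute_ls_depend. This block was
# previously mis-named corecommands_execute_shell_depend, which left
# this interface without a requires block and redefined the shell
# interface's requires block to reference ls_exec_t.
define(`corecommands_execute_ls_depend',`
type bin_t, ls_exec_t;
class dir r_dir_perms;
class lnk_file { getattr read };
class file { getattr read lock ioctl execute execute_no_trans };
')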
########################################
## <interface name="corecommands_shell_explicit_transition">
##	<description>
##		Execute a shell in the target domain.  This
##		is an explicit transition, requiring the
##		caller to use setexeccon().
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="target_domain">
##		The type of the shell process.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`corecommands_shell_explicit_transition',`
requires_block_template(`$0'_depend)
# Locate and read the shell binary. Deliberately no execute_no_trans:
# $1 may only run shell_exec_t through a domain transition, never in
# its own domain.
allow $1 bin_t:dir { search read getattr };
allow $1 bin_t:lnk_file { read getattr };
allow $1 shell_exec_t:file { read getattr execute };
# The transition itself. No type_transition rule is given here, so it
# only happens when $1 explicitly asks for $2 (setexeccon()).
allow $1 $2:process transition;
dontaudit $1 $2:process { noatsecure siginh rlimitinh };
# Parent/child plumbing across the transition: inherited descriptors
# in both directions, pipes labelled with the caller's type, and
# SIGCHLD back to the caller.
allow $1 $2:fd use;
allow $2 $1:fd use;
allow $2 $1:fifo_file rw_file_perms;
allow $2 $1:process sigchld;
')

define(`corecommands_shell_explicit_transition_depend',`
type bin_t, shell_exec_t;
class dir { search read getattr };
class lnk_file { read getattr };
class file { read getattr execute };
class process { transition sigchld noatsecure siginh rlimitinh };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="corecommands_shell_transition">
##	<description>
##		Execute a shell in the target domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="target_domain">
##		The type of the shell process.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`corecommands_shell_transition',`
requires_block_template(`$0'_depend)
# All access rules come from the explicit-transition interface; this
# one only adds the default transition so that, when $1 executes
# shell_exec_t, the new process lands in $2 without setexeccon().
corecommands_shell_explicit_transition($1,$2)
type_transition $1 shell_exec_t:process $2;
')

define(`corecommands_shell_transition_depend',`
type shell_exec_t;
')
########################################
## <interface name="corecommands_chroot">
##	<description>
##		Execute chroot (chroot_exec_t) in the caller's
##		domain and grant the sys_chroot capability.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`corecommands_chroot',`
requires_block_template(`$0'_depend)
# execute_no_trans: chroot runs in $1 itself; no domain transition.
allow $1 chroot_exec_t:file { read getattr execute execute_no_trans };
# The capability is granted on self. It could be moved to a generic
# chroot-privilege interface so it is not tied to executing chroot_exec_t.
allow $1 self:capability sys_chroot;
')

define(`corecommands_chroot_depend',`
type chroot_exec_t;
class capability sys_chroot;
class file { read getattr execute execute_no_trans };
')
## </module>