## ## Core policy for shells, and generic programs ## in /bin, /sbin, /usr/bin, and /usr/sbin. ## ## ## Contains the base bin and sbin directory types ## which need to be searched for the kernel to ## run init. ## ######################################## ## ## Make the specified type usable for files ## that are exectuables, such as binary programs. ## This does not include shared libraries. ## ## ## ## Type to be used for files. ## ## # interface(`corecmd_executable_file',` gen_require(` attribute exec_type; ') typeattribute $1 exec_type; files_type($1) ') ######################################## ## ## Create a aliased type to generic bin files. (Deprecated) ## ## ##

## Create a aliased type to generic bin files. (Deprecated) ##

##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

##
## ## ## Alias type for bin_t. ## ## # interface(`corecmd_bin_alias',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Make general progams in bin an entrypoint for ## the specified domain. ## ## ## ## The domain for which bin_t is an entrypoint. ## ## # interface(`corecmd_bin_entry_type',` gen_require(` type bin_t; ') domain_entry_file($1, bin_t) ') ######################################## ## ## Make general progams in sbin an entrypoint for ## the specified domain. (Deprecated) ## ## ## ## The domain for which sbin programs are an entrypoint. ## ## # interface(`corecmd_sbin_entry_type',` corecmd_bin_entry_type($1) refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.') ') ######################################## ## ## Make the shell an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # interface(`corecmd_shell_entry_type',` gen_require(` type shell_exec_t; ') domain_entry_file($1, shell_exec_t) ') ######################################## ## ## Search the contents of bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_search_bin',` gen_require(` type bin_t; ') search_dirs_pattern($1, bin_t, bin_t) ') ######################################## ## ## Do not audit attempts to search the contents of bin directories. ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_search_bin',` gen_require(` type bin_t; ') dontaudit $1 bin_t:dir search_dir_perms; ') ######################################## ## ## List the contents of bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_list_bin',` gen_require(` type bin_t; ') list_dirs_pattern($1, bin_t, bin_t) ') ######################################## ## ## Do not audit attempts to write bin directories. ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_write_bin_dirs',` gen_require(` type bin_t; ') dontaudit $1 bin_t:dir write; ') ######################################## ## ## Do not audit attempts to write bin files. ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_write_bin_files',` gen_require(` type bin_t; ') dontaudit $1 bin_t:file write; ') ######################################## ## ## Get the attributes of files in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_getattr_bin_files',` gen_require(` type bin_t; ') getattr_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Get the attributes of files in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_dontaudit_getattr_bin_files',` gen_require(` type bin_t; ') dontaudit $1 bin_t:dir search_dir_perms; dontaudit $1 bin_t:file getattr_file_perms; ') ######################################## ## ## Read files in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_bin_files',` gen_require(` type bin_t; ') read_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Read symbolic links in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_bin_symlinks',` gen_require(` type bin_t; ') read_lnk_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Read pipes in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_bin_pipes',` gen_require(` type bin_t; ') read_fifo_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Read named sockets in bin directories. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_bin_sockets',` gen_require(` type bin_t; ') read_sock_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Execute generic programs in bin directories, ## in the caller domain. ## ## ##

## Allow the specified domain to execute generic programs ## in system bin directories (/bin, /sbin, /usr/bin, ## /usr/sbin) a without domain transition. ##

##

## Typically, this interface should be used when the domain ## executes general system progams within the privileges ## of the source domain. Some examples of these programs ## are ls, cp, sed, python, and tar. This does not include ## shells, such as bash. ##

##

## Related interface: ##

## ##
## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_bin',` gen_require(` type bin_t; ') read_lnk_files_pattern($1, bin_t, bin_t) list_dirs_pattern($1, bin_t, bin_t) can_exec($1, bin_t) ') ######################################## ## ## Create, read, write, and delete bin files. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_manage_bin_files',` gen_require(` type bin_t; ') manage_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Relabel to and from the bin type. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_relabel_bin_files',` gen_require(` type bin_t; ') relabel_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Mmap a bin file as executable. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_mmap_bin_files',` gen_require(` type bin_t; ') mmap_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Execute a file in a bin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). ## ## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the userhelper policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`corecmd_bin_spec_domtrans',` gen_require(` type bin_t; ') read_lnk_files_pattern($1, bin_t, bin_t) domain_transition_pattern($1, bin_t, $2) ') ######################################## ## ## Execute a file in a bin directory ## in the specified domain. ## ## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`corecmd_bin_domtrans',` gen_require(` type bin_t; ') corecmd_bin_spec_domtrans($1, $2) type_transition $1 bin_t:process $2; ') ######################################## ## ## Search the contents of sbin directories. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_search_sbin',` corecmd_search_bin($1) refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.') ') ######################################## ## ## Do not audit attempts to search ## sbin directories. (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_search_sbin',` corecmd_dontaudit_search_bin($1) refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.') ') ######################################## ## ## List the contents of sbin directories. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_list_sbin',` corecmd_list_bin($1) refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.') ') ######################################## ## ## Do not audit attempts to write ## sbin directories. (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_write_sbin_dirs',` corecmd_dontaudit_write_bin_dirs($1) refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.') ') ######################################## ## ## Get the attributes of sbin files. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_getattr_sbin_files',` corecmd_getattr_bin_files($1) refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.') ') ######################################## ## ## Do not audit attempts to get the attibutes ## of sbin files. (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_getattr_sbin_files',` corecmd_dontaudit_getattr_bin_files($1) refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.') ') ######################################## ## ## Read files in sbin directories. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_sbin_files',` corecmd_read_bin_files($1) refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.') ') ######################################## ## ## Read symbolic links in sbin directories. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_sbin_symlinks',` corecmd_read_bin_symlinks($1) refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.') ') ######################################## ## ## Read named pipes in sbin directories. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_sbin_pipes',` corecmd_read_bin_pipes($1) refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.') ') ######################################## ## ## Read named sockets in sbin directories. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_read_sbin_sockets',` corecmd_read_bin_sockets($1) refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.') ') ######################################## ## ## Execute generic programs in sbin directories, ## in the caller domain. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_sbin',` corecmd_exec_bin($1) refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.') ') ######################################## ## ## Create, read, write, and delete sbin files. (Deprecated) ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`corecmd_manage_sbin_files',` corecmd_manage_bin_files($1) refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.') ') ######################################## ## ## Relabel to and from the sbin type. (Deprecated) ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`corecmd_relabel_sbin_files',` corecmd_relabel_bin_files($1) refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.') ') ######################################## ## ## Mmap a sbin file as executable. (Deprecated) ## ## ## ## Domain allowed access. ## ## # # cjp: added for prelink interface(`corecmd_mmap_sbin_files',` corecmd_mmap_bin_files($1) refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.') ') ######################################## ## ## Execute a file in a sbin directory ## in the specified domain. (Deprecated) ## ## ##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. (Deprecated) ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`corecmd_sbin_domtrans',` corecmd_bin_domtrans($1, $2) refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.') ') ######################################## ## ## Execute a file in a sbin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). (Deprecated) ## ## ##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. (Deprecated) ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the userhelper policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`corecmd_sbin_spec_domtrans',` corecmd_bin_spec_domtrans($1, $2) refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.') ') ######################################## ## ## Check if a shell is executable (DAC-wise). ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_check_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, bin_t) allow $1 shell_exec_t:file execute; ') ######################################## ## ## Execute shells in the caller domain. ## ## ##

## Allow the specified domain to execute shells without ## a domain transition. ##

##

## Typically, this interface should be used when the domain ## executes shells within the privileges ## of the source domain. Some examples of these programs ## are bash, tcsh, and zsh. ##

##

## Related interface: ##

## ##
## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, bin_t) can_exec($1, shell_exec_t) ') ######################################## ## ## Execute ls in the caller domain. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_ls',` corecmd_exec_bin($1) refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.') ') ######################################## ## ## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ##

## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the shell process. ## ## # interface(`corecmd_shell_spec_domtrans',` gen_require(` type bin_t, shell_exec_t; ') list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, bin_t) domain_transition_pattern($1, shell_exec_t, $2) ') ######################################## ## ## Execute a shell in the specified domain. ## ## ##

## Execute a shell in the specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the shell process. ## ## # interface(`corecmd_shell_domtrans',` gen_require(` type shell_exec_t; ') corecmd_shell_spec_domtrans($1, $2) type_transition $1 shell_exec_t:process $2; ') ######################################## ## ## Execute chroot in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; ') read_lnk_files_pattern($1, bin_t, bin_t) can_exec($1, chroot_exec_t) allow $1 self:capability sys_chroot; ') ######################################## ## ## Get the attributes of all executable files. ## ## ## ## Domain allowed access. ## ## ## # interface(`corecmd_getattr_all_executables',` gen_require(` attribute exec_type; type bin_t; ') allow $1 bin_t:dir list_dir_perms; getattr_files_pattern($1, bin_t, exec_type) ') ######################################## ## ## Read all executable files. ## ## ## ## Domain allowed access. ## ## ## # interface(`corecmd_read_all_executables',` gen_require(` attribute exec_type; ') read_files_pattern($1, exec_type, exec_type) ') ######################################## ## ## Execute all executable files. ## ## ## ## Domain allowed access. ## ## ## # interface(`corecmd_exec_all_executables',` gen_require(` attribute exec_type; type bin_t; ') can_exec($1, exec_type) list_dirs_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, exec_type) ') ######################################## ## ## Do not audit attempts to execute all executables. ## ## ## ## Domain to not audit. ## ## # interface(`corecmd_dontaudit_exec_all_executables',` gen_require(` attribute exec_type; ') dontaudit $1 exec_type:file { execute execute_no_trans }; ') ######################################## ## ## Create, read, write, and all executable files. ## ## ## ## Domain allowed access. ## ## ## # interface(`corecmd_manage_all_executables',` gen_require(` attribute exec_type; type bin_t; ') manage_dirs_pattern($1, bin_t, exec_type) manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') ######################################## ## ## Relabel to and from the bin type. ## ## ## ## Domain allowed access. ## ## ## # interface(`corecmd_relabel_all_executables',` gen_require(` attribute exec_type; type bin_t; ') relabel_files_pattern($1, bin_t, exec_type) ') ######################################## ## ## Mmap all executables as executable. ## ## ## ## Domain allowed access. ## ## # interface(`corecmd_mmap_all_executables',` gen_require(` attribute exec_type; type bin_t; ') mmap_files_pattern($1, bin_t, exec_type) ')