## Core policy for shells, and generic programs ## in /bin, /sbin, /usr/bin, and /usr/sbin. ##

## ## Contains the base bin and sbin directory types ## which need to be searched for the kernel to ## run init. ## ######################################## ##

## Make the specified type usable for files ## that are exectuables, such as binary programs. ## This does not include shared libraries. ##

## ##

## Type to be used for files. ##

## # interface(`corecmd_executable_file',` gen_require(` attribute exec_type; ') typeattribute $1 exec_type; files_type($1) ') ######################################## ##

## Make general progams in bin an entrypoint for ## the specified domain. ##

## ##

## The domain for which bin_t is an entrypoint. ##

## # interface(`corecmd_bin_entry_type',` gen_require(` type bin_t; ') domain_entry_file($1, bin_t) ') ######################################## ##

## Make the shell an entrypoint for the specified domain. ##

## ##

## The domain for which the shell is an entrypoint. ##

## # interface(`corecmd_shell_entry_type',` gen_require(` type shell_exec_t; ') domain_entry_file($1, shell_exec_t) ') ######################################## ##

## Search the contents of bin directories. ## Also allow to read a possible /bin->/usr/bin symlink. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_search_bin',` gen_require(` type bin_t; ') read_lnk_files_pattern($1, bin_t, bin_t) files_search_usr($1) ') ######################################## ##

## Do not audit attempts to search the contents of bin directories. ##

## ##

## Domain to not audit. ##

## # interface(`corecmd_dontaudit_search_bin',` gen_require(` type bin_t; ') dontaudit $1 bin_t:dir search_dir_perms; ') ######################################## ##

## List the contents of bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_list_bin',` gen_require(` type bin_t; ') corecmd_search_bin($1) list_dirs_pattern($1, bin_t, bin_t) ') ######################################## ##

## Do not audit attempts to write bin directories. ##

## ##

## Domain to not audit. ##

## # interface(`corecmd_dontaudit_write_bin_dirs',` gen_require(` type bin_t; ') dontaudit $1 bin_t:dir write; ') ######################################## ##

## Get the attributes of files in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_getattr_bin_files',` gen_require(` type bin_t; ') corecmd_search_bin($1) getattr_files_pattern($1, bin_t, bin_t) ') ######################################## ##

## Do not audit attempts to get the attributes of files in bin directories. ##

## ##

## Domain to not audit. ##

## # interface(`corecmd_dontaudit_getattr_bin_files',` gen_require(` type bin_t; ') dontaudit $1 bin_t:dir search_dir_perms; dontaudit $1 bin_t:file getattr_file_perms; ') ######################################## ##

## Check if files in bin directories are executable (DAC-wise) ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_check_exec_bin_files',` gen_require(` type bin_t; ') allow $1 bin_t:dir search_dir_perms; allow $1 bin_t:file { execute getattr }; ') ######################################## ##

## Read files in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_bin_files',` gen_require(` type bin_t; ') corecmd_search_bin($1) read_files_pattern($1, bin_t, bin_t) ') ######################################## ##

## Do not audit attempts to write bin files. ##

## ##

## Domain to not audit. ##

## # interface(`corecmd_dontaudit_write_bin_files',` gen_require(` type bin_t; ') dontaudit $1 bin_t:file write; ') ######################################## ##

## Read symbolic links in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_bin_symlinks',` refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.') gen_require(` type bin_t; ') corecmd_search_bin($1) ') ######################################## ##

## Read pipes in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_bin_pipes',` gen_require(` type bin_t; ') corecmd_search_bin($1) read_fifo_files_pattern($1, bin_t, bin_t) ') ######################################## ##

## Read named sockets in bin directories. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_read_bin_sockets',` gen_require(` type bin_t; ') corecmd_search_bin($1) read_sock_files_pattern($1, bin_t, bin_t) ') ######################################## ##

## Execute generic programs in bin directories, ## in the caller domain. ##

## ##

## Allow the specified domain to execute generic programs ## in system bin directories (/bin, /sbin, /usr/bin, ## /usr/sbin) a without domain transition. ##

## Typically, this interface should be used when the domain ## executes general system progams within the privileges ## of the source domain. Some examples of these programs ## are ls, cp, sed, python, and tar. This does not include ## shells, such as bash. ##

## Related interface: ##

corecmd_exec_shell()

## ## ##

## Domain allowed access. ##

## # interface(`corecmd_exec_bin',` gen_require(` type bin_t; ') corecmd_list_bin($1) can_exec($1, bin_t) ') ######################################## ##

## Create, read, write, and delete bin files. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_manage_bin_files',` gen_require(` type bin_t; ') corecmd_search_bin($1) manage_files_pattern($1, bin_t, bin_t) ') ######################################## ##

## Relabel to and from the bin type. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_relabel_bin_files',` gen_require(` type bin_t; ') corecmd_search_bin($1) relabel_files_pattern($1, bin_t, bin_t) ') ######################################## ##

## Mmap a bin file as executable. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_mmap_bin_files',` gen_require(` type bin_t; ') corecmd_search_bin($1) mmap_exec_files_pattern($1, bin_t, bin_t) ') ######################################## ##

## Execute a file in a bin directory ## in the specified domain but do not ## do it automatically. This is an explicit ## transition, requiring the caller to use setexeccon(). ##

## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## This interface was added to handle ## the userhelper policy. ##

## ## ##

## Domain allowed to transition. ##

## ## ##

## The type of the new process. ##

## # interface(`corecmd_bin_spec_domtrans',` gen_require(` type bin_t; ') corecmd_search_bin($1) domain_transition_pattern($1, bin_t, $2) ') ######################################## ##

## Execute a file in a bin directory ## in the specified domain. ##

## ##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## This interface was added to handle ## the ssh-agent policy. ##

## ## ##

## Domain allowed to transition. ##

## ## ##

## The type of the new process. ##

## # interface(`corecmd_bin_domtrans',` gen_require(` type bin_t; ') corecmd_bin_spec_domtrans($1, $2) type_transition $1 bin_t:process $2; ') ######################################## ##

## Check if a shell is executable (DAC-wise). ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_check_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') corecmd_list_bin($1) allow $1 shell_exec_t:file execute; ') ######################################## ##

## Execute shells in the caller domain. ##

## ##

## Allow the specified domain to execute shells without ## a domain transition. ##

## Typically, this interface should be used when the domain ## executes shells within the privileges ## of the source domain. Some examples of these programs ## are bash, tcsh, and zsh. ##

## Related interface: ##

corecmd_exec_bin()

## ## ##

## Domain allowed access. ##

## # interface(`corecmd_exec_shell',` gen_require(` type bin_t, shell_exec_t; ') corecmd_list_bin($1) can_exec($1, shell_exec_t) ') ######################################## ##

## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

## ##

## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## ## ##

## Domain allowed to transition. ##

## ## ##

## The type of the shell process. ##

## # interface(`corecmd_shell_spec_domtrans',` gen_require(` type bin_t, shell_exec_t; ') corecmd_list_bin($1) domain_transition_pattern($1, shell_exec_t, $2) ') ######################################## ##

## Execute a shell in the specified domain. ##

## ##

## Execute a shell in the specified domain. ##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

## ## ##

## Domain allowed to transition. ##

## ## ##

## The type of the shell process. ##

## # interface(`corecmd_shell_domtrans',` gen_require(` type shell_exec_t; ') corecmd_shell_spec_domtrans($1, $2) type_transition $1 shell_exec_t:process $2; ') ######################################## ##

## Execute chroot in the caller domain. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_exec_chroot',` gen_require(` type chroot_exec_t; ') corecmd_search_bin($1) can_exec($1, chroot_exec_t) allow $1 self:capability sys_chroot; ') ######################################## ##

## Get the attributes of all executable files. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_getattr_all_executables',` gen_require(` attribute exec_type; type bin_t; ') corecmd_list_bin($1) getattr_files_pattern($1, bin_t, exec_type) ') ######################################## ##

## Read all executable files. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_read_all_executables',` gen_require(` attribute exec_type; ') corecmd_search_bin($1) read_files_pattern($1, exec_type, exec_type) ') ######################################## ##

## Execute all executable files. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_exec_all_executables',` gen_require(` attribute exec_type; type bin_t; ') corecmd_list_bin($1) can_exec($1, exec_type) read_lnk_files_pattern($1, bin_t, exec_type) ') ######################################## ##

## Do not audit attempts to execute all executables. ##

## ##

## Domain to not audit. ##

## # interface(`corecmd_dontaudit_exec_all_executables',` gen_require(` attribute exec_type; ') dontaudit $1 exec_type:file { execute execute_no_trans }; ') ######################################## ##

## Create, read, write, and all executable files. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_manage_all_executables',` gen_require(` attribute exec_type; type bin_t; ') corecmd_search_bin($1) manage_files_pattern($1, bin_t, exec_type) manage_lnk_files_pattern($1, bin_t, bin_t) ') ######################################## ##

## Relabel to and from the bin type. ##

## ##

## Domain allowed access. ##

## ## # interface(`corecmd_relabel_all_executables',` gen_require(` attribute exec_type; type bin_t; ') corecmd_search_bin($1) relabel_files_pattern($1, bin_t, exec_type) ') ######################################## ##

## Mmap all executables as executable. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_mmap_all_executables',` gen_require(` attribute exec_type; type bin_t; ') corecmd_search_bin($1) mmap_exec_files_pattern($1, bin_t, exec_type) ') # Now starts gentoo specific but cannot use ifdef_distro gentoo here ######################################## ##

## Relabel to and from the bin type. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_relabel_bin_dirs',` gen_require(` type bin_t; ') relabel_dirs_pattern($1, bin_t, bin_t) ') ######################################## ##

## Relabel to and from the bin type. ##

## ##

## Domain allowed access. ##

## # interface(`corecmd_relabel_bin_lnk_files',` gen_require(` type bin_t; ') relabel_lnk_files_pattern($1, bin_t, bin_t) ')