Layer: kernel

Module: corecommands

Description:

Core policy for shells, and generic programs in /bin, /sbin, /usr/bin, and /usr/sbin.

This module is required to be included in all policies.


Interfaces:

corecmd_bin_domtrans( domain , target_domain )
Summary

Execute a file in a bin directory in the specified domain.

Description

Execute a file in a bin directory in the specified target domain. This allows the source domain to execute any file in these directories in the target domain. This is not recommended.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

This interface was added to handle the ssh-agent policy.

Parameters
  • domain: Domain allowed to transition.
  • target_domain: The type of the new process.

corecmd_bin_entry_type( domain )
Summary

Make general programs in bin an entrypoint for the specified domain.

Parameters
  • domain: The domain for which bin_t is an entrypoint.

corecmd_bin_spec_domtrans( domain , target_domain )
Summary

Execute a file in a bin directory in the specified domain but do not do it automatically. This is an explicit transition, requiring the caller to use setexeccon().

Description

Execute a file in a bin directory in the specified target domain. This allows the source domain to execute any file in these directories in the target domain. This is not recommended.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

This interface was added to handle the userhelper policy.

Parameters
  • domain: Domain allowed to transition.
  • target_domain: The type of the new process.

corecmd_check_exec_bin_files( domain )
Summary

Check if files in bin directories are executable (DAC-wise).

Parameters
  • domain: Domain allowed access.

corecmd_check_exec_shell( domain )
Summary

Check if a shell is executable (DAC-wise).

Parameters
  • domain: Domain allowed access.

corecmd_dontaudit_exec_all_executables( domain )
Summary

Do not audit attempts to execute all executables.

Parameters
  • domain: Domain to not audit.

corecmd_dontaudit_getattr_bin_files( domain )
Summary

Do not audit attempts to get the attributes of files in bin directories.

Parameters
  • domain: Domain to not audit.

corecmd_dontaudit_search_bin( domain )
Summary

Do not audit attempts to search the contents of bin directories.

Parameters
  • domain: Domain to not audit.

corecmd_dontaudit_write_bin_dirs( domain )
Summary

Do not audit attempts to write bin directories.

Parameters
  • domain: Domain to not audit.

corecmd_dontaudit_write_bin_files( domain )
Summary

Do not audit attempts to write bin files.

Parameters
  • domain: Domain to not audit.

corecmd_exec_all_executables( domain )
Summary

Execute all executable files.

Parameters
  • domain: Domain allowed access.

corecmd_exec_bin( domain )
Summary

Execute generic programs in bin directories, in the caller domain.

Description

Allow the specified domain to execute generic programs in system bin directories (/bin, /sbin, /usr/bin, /usr/sbin) without a domain transition.

Typically, this interface should be used when the domain executes general system programs within the privileges of the source domain. Some examples of these programs are ls, cp, sed, python, and tar. This does not include shells, such as bash.

Related interface:

  • corecmd_exec_shell()

Parameters
  • domain: Domain allowed access.

corecmd_exec_chroot( domain )
Summary

Execute chroot in the caller domain.

Parameters
  • domain: Domain allowed access.

corecmd_exec_shell( domain )
Summary

Execute shells in the caller domain.

Description

Allow the specified domain to execute shells without a domain transition.

Typically, this interface should be used when the domain executes shells within the privileges of the source domain. Some examples of these programs are bash, tcsh, and zsh.

Related interface:

  • corecmd_exec_bin()

Parameters
  • domain: Domain allowed access.

corecmd_executable_file( type )
Summary

Make the specified type usable for files that are executables, such as binary programs. This does not include shared libraries.

Parameters
  • type: Type to be used for files.

corecmd_getattr_all_executables( domain )
Summary

Get the attributes of all executable files.

Parameters
  • domain: Domain allowed access.

corecmd_getattr_bin_files( domain )
Summary

Get the attributes of files in bin directories.

Parameters
  • domain: Domain allowed access.

corecmd_list_bin( domain )
Summary

List the contents of bin directories.

Parameters
  • domain: Domain allowed access.

corecmd_manage_all_executables( domain )
Summary

Create, read, write, and delete all executable files.

Parameters
  • domain: Domain allowed access.

corecmd_manage_bin_files( domain )
Summary

Create, read, write, and delete bin files.

Parameters
  • domain: Domain allowed access.

corecmd_mmap_all_executables( domain )
Summary

Mmap all executables as executable.

Parameters
  • domain: Domain allowed access.

corecmd_mmap_bin_files( domain )
Summary

Mmap a bin file as executable.

Parameters
  • domain: Domain allowed access.

corecmd_read_all_executables( domain )
Summary

Read all executable files.

Parameters
  • domain: Domain allowed access.

corecmd_read_bin_files( domain )
Summary

Read files in bin directories.

Parameters
  • domain: Domain allowed access.

corecmd_read_bin_pipes( domain )
Summary

Read pipes in bin directories.

Parameters
  • domain: Domain allowed access.

corecmd_read_bin_sockets( domain )
Summary

Read named sockets in bin directories.

Parameters
  • domain: Domain allowed access.

corecmd_relabel_all_executables( domain )
Summary

Relabel to and from the bin type.

Parameters
  • domain: Domain allowed access.

corecmd_relabel_bin_files( domain )
Summary

Relabel to and from the bin type.

Parameters
  • domain: Domain allowed access.

corecmd_search_bin( domain )
Summary

Search the contents of bin directories. Also allows reading a possible /bin -> /usr/bin symlink.

Parameters
  • domain: Domain allowed access.

corecmd_shell_domtrans( domain , target_domain )
Summary

Execute a shell in the specified domain.

Description

Execute a shell in the specified domain.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters
  • domain: Domain allowed to transition.
  • target_domain: The type of the shell process.

corecmd_shell_entry_type( domain )
Summary

Make the shell an entrypoint for the specified domain.

Parameters
  • domain: The domain for which the shell is an entrypoint.

corecmd_shell_spec_domtrans( domain , target_domain )
Summary

Execute a shell in the target domain. This is an explicit transition, requiring the caller to use setexeccon().

Description

Execute a shell in the target domain. This is an explicit transition, requiring the caller to use setexeccon().

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters
  • domain: Domain allowed to transition.
  • target_domain: The type of the shell process.
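
The corecmd_exec_bin(), corecmd_exec_shell() and corecmd_shell_*domtrans() interfaces leave a choice between running shells inside the caller's domain and moving them into a separate one. The following policy module is an added example, not reference policy code: the module name and the types myapp_t, myapp_exec_t and myapp_shell_t are hypothetical, and policy_module, init_daemon_domain and domain_type are macros and interfaces from outside this module.

```selinux
# Added example, not part of the reference policy. The module name and
# the types myapp_t, myapp_exec_t and myapp_shell_t are hypothetical.
policy_module(myapp, 1.0.0)

# Daemon domain and its entry-point executable type.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Separate, narrower domain for shell commands the daemon spawns.
type myapp_shell_t;
domain_type(myapp_shell_t)
role system_r types myapp_shell_t;

# Helpers such as cp and tar run inside myapp_t with myapp_t's privileges.
corecmd_exec_bin(myapp_t)

# Broad alternative, left commented out: shells would run inside myapp_t,
# so any script they interpret would act with all of myapp_t's access.
# corecmd_exec_shell(myapp_t)

# Make the shell an entrypoint for the confined shell domain.
corecmd_shell_entry_type(myapp_shell_t)

# Automatic transition: when myapp_t executes a shell, the new process
# runs as myapp_shell_t.
corecmd_shell_domtrans(myapp_t, myapp_shell_t)

# Explicit alternative: the transition happens only when the daemon has
# called setexeccon() with a myapp_shell_t context before the exec.
# corecmd_shell_spec_domtrans(myapp_t, myapp_shell_t)

# The shell domain gets only what its scripts need; here, generic
# programs in the bin directories, executed without a further transition.
corecmd_exec_bin(myapp_shell_t)
```

Because the domtrans interfaces provide no interprocess communication, any pipe or signal access between myapp_t and myapp_shell_t has to be granted separately by the module that owns those domains.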

corecmd_watch_bin_dirs( domain )
Summary

Watch bin directories.

Parameters
  • domain: Domain allowed access.