[selinux-policy: 1699/3172] Merge sbin_t and ls_exec_t into bin_t.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:31:51 UTC 2010
commit 8021cb4f63f3f60c49207df54236f09704cf58f0
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Mar 23 23:24:59 2007 +0000
Merge sbin_t and ls_exec_t into bin_t.
Changelog | 1 +
policy/modules/admin/acct.if | 4 +-
policy/modules/admin/acct.te | 1 -
policy/modules/admin/amanda.te | 1 -
policy/modules/admin/apt.te | 1 -
policy/modules/admin/certwatch.if | 2 +-
policy/modules/admin/consoletype.if | 4 +-
policy/modules/admin/ddcprobe.te | 3 +-
policy/modules/admin/dmesg.if | 5 +-
policy/modules/admin/logrotate.te | 2 -
policy/modules/admin/logwatch.te | 4 -
policy/modules/admin/mrtg.te | 1 -
policy/modules/admin/portage.if | 1 -
policy/modules/admin/portage.te | 3 -
policy/modules/admin/prelink.if | 2 +-
policy/modules/admin/prelink.te | 1 -
policy/modules/admin/su.if | 1 -
policy/modules/admin/sudo.if | 2 +-
policy/modules/admin/sxid.te | 1 -
policy/modules/admin/tmpreaper.if | 2 +-
policy/modules/admin/tripwire.te | 2 +-
policy/modules/admin/updfstab.if | 2 +-
policy/modules/admin/updfstab.te | 2 -
policy/modules/admin/usermanage.if | 4 +-
policy/modules/admin/usermanage.te | 9 -
policy/modules/admin/vbetool.if | 2 +-
policy/modules/apps/ethereal.if | 2 +-
policy/modules/apps/evolution.if | 2 +-
policy/modules/apps/games.if | 1 -
policy/modules/apps/loadkeys.te | 1 -
policy/modules/apps/mozilla.if | 1 -
policy/modules/apps/screen.if | 5 -
policy/modules/apps/thunderbird.if | 3 +-
policy/modules/apps/uml.if | 1 -
policy/modules/apps/userhelper.if | 3 -
policy/modules/apps/usernetctl.te | 2 -
policy/modules/apps/yam.if | 2 +-
policy/modules/kernel/corecommands.fc | 42 +++---
policy/modules/kernel/corecommands.if | 233 +++++++++++++----------------
policy/modules/kernel/corecommands.te | 18 +--
policy/modules/kernel/kernel.te | 2 +-
policy/modules/services/aide.if | 2 +-
policy/modules/services/amavis.te | 1 -
policy/modules/services/apache.if | 4 +-
policy/modules/services/apache.te | 1 -
policy/modules/services/arpwatch.te | 2 +-
policy/modules/services/asterisk.te | 2 +-
policy/modules/services/automount.if | 4 +-
policy/modules/services/automount.te | 1 -
policy/modules/services/bind.te | 2 +-
policy/modules/services/ccs.te | 4 +-
policy/modules/services/cipe.te | 1 -
policy/modules/services/courier.te | 4 +-
policy/modules/services/cron.if | 1 -
policy/modules/services/cron.te | 4 +-
policy/modules/services/cups.te | 3 -
policy/modules/services/cvs.te | 1 -
policy/modules/services/dbus.if | 5 -
policy/modules/services/dbus.te | 9 +-
policy/modules/services/dcc.if | 6 +-
policy/modules/services/ddclient.if | 2 +-
policy/modules/services/dhcp.te | 1 -
policy/modules/services/distcc.te | 2 +-
policy/modules/services/fail2ban.te | 1 -
policy/modules/services/finger.te | 1 -
policy/modules/services/ftp.if | 2 +-
policy/modules/services/ftp.te | 4 -
policy/modules/services/gatekeeper.te | 2 +-
policy/modules/services/i18n_input.te | 1 -
policy/modules/services/inetd.if | 2 +-
policy/modules/services/inetd.te | 2 +-
policy/modules/services/inn.te | 2 -
policy/modules/services/ircd.te | 2 +-
policy/modules/services/kerberos.te | 1 -
policy/modules/services/lpd.te | 2 -
policy/modules/services/mta.if | 3 +-
policy/modules/services/nagios.te | 1 -
policy/modules/services/networkmanager.te | 2 -
policy/modules/services/nis.if | 1 -
policy/modules/services/nis.te | 1 -
policy/modules/services/nscd.if | 2 +-
policy/modules/services/nsd.te | 1 -
policy/modules/services/ntp.if | 4 +-
policy/modules/services/ntp.te | 2 -
policy/modules/services/oav.if | 2 +-
policy/modules/services/oddjob.te | 1 -
policy/modules/services/openvpn.te | 1 -
policy/modules/services/pegasus.te | 1 -
policy/modules/services/postfix.if | 4 -
policy/modules/services/postfix.te | 7 -
policy/modules/services/postgresql.te | 2 -
policy/modules/services/postgrey.te | 1 -
policy/modules/services/ppp.if | 4 +-
policy/modules/services/ppp.te | 1 -
policy/modules/services/procmail.te | 2 -
policy/modules/services/qmail.if | 4 +-
policy/modules/services/qmail.te | 8 +-
policy/modules/services/radius.te | 1 -
policy/modules/services/remotelogin.te | 5 -
policy/modules/services/rhgb.te | 1 -
policy/modules/services/ricci.te | 8 +-
policy/modules/services/rlogin.if | 2 +-
policy/modules/services/rpc.te | 1 -
policy/modules/services/rshd.te | 1 -
policy/modules/services/samba.te | 2 +-
policy/modules/services/sendmail.te | 1 -
policy/modules/services/setroubleshoot.te | 1 -
policy/modules/services/snmp.te | 1 -
policy/modules/services/spamassassin.if | 10 --
policy/modules/services/spamassassin.te | 1 -
policy/modules/services/squid.if | 2 +-
policy/modules/services/squid.te | 1 -
policy/modules/services/ssh.if | 2 -
policy/modules/services/sysstat.te | 1 -
policy/modules/services/tcpd.te | 1 -
policy/modules/services/telnet.te | 2 +-
policy/modules/services/ucspitcp.te | 1 -
policy/modules/services/uptime.te | 1 -
policy/modules/services/uucp.te | 4 +-
policy/modules/services/uwimap.if | 2 +-
policy/modules/services/watchdog.te | 1 -
policy/modules/services/xfs.te | 1 -
policy/modules/services/xprint.te | 2 -
policy/modules/services/xserver.if | 1 -
policy/modules/services/xserver.te | 1 -
policy/modules/system/authlogin.if | 2 +-
policy/modules/system/authlogin.te | 2 +-
policy/modules/system/daemontools.te | 3 -
policy/modules/system/fstools.if | 2 +-
policy/modules/system/fstools.te | 5 -
policy/modules/system/getty.if | 2 +-
policy/modules/system/getty.te | 1 -
policy/modules/system/hotplug.if | 4 +-
policy/modules/system/hotplug.te | 2 -
policy/modules/system/init.if | 2 +-
policy/modules/system/init.te | 1 -
policy/modules/system/ipsec.te | 1 -
policy/modules/system/iptables.if | 4 +-
policy/modules/system/libraries.if | 2 +-
policy/modules/system/locallogin.te | 5 -
policy/modules/system/logging.if | 2 +-
policy/modules/system/logging.te | 1 -
policy/modules/system/lvm.if | 2 +-
policy/modules/system/lvm.te | 6 +-
policy/modules/system/modutils.if | 12 +-
policy/modules/system/modutils.te | 3 -
policy/modules/system/mount.te | 1 -
policy/modules/system/netlabel.if | 2 +-
policy/modules/system/raid.if | 2 +-
policy/modules/system/raid.te | 1 -
policy/modules/system/selinuxutil.if | 16 +-
policy/modules/system/selinuxutil.te | 1 -
policy/modules/system/setrans.te | 2 +-
policy/modules/system/sysnetwork.if | 8 +-
policy/modules/system/sysnetwork.te | 1 -
policy/modules/system/userdomain.if | 43 ++----
policy/modules/system/userdomain.te | 2 +-
policy/modules/system/xen.te | 2 -
158 files changed, 241 insertions(+), 482 deletions(-)
---
diff --git a/Changelog b/Changelog
index 6c6c609..67a18ef 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Merge sbin_t and ls_exec_t into bin_t.
- Remove disable_trans booleans.
- Output different header sets for kernel and userland from flask headers.
- Marked the pax class as deprecated, changed it to userland so
diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
index 7fa62c3..77b6200 100644
--- a/policy/modules/admin/acct.if
+++ b/policy/modules/admin/acct.if
@@ -15,7 +15,7 @@ interface(`acct_domtrans',`
type acct_t, acct_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,acct_exec_t,acct_t)
')
@@ -34,7 +34,7 @@ interface(`acct_exec',`
type acct_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,acct_exec_t)
')
diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
index 1e53451..0529bb8 100644
--- a/policy/modules/admin/acct.te
+++ b/policy/modules/admin/acct.te
@@ -44,7 +44,6 @@ fs_getattr_xattr_fs(acct_t)
term_dontaudit_use_console(acct_t)
-corecmd_search_sbin(acct_t)
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 6dc9b92..b6ada7d 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -145,7 +145,6 @@ files_getattr_all_pipes(amanda_t)
files_getattr_all_sockets(amanda_t)
corecmd_exec_shell(amanda_t)
-corecmd_exec_sbin(amanda_t)
corecmd_exec_bin(amanda_t)
libs_use_ld_so(amanda_t)
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index e0fa44a..3a3ba9d 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -71,7 +71,6 @@ kernel_read_kernel_sysctls(apt_t)
# to launch dpkg-preconfigure
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corecmd_exec_sbin(apt_t)
corenet_non_ipsec_sendrecv(apt_t)
corenet_tcp_sendrecv_all_if(apt_t)
diff --git a/policy/modules/admin/certwatch.if b/policy/modules/admin/certwatch.if
index 88ea0ba..535fdd7 100644
--- a/policy/modules/admin/certwatch.if
+++ b/policy/modules/admin/certwatch.if
@@ -16,7 +16,7 @@ interface(`certwatch_domtrans',`
')
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,certwatch_exec_t,certwatch_t)
')
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index 665fab9..8a71957 100644
--- a/policy/modules/admin/consoletype.if
+++ b/policy/modules/admin/consoletype.if
@@ -17,7 +17,7 @@ interface(`consoletype_domtrans',`
type consoletype_t, consoletype_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,consoletype_exec_t,consoletype_t)
')
@@ -68,6 +68,6 @@ interface(`consoletype_exec',`
type consoletype_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,consoletype_exec_t)
')
diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
index 67982aa..4b22c6b 100644
--- a/policy/modules/admin/ddcprobe.te
+++ b/policy/modules/admin/ddcprobe.te
@@ -26,9 +26,8 @@ kernel_change_ring_buffer_level(ddcprobe_t)
files_search_kernel_modules(ddcprobe_t)
-corecmd_list_sbin(ddcprobe_t)
corecmd_list_bin(ddcprobe_t)
-corecmd_exec_sbin(ddcprobe_t)
+corecmd_exec_bin(ddcprobe_t)
dev_read_urand(ddcprobe_t)
dev_read_raw_memory(ddcprobe_t)
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index e1bc978..dc2a3b6 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -23,7 +23,7 @@ interface(`dmesg_domtrans',`
type dmesg_t, dmesg_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domain_auto_trans($1,dmesg_exec_t,dmesg_t)
allow $1 dmesg_t:fd use;
@@ -54,8 +54,7 @@ interface(`dmesg_exec',`
type dmesg_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,dmesg_exec_t)
')
')
-
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 797d07f..6fb2b1a 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -83,9 +83,7 @@ auth_manage_login_records(logrotate_t)
# Run helper programs.
corecmd_exec_bin(logrotate_t)
-corecmd_exec_sbin(logrotate_t)
corecmd_exec_shell(logrotate_t)
-corecmd_exec_ls(logrotate_t)
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
diff --git a/policy/modules/admin/logwatch.te b/policy/modules/admin/logwatch.te
index 2ab7def..e318417 100644
--- a/policy/modules/admin/logwatch.te
+++ b/policy/modules/admin/logwatch.te
@@ -45,12 +45,8 @@ kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
-corecmd_read_sbin_symlinks(logwatch_t)
-corecmd_read_sbin_files(logwatch_t)
corecmd_exec_bin(logwatch_t)
-corecmd_exec_sbin(logwatch_t)
corecmd_exec_shell(logwatch_t)
-corecmd_exec_ls(logwatch_t)
dev_read_urand(logwatch_t)
dev_search_sysfs(logwatch_t)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 6dc3ac3..5ec21f4 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -61,7 +61,6 @@ kernel_read_network_state(mrtg_t)
kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
-corecmd_exec_sbin(mrtg_t)
corecmd_exec_shell(mrtg_t)
corenet_non_ipsec_sendrecv(mrtg_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index b4bde15..f486c97 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -241,7 +241,6 @@ interface(`portage_fetch_domain',`
kernel_read_kernel_sysctls($1)
corecmd_exec_bin($1)
- corecmd_exec_sbin($1)
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_generic_if($1)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index be4fd8f..4335d44 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -88,11 +88,8 @@ kernel_read_system_state(gcc_config_t)
kernel_read_kernel_sysctls(gcc_config_t)
corecmd_exec_shell(gcc_config_t)
-corecmd_exec_ls(gcc_config_t)
corecmd_exec_bin(gcc_config_t)
-corecmd_exec_sbin(gcc_config_t)
corecmd_manage_bin_files(gcc_config_t)
-corecmd_read_sbin_symlinks(gcc_config_t)
files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t)
diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
index 406b489..78151ee 100644
--- a/policy/modules/admin/prelink.if
+++ b/policy/modules/admin/prelink.if
@@ -15,7 +15,7 @@ interface(`prelink_domtrans',`
type prelink_t, prelink_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, prelink_exec_t, prelink_t)
')
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index dcca666..f016c72 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -55,7 +55,6 @@ kernel_dontaudit_search_sysctl(prelink_t)
corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
corecmd_mmap_all_executables(prelink_t)
-corecmd_read_sbin_symlinks(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index b6f6a84..1cab503 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -208,7 +208,6 @@ template(`su_per_role_template',`
auth_use_nsswitch($1_su_t)
corecmd_search_bin($1_su_t)
- corecmd_search_sbin($1_su_t)
domain_use_interactive_fds($1_su_t)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 249c3fc..f3dfaa4 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -94,7 +94,7 @@ template(`sudo_per_role_template',`
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
- corecmd_read_sbin_symlinks($1_sudo_t)
+ corecmd_read_bin_symlinks($1_sudo_t)
corecmd_getattr_all_executables($1_sudo_t)
domain_use_interactive_fds($1_sudo_t)
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index 08b5738..ea0bde2 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -40,7 +40,6 @@ kernel_read_system_state(sxid_t)
kernel_read_kernel_sysctls(sxid_t)
corecmd_exec_bin(sxid_t)
-corecmd_exec_sbin(sxid_t)
corecmd_exec_shell(sxid_t)
corenet_non_ipsec_sendrecv(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.if b/policy/modules/admin/tmpreaper.if
index d43b117..1fc0d7a 100644
--- a/policy/modules/admin/tmpreaper.if
+++ b/policy/modules/admin/tmpreaper.if
@@ -16,6 +16,6 @@ interface(`tmpreaper_exec',`
')
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,tmpreaper_exec_t)
')
diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te
index 04def15..ba03126 100644
--- a/policy/modules/admin/tripwire.te
+++ b/policy/modules/admin/tripwire.te
@@ -74,7 +74,7 @@ kernel_getattr_message_if(tripwire_t)
kernel_read_kernel_sysctls(tripwire_t)
corecmd_exec_shell(tripwire_t)
-corecmd_exec_sbin(tripwire_t)
+corecmd_exec_bin(tripwire_t)
domain_use_interactive_fds(tripwire_t)
diff --git a/policy/modules/admin/updfstab.if b/policy/modules/admin/updfstab.if
index f902aab..d96bd07 100644
--- a/policy/modules/admin/updfstab.if
+++ b/policy/modules/admin/updfstab.if
@@ -16,6 +16,6 @@ interface(`updfstab_domtrans',`
')
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,updfstab_exec_t,updfstab_t)
')
diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
index 8f423ab..df44c1f 100644
--- a/policy/modules/admin/updfstab.te
+++ b/policy/modules/admin/updfstab.te
@@ -53,8 +53,6 @@ storage_write_scsi_generic(updfstab_t)
term_dontaudit_use_console(updfstab_t)
corecmd_exec_bin(updfstab_t)
-corecmd_exec_sbin(updfstab_t)
-corecmd_exec_ls(updfstab_t)
domain_use_interactive_fds(updfstab_t)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 7d0a394..df6cfed 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -67,7 +67,7 @@ interface(`usermanage_domtrans_groupadd',`
')
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,groupadd_exec_t,groupadd_t)
')
@@ -226,7 +226,7 @@ interface(`usermanage_domtrans_useradd',`
')
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,useradd_exec_t,useradd_t)
')
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 9e37d63..01c02fe 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -101,9 +101,6 @@ dev_read_urand(chfn_t)
auth_domtrans_chk_passwd(chfn_t)
auth_dontaudit_read_shadow(chfn_t)
-# can exec /sbin/unix_chkpwd
-corecmd_search_bin(chfn_t)
-corecmd_search_sbin(chfn_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
@@ -170,7 +167,6 @@ files_read_etc_runtime_files(crack_t)
files_read_usr_files(crack_t)
corecmd_exec_bin(crack_t)
-corecmd_dontaudit_search_sbin(crack_t)
libs_use_ld_so(crack_t)
libs_use_shared_libs(crack_t)
@@ -233,7 +229,6 @@ libs_use_shared_libs(groupadd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(groupadd_t)
-corecmd_exec_sbin(groupadd_t)
logging_send_syslog_msg(groupadd_t)
@@ -401,10 +396,7 @@ auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-# allow checking if a shell is executable
-corecmd_check_exec_shell(sysadm_passwd_t)
# allow vipw to exec the editor
-corecmd_search_sbin(sysadm_passwd_t)
corecmd_exec_bin(sysadm_passwd_t)
corecmd_exec_shell(sysadm_passwd_t)
files_read_usr_files(sysadm_passwd_t)
@@ -470,7 +462,6 @@ kernel_read_kernel_sysctls(useradd_t)
corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
-corecmd_exec_sbin(useradd_t)
domain_use_interactive_fds(useradd_t)
diff --git a/policy/modules/admin/vbetool.if b/policy/modules/admin/vbetool.if
index c5faff5..180732c 100644
--- a/policy/modules/admin/vbetool.if
+++ b/policy/modules/admin/vbetool.if
@@ -15,6 +15,6 @@ interface(`vbetool_domtrans',`
type vbetool_t, vbetool_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,vbetool_exec_t,vbetool_t)
')
diff --git a/policy/modules/apps/ethereal.if b/policy/modules/apps/ethereal.if
index 2a2e86d..ed8d897 100644
--- a/policy/modules/apps/ethereal.if
+++ b/policy/modules/apps/ethereal.if
@@ -76,7 +76,7 @@ template(`ethereal_per_role_template',`
# Re-execute itself (why?)
can_exec($1_ethereal_t, ethereal_exec_t)
- corecmd_search_sbin($1_ethereal_t)
+ corecmd_search_bin($1_ethereal_t)
# /home/.ethereal
manage_dirs_pattern($1_ethereal_t,$1_ethereal_home_t,$1_ethereal_home_t)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 17c8b79..dee79e0 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -187,7 +187,7 @@ template(`evolution_per_role_template',`
corecmd_exec_shell($1_evolution_t)
# Run various programs
corecmd_exec_bin($1_evolution_t)
- corecmd_exec_sbin($1_evolution_t)
+ corecmd_exec_bin($1_evolution_t)
corenet_non_ipsec_sendrecv($1_evolution_t)
corenet_tcp_sendrecv_generic_if($1_evolution_t)
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 3337616..dedbd6d 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -90,7 +90,6 @@ template(`games_per_role_template',`
kernel_read_system_state($1_games_t)
corecmd_exec_bin($1_games_t)
- corecmd_exec_sbin($1_games_t)
corenet_non_ipsec_sendrecv($1_games_t)
corenet_tcp_sendrecv_generic_if($1_games_t)
diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index 6cc288b..80669fe 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -34,7 +34,6 @@ ifdef(`targeted_policy',`
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
- corecmd_search_sbin(loadkeys_t)
files_read_etc_files(loadkeys_t)
files_read_etc_runtime_files(loadkeys_t)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 2d2990d..4261617 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -115,7 +115,6 @@ template(`mozilla_per_role_template',`
kernel_read_system_state($1_mozilla_t)
kernel_read_net_sysctls($1_mozilla_t)
- corecmd_search_sbin($1_mozilla_t)
# Look for plugins
corecmd_list_bin($1_mozilla_t)
# for bash - old mozilla binary
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index ad5c105..79b57a2 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -107,11 +107,6 @@ template(`screen_per_role_template',`
corecmd_read_bin_symlinks($1_screen_t)
corecmd_read_bin_pipes($1_screen_t)
corecmd_read_bin_sockets($1_screen_t)
- corecmd_list_sbin($1_screen_t)
- corecmd_read_sbin_symlinks($1_screen_t)
- corecmd_read_sbin_files($1_screen_t)
- corecmd_read_sbin_pipes($1_screen_t)
- corecmd_read_sbin_sockets($1_screen_t)
# Revert to the user domain when a shell is executed.
corecmd_shell_domtrans($1_screen_t,$2)
corecmd_bin_domtrans($1_screen_t,$2)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 38bde70..7edcec6 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -101,9 +101,8 @@ template(`thunderbird_per_role_template',`
kernel_read_net_sysctls($1_thunderbird_t)
kernel_read_system_state($1_thunderbird_t)
- corecmd_exec_shell($1_thunderbird_t)
# Startup shellscript
- corecmd_search_sbin($1_thunderbird_t)
+ corecmd_exec_shell($1_thunderbird_t)
corenet_non_ipsec_sendrecv($1_thunderbird_t)
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index efa6b07..8a662d4 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -151,7 +151,6 @@ template(`uml_per_role_template',`
# for xterm
corecmd_exec_bin($1_uml_t)
- corecmd_exec_sbin($1_uml_t)
corenet_non_ipsec_sendrecv($1_uml_t)
corenet_tcp_sendrecv_generic_if($1_uml_t)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
index 100f140..dac7b45 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -88,7 +88,6 @@ template(`userhelper_per_role_template',`
corecmd_exec_shell($1_userhelper_t)
# By default, revert to the calling domain when a program is executed
corecmd_bin_domtrans($1_userhelper_t,$2)
- corecmd_sbin_domtrans($1_userhelper_t,$2)
# Inherit descriptors from the current session.
domain_use_interactive_fds($1_userhelper_t)
@@ -152,7 +151,6 @@ template(`userhelper_per_role_template',`
userdom_use_unpriv_users_fds($1_userhelper_t)
# Allow $1_userhelper_t to transition to user domains.
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
- userdom_sbin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
ifdef(`distro_redhat',`
@@ -165,7 +163,6 @@ template(`userhelper_per_role_template',`
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
userdom_bin_spec_domtrans_sysadm($1_userhelper_t)
- userdom_sbin_spec_domtrans_sysadm($1_userhelper_t)
userdom_entry_spec_domtrans_sysadm($1_userhelper_t)
')
diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te
index e45c4a7..f2bcebf 100644
--- a/policy/modules/apps/usernetctl.te
+++ b/policy/modules/apps/usernetctl.te
@@ -37,8 +37,6 @@ kernel_read_kernel_sysctls(usernetctl_t)
corecmd_list_bin(usernetctl_t)
corecmd_exec_bin(usernetctl_t)
-corecmd_list_sbin(usernetctl_t)
-corecmd_exec_sbin(usernetctl_t)
corecmd_exec_shell(usernetctl_t)
domain_dontaudit_read_all_domains_state(usernetctl_t)
diff --git a/policy/modules/apps/yam.if b/policy/modules/apps/yam.if
index cb13e77..0b56313 100644
--- a/policy/modules/apps/yam.if
+++ b/policy/modules/apps/yam.if
@@ -15,7 +15,7 @@ interface(`yam_domtrans',`
type yam_t, yam_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,yam_exec_t,yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index e112a5d..068d138 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -8,7 +8,6 @@
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
-/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -16,17 +15,17 @@
#
# /dev
#
-/dev/MAKEDEV -- gen_context(system_u:object_r:sbin_t,s0)
+/dev/MAKEDEV -- gen_context(system_u:object_r:bin_t,s0)
#
# /emul
#
ifdef(`distro_redhat',`
/emul/ia32-linux/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/emul/ia32-linux/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/emul/ia32-linux/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/emul/ia32-linux/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
')
@@ -37,14 +36,14 @@ ifdef(`distro_redhat',`
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
-/etc/hotplug/.*agent -- gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/.*rc -- gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:sbin_t,s0)
-/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:sbin_t,s0)
+/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
+/etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
/etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
-/etc/netplug\.d(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
@@ -82,7 +81,7 @@ ifdef(`targeted_policy',`
#
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/udev/scsi_id -- gen_context(system_u:object_r:sbin_t,s0)
+/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_gentoo',`
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -94,10 +93,10 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
-/sbin -d gen_context(system_u:object_r:sbin_t,s0)
-/sbin/.* gen_context(system_u:object_r:sbin_t,s0)
-/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:sbin_t,s0)
-/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:sbin_t,s0)
+/sbin -d gen_context(system_u:object_r:bin_t,s0)
+/sbin/.* gen_context(system_u:object_r:bin_t,s0)
+/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
#
# /opt
@@ -106,7 +105,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
ifdef(`distro_gentoo',`
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
@@ -122,8 +121,8 @@ ifdef(`distro_gentoo',`
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
-/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
@@ -136,7 +135,7 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -148,9 +147,9 @@ ifdef(`distro_gentoo',`
/usr/lib(64)?/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:sbin_t,s0)
+/usr/lib(64)?/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
@@ -164,7 +163,7 @@ ifdef(`distro_gentoo',`
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
+/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -245,7 +244,6 @@ ifdef(`distro_suse', `
/var/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/var/ftp/bin/ls -- gen_context(system_u:object_r:ls_exec_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9c7095c..cb69796 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -84,7 +84,7 @@ interface(`corecmd_bin_entry_type',`
########################################
## <summary>
## Make general progams in sbin an entrypoint for
-## the specified domain.
+## the specified domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -93,11 +93,8 @@ interface(`corecmd_bin_entry_type',`
## </param>
#
interface(`corecmd_sbin_entry_type',`
- gen_require(`
- type sbin_t;
- ')
-
- domain_entry_file($1,sbin_t)
+ corecmd_bin_entry_type($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.')
')
########################################
@@ -138,6 +135,24 @@ interface(`corecmd_search_bin',`
########################################
## <summary>
+## Do not audit attempts to search the contents of bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_search_bin',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## List the contents of bin directories.
## </summary>
## <param name="domain">
@@ -156,6 +171,24 @@ interface(`corecmd_list_bin',`
########################################
## <summary>
+## Do not auidt attempts to write bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_dontaudit_write_bin_dirs',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ dontaudit $1 bin_t:dir write;
+')
+
+########################################
+## <summary>
## Get the attributes of files in bin directories.
## </summary>
## <param name="domain">
@@ -410,7 +443,7 @@ interface(`corecmd_bin_domtrans',`
########################################
## <summary>
-## Search the contents of sbin directories.
+## Search the contents of sbin directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -419,17 +452,14 @@ interface(`corecmd_bin_domtrans',`
## </param>
#
interface(`corecmd_search_sbin',`
- gen_require(`
- type sbin_t;
- ')
-
- allow $1 sbin_t:dir search_dir_perms;
+ corecmd_search_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
')
########################################
## <summary>
## Do not audit attempts to search
-## sbin directories.
+## sbin directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -438,16 +468,13 @@ interface(`corecmd_search_sbin',`
## </param>
#
interface(`corecmd_dontaudit_search_sbin',`
- gen_require(`
- type sbin_t;
- ')
-
- dontaudit $1 sbin_t:dir search_dir_perms;
+ corecmd_dontaudit_search_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.')
')
########################################
## <summary>
-## List the contents of sbin directories.
+## List the contents of sbin directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -456,17 +483,14 @@ interface(`corecmd_dontaudit_search_sbin',`
## </param>
#
interface(`corecmd_list_sbin',`
- gen_require(`
- type sbin_t;
- ')
-
- list_dirs_pattern($1,sbin_t,sbin_t)
+ corecmd_list_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.')
')
########################################
## <summary>
## Do not audit attempts to write
-## sbin directories.
+## sbin directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -475,16 +499,13 @@ interface(`corecmd_list_sbin',`
## </param>
#
interface(`corecmd_dontaudit_write_sbin_dirs',`
- gen_require(`
- type sbin_t;
- ')
-
- dontaudit $1 sbin_t:dir write;
+ corecmd_dontaudit_write_bin_dirs($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.')
')
########################################
## <summary>
-## Get the attributes of sbin files.
+## Get the attributes of sbin files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -493,17 +514,14 @@ interface(`corecmd_dontaudit_write_sbin_dirs',`
## </param>
#
interface(`corecmd_getattr_sbin_files',`
- gen_require(`
- type sbin_t;
- ')
-
- getattr_files_pattern($1,sbin_t,sbin_t)
+ corecmd_getattr_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.')
')
########################################
## <summary>
## Do not audit attempts to get the attibutes
-## of sbin files.
+## of sbin files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -512,16 +530,13 @@ interface(`corecmd_getattr_sbin_files',`
## </param>
#
interface(`corecmd_dontaudit_getattr_sbin_files',`
- gen_require(`
- type sbin_t;
- ')
-
- dontaudit $1 sbin_t:file getattr;
+ corecmd_dontaudit_getattr_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.')
')
########################################
## <summary>
-## Read files in sbin directories.
+## Read files in sbin directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -530,16 +545,13 @@ interface(`corecmd_dontaudit_getattr_sbin_files',`
## </param>
#
interface(`corecmd_read_sbin_files',`
- gen_require(`
- type sbin_t;
- ')
-
- read_files_pattern($1,sbin_t,sbin_t)
+ corecmd_read_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.')
')
########################################
## <summary>
-## Read symbolic links in sbin directories.
+## Read symbolic links in sbin directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -548,16 +560,13 @@ interface(`corecmd_read_sbin_files',`
## </param>
#
interface(`corecmd_read_sbin_symlinks',`
- gen_require(`
- type sbin_t;
- ')
-
- read_lnk_files_pattern($1,sbin_t,sbin_t)
+ corecmd_read_bin_symlinks($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.')
')
########################################
## <summary>
-## Read named pipes in sbin directories.
+## Read named pipes in sbin directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -566,16 +575,13 @@ interface(`corecmd_read_sbin_symlinks',`
## </param>
#
interface(`corecmd_read_sbin_pipes',`
- gen_require(`
- type sbin_t;
- ')
-
- read_fifo_files_pattern($1,sbin_t,sbin_t)
+ corecmd_read_bin_pipes($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.')
')
########################################
## <summary>
-## Read named sockets in sbin directories.
+## Read named sockets in sbin directories. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -584,17 +590,14 @@ interface(`corecmd_read_sbin_pipes',`
## </param>
#
interface(`corecmd_read_sbin_sockets',`
- gen_require(`
- type sbin_t;
- ')
-
- read_sock_files_pattern($1,sbin_t,sbin_t)
+ corecmd_read_bin_sockets($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.')
')
########################################
## <summary>
## Execute generic programs in sbin directories,
-## in the caller domain.
+## in the caller domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -603,18 +606,13 @@ interface(`corecmd_read_sbin_sockets',`
## </param>
#
interface(`corecmd_exec_sbin',`
- gen_require(`
- type sbin_t;
- ')
-
- list_dirs_pattern($1,sbin_t,sbin_t)
- read_lnk_files_pattern($1,sbin_t,sbin_t)
- can_exec($1,sbin_t)
+ corecmd_exec_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
')
########################################
## <summary>
-## Create, read, write, and delete sbin files.
+## Create, read, write, and delete sbin files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -624,16 +622,13 @@ interface(`corecmd_exec_sbin',`
#
# cjp: added for prelink
interface(`corecmd_manage_sbin_files',`
- gen_require(`
- type sbin_t;
- ')
-
- manage_files_pattern($1,sbin_t,sbin_t)
+ corecmd_manage_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.')
')
########################################
## <summary>
-## Relabel to and from the sbin type.
+## Relabel to and from the sbin type. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -643,16 +638,13 @@ interface(`corecmd_manage_sbin_files',`
#
# cjp: added for prelink
interface(`corecmd_relabel_sbin_files',`
- gen_require(`
- type sbin_t;
- ')
-
- relabel_files_pattern($1,sbin_t,sbin_t)
+ corecmd_relabel_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.')
')
########################################
## <summary>
-## Mmap a sbin file as executable.
+## Mmap a sbin file as executable. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -662,18 +654,14 @@ interface(`corecmd_relabel_sbin_files',`
#
# cjp: added for prelink
interface(`corecmd_mmap_sbin_files',`
- gen_require(`
- type sbin_t;
- ')
-
- allow $1 sbin_t:dir search_dir_perms;
- allow $1 sbin_t:file { getattr read execute };
+ corecmd_mmap_bin_files($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.')
')
########################################
## <summary>
## Execute a file in a sbin directory
-## in the specified domain.
+## in the specified domain. (Deprecated)
## </summary>
## <desc>
## <p>
@@ -681,7 +669,7 @@ interface(`corecmd_mmap_sbin_files',`
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
-## domain. This is not suggested.
+## domain. This is not suggested. (Deprecated)
## </p>
## <p>
## No interprocess communication (signals, pipes,
@@ -705,12 +693,8 @@ interface(`corecmd_mmap_sbin_files',`
## </param>
#
interface(`corecmd_sbin_domtrans',`
- gen_require(`
- type sbin_t;
- ')
-
- read_lnk_files_pattern($1,sbin_t,sbin_t)
- domain_auto_transition_pattern($1,sbin_t,$2)
+ corecmd_bin_domtrans($1,$2,$3)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
')
########################################
@@ -718,7 +702,7 @@ interface(`corecmd_sbin_domtrans',`
## Execute a file in a sbin directory
## in the specified domain but do not
## do it automatically. This is an explicit
-## transition, requiring the caller to use setexeccon().
+## transition, requiring the caller to use setexeccon(). (Deprecated)
## </summary>
## <desc>
## <p>
@@ -726,7 +710,7 @@ interface(`corecmd_sbin_domtrans',`
## in the specified domain. This allows
## the specified domain to execute any file
## on these filesystems in the specified
-## domain. This is not suggested.
+## domain. This is not suggested. (Deprecated)
## </p>
## <p>
## No interprocess communication (signals, pipes,
@@ -750,12 +734,8 @@ interface(`corecmd_sbin_domtrans',`
## </param>
#
interface(`corecmd_sbin_spec_domtrans',`
- gen_require(`
- type sbin_t;
- ')
-
- read_lnk_files_pattern($1,sbin_t,sbin_t)
- domain_transition_pattern($1,sbin_t,$2)
+ corecmd_bin_spec_domtrans($1,$2,$3)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
')
########################################
@@ -800,7 +780,7 @@ interface(`corecmd_exec_shell',`
########################################
## <summary>
-## Execute ls in the caller domain.
+## Execute ls in the caller domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -809,13 +789,8 @@ interface(`corecmd_exec_shell',`
## </param>
#
interface(`corecmd_exec_ls',`
- gen_require(`
- type bin_t, ls_exec_t;
- ')
-
- list_dirs_pattern($1,bin_t,bin_t)
- read_lnk_files_pattern($1,bin_t,bin_t)
- can_exec($1,ls_exec_t)
+ corecmd_exec_bin($1)
+ refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
')
########################################
@@ -925,11 +900,11 @@ interface(`corecmd_exec_chroot',`
interface(`corecmd_getattr_all_executables',`
gen_require(`
attribute exec_type;
- type bin_t, sbin_t;
+ type bin_t;
')
- allow $1 { bin_t sbin_t }:dir list_dir_perms;
- getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
+ allow $1 bin_t:dir list_dir_perms;
+ getattr_files_pattern($1,bin_t,exec_type)
')
########################################
@@ -946,12 +921,12 @@ interface(`corecmd_getattr_all_executables',`
interface(`corecmd_exec_all_executables',`
gen_require(`
attribute exec_type;
- type bin_t, sbin_t;
+ type bin_t;
')
can_exec($1,exec_type)
- list_dirs_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
- read_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
+ list_dirs_pattern($1,bin_t,bin_t)
+ read_lnk_files_pattern($1,bin_t,exec_type)
')
########################################
@@ -968,11 +943,11 @@ interface(`corecmd_exec_all_executables',`
interface(`corecmd_manage_all_executables',`
gen_require(`
attribute exec_type;
- type bin_t, sbin_t;
+ type bin_t;
')
- manage_files_pattern($1,{ bin_t sbin_t },exec_type)
- manage_lnk_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
+ manage_files_pattern($1,bin_t,exec_type)
+ manage_lnk_files_pattern($1,bin_t,bin_t)
')
########################################
@@ -989,9 +964,10 @@ interface(`corecmd_manage_all_executables',`
interface(`corecmd_relabel_all_executables',`
gen_require(`
attribute exec_type;
+ type bin_t;
')
- allow $1 exec_type:file relabel_file_perms;
+ relabel_files_pattern($1,bin_t,exec_type)
')
########################################
@@ -1007,7 +983,8 @@ interface(`corecmd_relabel_all_executables',`
interface(`corecmd_mmap_all_executables',`
gen_require(`
attribute exec_type;
+ type bin_t;
')
- allow $1 exec_type:file { getattr read execute };
+ mmap_files_pattern($1,bin_t,exec_type)
')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 2bf8ae0..288e15d 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.5.3)
+policy_module(corecommands,1.5.4)
########################################
#
@@ -12,24 +12,12 @@ policy_module(corecommands,1.5.3)
attribute exec_type;
#
-# bin_t is the type of files in the system bin directories.
+# bin_t is the type of files in the system bin/sbin directories.
#
-type bin_t;
+type bin_t alias { ls_exec_t sbin_t };
corecmd_executable_file(bin_t)
#
-# sbin_t is the type of files in the system sbin directories.
-#
-type sbin_t;
-corecmd_executable_file(sbin_t)
-
-#
-# ls_exec_t is the type of the ls program.
-#
-type ls_exec_t;
-corecmd_executable_file(ls_exec_t)
-
-#
# shell_exec_t is the type of user shells such as /bin/bash.
#
type shell_exec_t;
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 81d2a2a..1e6bbcf 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -230,7 +230,7 @@ selinux_load_policy(kernel_t)
term_use_console(kernel_t)
corecmd_exec_shell(kernel_t)
-corecmd_list_sbin(kernel_t)
+corecmd_list_bin(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecmd_exec_bin(kernel_t)
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 2e5f50d..7f602c5 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -15,7 +15,7 @@ interface(`aide_domtrans',`
type aide_t, aide_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,aide_exec_t,aide_t)
')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 219112e..5013665 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -97,7 +97,6 @@ kernel_dontaudit_read_system_state(amavis_t)
# find perl
corecmd_exec_bin(amavis_t)
-corecmd_search_sbin(amavis_t)
corenet_non_ipsec_sendrecv(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 5b38902..f20bbc8 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -392,7 +392,7 @@ interface(`apache_domtrans',`
type httpd_t, httpd_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,httpd_exec_t,httpd_t)
')
@@ -593,7 +593,7 @@ interface(`apache_domtrans_helper',`
type httpd_helper_t, httpd_helper_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,httpd_helper_exec_t,httpd_helper_t)
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index abfc256..c11832c 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -238,7 +238,6 @@ auth_use_nsswitch(httpd_t)
# execute perl
corecmd_exec_bin(httpd_t)
-corecmd_exec_sbin(httpd_t)
corecmd_exec_shell(httpd_t)
domain_use_interactive_fds(httpd_t)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 892edc9..cfba06b 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -63,7 +63,7 @@ dev_read_sysfs(arpwatch_t)
fs_getattr_all_fs(arpwatch_t)
fs_search_auto_mountpoints(arpwatch_t)
-corecmd_read_sbin_symlinks(arpwatch_t)
+corecmd_read_bin_symlinks(arpwatch_t)
domain_use_interactive_fds(arpwatch_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 04200a5..b2098dd 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -80,7 +80,7 @@ kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
corecmd_exec_bin(asterisk_t)
-corecmd_search_sbin(asterisk_t)
+corecmd_search_bin(asterisk_t)
corenet_non_ipsec_sendrecv(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
index ac6cf1b..6306fbd 100644
--- a/policy/modules/services/automount.if
+++ b/policy/modules/services/automount.if
@@ -15,7 +15,7 @@ interface(`automount_domtrans',`
type automount_t, automount_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, automount_exec_t, automount_t)
')
@@ -34,7 +34,7 @@ interface(`automount_exec_config',`
type automount_etc_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,automount_etc_t)
')
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index dc1b5d3..4e11797 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -73,7 +73,6 @@ files_unmount_all_file_type_fs(automount_t)
fs_mount_all_fs(automount_t)
fs_unmount_all_fs(automount_t)
-corecmd_exec_sbin(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index d710098..cec18b0 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -117,7 +117,7 @@ dev_read_rand(named_t)
fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
-corecmd_search_sbin(named_t)
+corecmd_search_bin(named_t)
dev_read_urand(named_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 0bc9fb4..4d1557c 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -64,7 +64,7 @@ files_pid_filetrans(ccs_t,ccs_var_run_t, { dir file sock_file })
kernel_read_kernel_sysctls(ccs_t)
-corecmd_list_sbin(ccs_t)
+corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
corenet_non_ipsec_sendrecv(ccs_t)
@@ -97,7 +97,7 @@ miscfiles_read_localization(ccs_t)
sysnet_dns_name_resolve(ccs_t)
ifdef(`hide_broken_symptoms', `
- corecmd_dontaudit_write_sbin_dirs(ccs_t)
+ corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')
diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
index 3212495..c1c1bc3 100644
--- a/policy/modules/services/cipe.te
+++ b/policy/modules/services/cipe.te
@@ -28,7 +28,6 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
-corecmd_exec_sbin(ciped_t)
corenet_non_ipsec_sendrecv(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 6a8d8dc..2ff586c 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -50,7 +50,7 @@ allow courier_authdaemon_t courier_tcpd_t:fd use;
allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
-corecmd_search_sbin(courier_authdaemon_t)
+corecmd_search_bin(courier_authdaemon_t)
# for SSP
dev_read_urand(courier_authdaemon_t)
@@ -116,7 +116,7 @@ manage_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
manage_lnk_files_pattern(courier_tcpd_t,courier_var_lib_t,courier_var_lib_t)
files_search_var_lib(courier_tcpd_t)
-corecmd_search_sbin(courier_tcpd_t)
+corecmd_search_bin(courier_tcpd_t)
corenet_tcp_bind_all_nodes(courier_tcpd_t)
corenet_tcp_bind_pop_port(courier_tcpd_t)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 1c56bb1..b7fab36 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -214,7 +214,6 @@ template(`cron_per_role_template',`
# Run helper programs as the user domain
corecmd_bin_domtrans($1_crontab_t,$2)
- corecmd_sbin_domtrans($1_crontab_t,$2)
corecmd_shell_domtrans($1_crontab_t,$2)
domain_use_interactive_fds($1_crontab_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 38e8983..bb08029 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -117,8 +117,8 @@ fs_search_auto_mountpoints(crond_t)
auth_domtrans_chk_passwd(crond_t)
corecmd_exec_shell(crond_t)
-corecmd_list_sbin(crond_t)
-corecmd_read_sbin_symlinks(crond_t)
+corecmd_list_bin(crond_t)
+corecmd_read_bin_symlinks(crond_t)
domain_use_interactive_fds(crond_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 0e1bb40..e4dd9c3 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -182,7 +182,6 @@ auth_dontaudit_read_pam_pid(cupsd_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
corecmd_exec_bin(cupsd_t)
-corecmd_exec_sbin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
@@ -357,7 +356,6 @@ fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
corecmd_exec_bin(cupsd_config_t)
-corecmd_exec_sbin(cupsd_config_t)
corecmd_exec_shell(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
@@ -596,7 +594,6 @@ fs_search_auto_mountpoints(hplip_t)
# for python
corecmd_exec_bin(hplip_t)
-corecmd_search_sbin(hplip_t)
domain_use_interactive_fds(hplip_t)
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index c45ec7f..35ddd02 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -62,7 +62,6 @@ fs_getattr_xattr_fs(cvs_t)
auth_domtrans_chk_passwd(cvs_t)
corecmd_exec_bin(cvs_t)
-corecmd_exec_sbin(cvs_t)
corecmd_exec_shell(cvs_t)
files_read_etc_files(cvs_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 02a89a7..caae921 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -108,11 +108,6 @@ template(`dbus_per_role_template',`
corecmd_read_bin_files($1_dbusd_t)
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
- corecmd_list_sbin($1_dbusd_t)
- corecmd_read_sbin_symlinks($1_dbusd_t)
- corecmd_read_sbin_files($1_dbusd_t)
- corecmd_read_sbin_pipes($1_dbusd_t)
- corecmd_read_sbin_sockets($1_dbusd_t)
corenet_non_ipsec_sendrecv($1_dbusd_t)
corenet_tcp_sendrecv_all_if($1_dbusd_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 27d83f1..f778563 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -76,16 +76,9 @@ auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
-corecmd_read_bin_symlinks(system_dbusd_t)
-corecmd_read_bin_files(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
-corecmd_list_sbin(system_dbusd_t)
-corecmd_read_sbin_symlinks(system_dbusd_t)
-corecmd_read_sbin_files(system_dbusd_t)
-corecmd_read_sbin_pipes(system_dbusd_t)
-corecmd_read_sbin_sockets(system_dbusd_t)
-corecmd_exec_sbin(system_dbusd_t)
+corecmd_exec_bin(system_dbusd_t)
domain_use_interactive_fds(system_dbusd_t)
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 867ee4c..1717921 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -15,7 +15,7 @@ interface(`dcc_domtrans_cdcc',`
type cdcc_t, cdcc_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,cdcc_exec_t,cdcc_t)
')
@@ -66,7 +66,7 @@ interface(`dcc_domtrans_client',`
type dcc_client_t, dcc_client_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,dcc_client_exec_t,dcc_client_t)
')
@@ -117,7 +117,7 @@ interface(`dcc_domtrans_dbclean',`
type dcc_dbclean_t, dcc_dbclean_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,dcc_dbclean_exec_t,dcc_dbclean_t)
')
diff --git a/policy/modules/services/ddclient.if b/policy/modules/services/ddclient.if
index 1afdd21..06d54c7 100644
--- a/policy/modules/services/ddclient.if
+++ b/policy/modules/services/ddclient.if
@@ -15,6 +15,6 @@ interface(`ddclient_domtrans',`
type ddclient_t, ddclient_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, ddclient_exec_t, ddclient_t)
')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 62a6892..81fdde9 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -79,7 +79,6 @@ fs_getattr_all_fs(dhcpd_t)
fs_search_auto_mountpoints(dhcpd_t)
corecmd_exec_bin(dhcpd_t)
-corecmd_exec_sbin(dhcpd_t)
domain_use_interactive_fds(dhcpd_t)
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index e3e25e8..9723b93 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -61,7 +61,7 @@ fs_getattr_all_fs(distccd_t)
fs_search_auto_mountpoints(distccd_t)
corecmd_exec_bin(distccd_t)
-corecmd_read_sbin_symlinks(distccd_t)
+corecmd_read_bin_symlinks(distccd_t)
domain_use_interactive_fds(distccd_t)
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 1a45537..360a251 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -38,7 +38,6 @@ files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
kernel_read_system_state(fail2ban_t)
-corecmd_search_sbin(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index f7b44ec..f5480a6 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -68,7 +68,6 @@ term_getattr_all_user_ptys(fingerd_t)
auth_read_lastlog(fingerd_t)
corecmd_exec_bin(fingerd_t)
-corecmd_exec_sbin(fingerd_t)
corecmd_exec_shell(fingerd_t)
domain_use_interactive_fds(fingerd_t)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 954a746..31585d1 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -85,7 +85,7 @@ interface(`ftp_check_exec',`
type ftpd_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
allow $1 ftpd_exec_t:file x_file_perms;
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index f4e0a1b..3138f0c 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -86,10 +86,6 @@ dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
-corecmd_exec_sbin(ftpd_t)
-# Execute /bin/ls (can comment this out for proftpd)
-# also may need rules to allow tar etc...
-corecmd_exec_ls(ftpd_t)
corenet_non_ipsec_sendrecv(ftpd_t)
corenet_tcp_sendrecv_all_if(ftpd_t)
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index 3cb6590..1ee2fd5 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -51,7 +51,7 @@ files_pid_filetrans(gatekeeper_t,gatekeeper_var_run_t,file)
kernel_read_system_state(gatekeeper_t)
kernel_read_kernel_sysctls(gatekeeper_t)
-corecmd_list_sbin(gatekeeper_t)
+corecmd_list_bin(gatekeeper_t)
corenet_non_ipsec_sendrecv(gatekeeper_t)
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index 1eadc3f..84f45a8 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -55,7 +55,6 @@ dev_read_sysfs(i18n_input_t)
fs_getattr_all_fs(i18n_input_t)
fs_search_auto_mountpoints(i18n_input_t)
-corecmd_search_sbin(i18n_input_t)
corecmd_search_bin(i18n_input_t)
corecmd_exec_bin(i18n_input_t)
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
index b5e88d5..1353392 100644
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
@@ -164,7 +164,7 @@ interface(`inetd_domtrans_child',`
type inetd_child_t, inetd_child_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,inetd_child_exec_t,inetd_child_t)
')
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index d3846af..c746cd4 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -118,7 +118,7 @@ selinux_compute_create_context(inetd_t)
# Run other daemons in the inetd_child_t domain.
corecmd_search_bin(inetd_t)
-corecmd_read_sbin_symlinks(inetd_t)
+corecmd_read_bin_symlinks(inetd_t)
domain_use_interactive_fds(inetd_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 698a75f..a89e978 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -84,8 +84,6 @@ fs_search_auto_mountpoints(innd_t)
corecmd_exec_bin(innd_t)
corecmd_exec_shell(innd_t)
-corecmd_search_sbin(innd_t)
-corecmd_read_sbin_symlinks(innd_t)
domain_use_interactive_fds(innd_t)
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index 32789b6..761d77a 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -48,7 +48,7 @@ files_pid_filetrans(ircd_t,ircd_var_run_t,file)
kernel_read_system_state(ircd_t)
kernel_read_kernel_sysctls(ircd_t)
-corecmd_search_sbin(ircd_t)
+corecmd_search_bin(ircd_t)
corenet_non_ipsec_sendrecv(ircd_t)
corenet_tcp_sendrecv_generic_if(ircd_t)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index faa3779..a384b13 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -183,7 +183,6 @@ kernel_read_proc_symlinks(krb5kdc_t)
kernel_read_network_state(krb5kdc_t)
kernel_search_network_sysctl(krb5kdc_t)
-corecmd_exec_sbin(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
corenet_non_ipsec_sendrecv(krb5kdc_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 8f329e0..5d74d24 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -80,7 +80,6 @@ dev_append_printer(checkpc_t)
# This is less desirable, but checkpc demands /bin/bash and /bin/chown:
corecmd_exec_shell(checkpc_t)
corecmd_exec_bin(checkpc_t)
-corecmd_search_sbin(checkpc_t)
domain_use_interactive_fds(checkpc_t)
@@ -170,7 +169,6 @@ fs_search_auto_mountpoints(lpd_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_bin(lpd_t)
-corecmd_exec_sbin(lpd_t)
corecmd_exec_shell(lpd_t)
domain_use_interactive_fds(lpd_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 768578b..c527eee 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -81,7 +81,6 @@ template(`mta_base_mail_template',`
corenet_sendrecv_smtp_client_packets($1_mail_t)
corecmd_exec_bin($1_mail_t)
- corecmd_search_sbin($1_mail_t)
files_read_etc_files($1_mail_t)
files_search_spool($1_mail_t)
@@ -497,7 +496,7 @@ interface(`mta_sendmail_domtrans',`
')
files_search_usr($1)
- corecmd_read_sbin_symlinks($1)
+ corecmd_read_bin_symlinks($1)
domain_auto_trans($1,sendmail_exec_t,$2)
')
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index d3aa61b..7946bb9 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -195,7 +195,6 @@ kernel_read_kernel_sysctls(nrpe_t)
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-corecmd_exec_ls(nrpe_t)
dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index eb61623..f85bade 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -71,8 +71,6 @@ selinux_dontaudit_search_fs(NetworkManager_t)
corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
-corecmd_exec_sbin(NetworkManager_t)
-corecmd_exec_ls(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 1634307..0c8612f 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -241,6 +241,5 @@ interface(`nis_domtrans_ypxfr',`
')
corecmd_search_bin($1)
- corecmd_search_sbin($1)
domtrans_pattern($1,ypxfr_exec_t,ypxfr_t)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 5c03ae2..d3d5186 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -180,7 +180,6 @@ auth_etc_filetrans_shadow(yppasswdd_t)
corecmd_exec_bin(yppasswdd_t)
corecmd_exec_shell(yppasswdd_t)
-corecmd_search_sbin(yppasswdd_t)
domain_use_interactive_fds(yppasswdd_t)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 80d8f6d..7412c97 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -33,7 +33,7 @@ interface(`nscd_domtrans',`
type nscd_t, nscd_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,nscd_exec_t,nscd_t)
')
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index f633719..0151d27 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -146,7 +146,6 @@ can_exec(nsd_crond_t,nsd_exec_t)
kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
-corecmd_exec_sbin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
corenet_non_ipsec_sendrecv(nsd_crond_t)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 8752184..ab5a15f 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -31,7 +31,7 @@ interface(`ntp_domtrans',`
type ntpd_t, ntpd_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,ntpd_exec_t,ntpd_t)
')
@@ -50,6 +50,6 @@ interface(`ntp_domtrans_ntpdate',`
type ntpd_t, ntpdate_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index f10d484..9cdb6b9 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -85,8 +85,6 @@ fs_search_auto_mountpoints(ntpd_t)
auth_use_nsswitch(ntpd_t)
corecmd_exec_bin(ntpd_t)
-corecmd_exec_sbin(ntpd_t)
-corecmd_exec_ls(ntpd_t)
corecmd_exec_shell(ntpd_t)
domain_use_interactive_fds(ntpd_t)
diff --git a/policy/modules/services/oav.if b/policy/modules/services/oav.if
index 5e08305..cf56dfb 100644
--- a/policy/modules/services/oav.if
+++ b/policy/modules/services/oav.if
@@ -15,7 +15,7 @@ interface(`oav_domtrans_update',`
type oav_update_t, oav_update_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,oav_update_exec_t,oav_update_t)
')
diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
index ccb8423..7e8a9d4 100644
--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
@@ -38,7 +38,6 @@ files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
kernel_read_system_state(oddjob_t)
-corecmd_exec_sbin(oddjob_t)
corecmd_exec_bin(oddjob_t)
corecmd_exec_shell(oddjob_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8bd4fca..27ad69e 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -51,7 +51,6 @@ kernel_read_network_state(openvpn_t)
kernel_read_system_state(openvpn_t)
corecmd_exec_bin(openvpn_t)
-corecmd_exec_sbin(openvpn_t)
corecmd_exec_shell(openvpn_t)
corenet_non_ipsec_sendrecv(openvpn_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 54a35ee..341ba02 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -84,7 +84,6 @@ corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
-corecmd_exec_sbin(pegasus_t)
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index fe1defd..a40154a 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -69,10 +69,6 @@ template(`postfix_domain_template',`
term_dontaudit_use_console(postfix_$1_t)
- corecmd_list_bin(postfix_$1_t)
- corecmd_list_sbin(postfix_$1_t)
- corecmd_read_bin_symlinks(postfix_$1_t)
- corecmd_read_sbin_symlinks(postfix_$1_t)
corecmd_exec_shell(postfix_$1_t)
files_read_etc_files(postfix_$1_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 694a8cc..b8caa7a 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -151,8 +151,6 @@ corenet_sendrecv_all_client_packets(postfix_master_t)
# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
-corecmd_exec_ls(postfix_master_t)
-corecmd_exec_sbin(postfix_master_t)
corecmd_exec_shell(postfix_master_t)
corecmd_exec_bin(postfix_master_t)
@@ -326,11 +324,6 @@ corecmd_read_bin_symlinks(postfix_map_t)
corecmd_read_bin_files(postfix_map_t)
corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
-corecmd_list_sbin(postfix_map_t)
-corecmd_read_sbin_symlinks(postfix_map_t)
-corecmd_read_sbin_files(postfix_map_t)
-corecmd_read_sbin_pipes(postfix_map_t)
-corecmd_read_sbin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 9e99350..64366be 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -104,8 +104,6 @@ fs_search_auto_mountpoints(postgresql_t)
term_use_controlling_term(postgresql_t)
corecmd_exec_bin(postgresql_t)
-corecmd_exec_ls(postgresql_t)
-corecmd_exec_sbin(postgresql_t)
corecmd_exec_shell(postgresql_t)
domain_dontaudit_list_all_domains_state(postgresql_t)
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index e3f35dc..a7a3f47 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -45,7 +45,6 @@ kernel_read_kernel_sysctls(postgrey_t)
# for perl
corecmd_search_bin(postgrey_t)
-corecmd_search_sbin(postgrey_t)
corenet_non_ipsec_sendrecv(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
index 036f91e..9a2883c 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -89,7 +89,7 @@ interface(`ppp_domtrans',`
type pppd_t, pppd_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, pppd_exec_t, pppd_t)
')
@@ -153,7 +153,7 @@ interface(`ppp_exec',`
type pppd_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1, pppd_exec_t)
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index e59eaa8..7b7d00a 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -133,7 +133,6 @@ term_create_pty(pppd_t,pppd_devpts_t)
# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
-corecmd_exec_sbin(pppd_t)
corecmd_exec_shell(pppd_t)
domain_use_interactive_fds(pppd_t)
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 77d5437..ccd8fac 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -55,8 +55,6 @@ auth_use_nsswitch(procmail_t)
corecmd_exec_bin(procmail_t)
corecmd_exec_shell(procmail_t)
-corecmd_dontaudit_search_sbin(procmail_t)
-corecmd_exec_ls(procmail_t)
files_read_etc_files(procmail_t)
files_read_etc_runtime_files(procmail_t)
diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if
index 6cb2442..4c90a54 100644
--- a/policy/modules/services/qmail.if
+++ b/policy/modules/services/qmail.if
@@ -113,7 +113,7 @@ interface(`qmail_domtrans_inject',`
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
',`
files_search_var($1)
corecmd_search_bin($1)
@@ -140,7 +140,7 @@ interface(`qmail_domtrans_queue',`
ifdef(`distro_debian',`
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
',`
files_search_var($1)
corecmd_search_bin($1)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 96ee18a..67bfb6b 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -80,7 +80,6 @@ allow qmail_inject_t self:process signal_perms;
allow qmail_inject_t qmail_queue_exec_t:file read;
corecmd_search_bin(qmail_inject_t)
-corecmd_search_sbin(qmail_inject_t)
files_search_var(qmail_inject_t)
@@ -109,7 +108,6 @@ allow qmail_local_t qmail_spool_t:file read_file_perms;
kernel_read_system_state(qmail_local_t)
corecmd_exec_shell(qmail_local_t)
-corecmd_search_sbin(qmail_local_t)
files_read_etc_files(qmail_local_t)
files_read_etc_runtime_files(qmail_local_t)
@@ -135,7 +133,7 @@ allow qmail_lspawn_t qmail_local_exec_t:file read;
read_files_pattern(qmail_lspawn_t,qmail_spool_t,qmail_spool_t)
-corecmd_search_sbin(qmail_lspawn_t)
+corecmd_search_bin(qmail_lspawn_t)
files_read_etc_files(qmail_lspawn_t)
files_search_pids(qmail_lspawn_t)
@@ -202,7 +200,6 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read;
rw_files_pattern(qmail_rspawn_t,qmail_spool_t,qmail_spool_t)
corecmd_search_bin(qmail_rspawn_t)
-corecmd_search_sbin(qmail_rspawn_t)
########################################
#
@@ -276,7 +273,6 @@ allow qmail_start_t self:process signal_perms;
can_exec(qmail_start_t, qmail_start_exec_t)
corecmd_search_bin(qmail_start_t)
-corecmd_search_sbin(qmail_start_t)
files_search_var(qmail_start_t)
@@ -298,7 +294,7 @@ optional_policy(`
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
-corecmd_search_sbin(qmail_tcp_env_t)
+corecmd_search_bin(qmail_tcp_env_t)
sysnet_read_config(qmail_tcp_env_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index 80c95df..f537a45 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -84,7 +84,6 @@ auth_domtrans_chk_passwd(radiusd_t)
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
-corecmd_search_sbin(radiusd_t)
domain_use_interactive_fds(radiusd_t)
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index b5c10ba..bd2d695 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -57,16 +57,11 @@ auth_manage_pam_console_data(remote_login_t)
auth_domtrans_pam_console(remote_login_t)
corecmd_list_bin(remote_login_t)
-corecmd_list_sbin(remote_login_t)
corecmd_read_bin_symlinks(remote_login_t)
-corecmd_read_sbin_symlinks(remote_login_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(remote_login_t)
corecmd_read_bin_pipes(remote_login_t)
corecmd_read_bin_sockets(remote_login_t)
-corecmd_read_sbin_files(remote_login_t)
-corecmd_read_sbin_pipes(remote_login_t)
-corecmd_read_sbin_sockets(remote_login_t)
domain_read_all_entry_files(remote_login_t)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index a09c821..6d2fe69 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -42,7 +42,6 @@ kernel_read_kernel_sysctls(rhgb_t)
kernel_read_system_state(rhgb_t)
corecmd_exec_bin(rhgb_t)
-corecmd_exec_sbin(rhgb_t)
corecmd_exec_shell(rhgb_t)
corenet_non_ipsec_sendrecv(rhgb_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index acba016..1645dff 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -119,7 +119,6 @@ files_pid_filetrans(ricci_t,ricci_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(ricci_t)
corecmd_exec_bin(ricci_t)
-corecmd_exec_sbin(ricci_t)
corenet_non_ipsec_sendrecv(ricci_t)
corenet_tcp_sendrecv_all_if(ricci_t)
@@ -170,7 +169,7 @@ optional_policy(`
optional_policy(`
# Needed so oddjob can run halt/reboot on behalf of ricci
- corecmd_sbin_entry_type(ricci_t)
+ corecmd_bin_entry_type(ricci_t)
term_dontaudit_search_ptys(ricci_t)
init_exec(ricci_t)
init_telinit(ricci_t)
@@ -208,7 +207,6 @@ kernel_read_kernel_sysctls(ricci_modcluster_t)
kernel_read_system_state(ricci_modcluster_t)
corecmd_exec_shell(ricci_modcluster_t)
-corecmd_exec_sbin(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
domain_dontaudit_read_all_domains_state(ricci_modcluster_t)
@@ -290,7 +288,6 @@ kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
corecmd_exec_bin(ricci_modclusterd_t)
-corecmd_exec_sbin(ricci_modclusterd_t)
corenet_tcp_sendrecv_all_if(ricci_modclusterd_t)
corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
@@ -346,7 +343,6 @@ kernel_read_kernel_sysctls(ricci_modlog_t)
kernel_read_system_state(ricci_modlog_t)
corecmd_exec_bin(ricci_modlog_t)
-corecmd_exec_sbin(ricci_modlog_t)
domain_dontaudit_read_all_domains_state(ricci_modlog_t)
@@ -408,7 +404,6 @@ allow ricci_modservice_t self:process setsched;
kernel_read_kernel_sysctls(ricci_modservice_t)
kernel_read_system_state(ricci_modservice_t)
-corecmd_exec_sbin(ricci_modservice_t)
corecmd_exec_bin(ricci_modservice_t)
corecmd_exec_shell(ricci_modservice_t)
@@ -457,7 +452,6 @@ create_files_pattern(ricci_modstorage_t,ricci_modstorage_lock_t,ricci_modstorage
files_lock_filetrans(ricci_modstorage_t,ricci_modstorage_lock_t,file)
corecmd_exec_bin(ricci_modstorage_t)
-corecmd_exec_sbin(ricci_modstorage_t)
dev_read_sysfs(ricci_modstorage_t)
dev_read_urand(ricci_modstorage_t)
diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if
index 27bb997..98f7016 100644
--- a/policy/modules/services/rlogin.if
+++ b/policy/modules/services/rlogin.if
@@ -15,6 +15,6 @@ interface(`rlogin_domtrans',`
type rlogind_t, rlogind_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,rlogind_exec_t,rlogind_t)
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 25d59ad..e21f3e7 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -132,7 +132,6 @@ kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
-corecmd_search_sbin(gssd_t)
corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index e814bd3..1dbe9c0 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -46,7 +46,6 @@ selinux_compute_user_contexts(rshd_t)
auth_domtrans_chk_passwd(rshd_t)
corecmd_read_bin_symlinks(rshd_t)
-corecmd_read_sbin_symlinks(rshd_t)
files_list_home(rshd_t)
files_read_etc_files(rshd_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 15fe80b..b2a5004 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -542,7 +542,7 @@ kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
kernel_read_network_state(swat_t)
-corecmd_search_sbin(swat_t)
+corecmd_search_bin(swat_t)
corenet_non_ipsec_sendrecv(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 308423f..f5c3780 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -69,7 +69,6 @@ term_dontaudit_use_console(sendmail_t)
# for piping mail to a command
corecmd_exec_shell(sendmail_t)
-corecmd_search_sbin(sendmail_t)
domain_use_interactive_fds(sendmail_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index ea141e6..b3edf56 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -55,7 +55,6 @@ kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
-corecmd_exec_sbin(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index ae554a8..8234000 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -56,7 +56,6 @@ kernel_read_system_state(snmpd_t)
kernel_read_network_state(snmpd_t)
corecmd_exec_bin(snmpd_t)
-corecmd_exec_sbin(snmpd_t)
corecmd_exec_shell(snmpd_t)
corenet_non_ipsec_sendrecv(snmpd_t)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 304224e..186838f 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -115,11 +115,6 @@ template(`spamassassin_per_role_template',`
corecmd_read_bin_files($1_spamc_t)
corecmd_read_bin_pipes($1_spamc_t)
corecmd_read_bin_sockets($1_spamc_t)
- corecmd_list_sbin($1_spamc_t)
- corecmd_read_sbin_symlinks($1_spamc_t)
- corecmd_read_sbin_files($1_spamc_t)
- corecmd_read_sbin_pipes($1_spamc_t)
- corecmd_read_sbin_sockets($1_spamc_t)
domain_use_interactive_fds($1_spamc_t)
@@ -231,11 +226,6 @@ template(`spamassassin_per_role_template',`
corecmd_read_bin_files($1_spamassassin_t)
corecmd_read_bin_pipes($1_spamassassin_t)
corecmd_read_bin_sockets($1_spamassassin_t)
- corecmd_list_sbin($1_spamassassin_t)
- corecmd_read_sbin_symlinks($1_spamassassin_t)
- corecmd_read_sbin_files($1_spamassassin_t)
- corecmd_read_sbin_pipes($1_spamassassin_t)
- corecmd_read_sbin_sockets($1_spamassassin_t)
domain_use_interactive_fds($1_spamassassin_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index b1a6f39..2a8e3a4 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -106,7 +106,6 @@ fs_search_auto_mountpoints(spamd_t)
auth_dontaudit_read_shadow(spamd_t)
corecmd_exec_bin(spamd_t)
-corecmd_search_sbin(spamd_t)
domain_use_interactive_fds(spamd_t)
diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
index 465bb04..4769c23 100644
--- a/policy/modules/services/squid.if
+++ b/policy/modules/services/squid.if
@@ -15,7 +15,7 @@ interface(`squid_domtrans',`
type squid_t, squid_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,squid_exec_t,squid_t)
')
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 89a9e5c..18ebdd8 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -103,7 +103,6 @@ term_dontaudit_getattr_pty_dirs(squid_t)
# to allow running programs from /usr/lib/squid (IE unlinkd)
corecmd_exec_bin(squid_t)
-corecmd_exec_sbin(squid_t)
corecmd_exec_shell(squid_t)
domain_use_interactive_fds(squid_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 2299734..b22317c 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -124,8 +124,6 @@ template(`ssh_basic_client_template',`
# run helper programs - needed eg for x11-ssh-askpass
corecmd_exec_shell($1_ssh_t)
corecmd_exec_bin($1_ssh_t)
- corecmd_list_sbin($1_ssh_t)
- corecmd_read_sbin_symlinks($1_ssh_t)
domain_use_interactive_fds($1_ssh_t)
diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
index 7f4e907..68f4f8b 100644
--- a/policy/modules/services/sysstat.te
+++ b/policy/modules/services/sysstat.te
@@ -35,7 +35,6 @@ kernel_read_kernel_sysctls(sysstat_t)
kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)
-corecmd_dontaudit_search_sbin(sysstat_t)
corecmd_exec_bin(sysstat_t)
dev_read_urand(sysstat_t)
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index ce7592d..a16ccc5 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -32,7 +32,6 @@ fs_getattr_xattr_fs(tcpd_t)
# Run other daemons in the inetd child domain.
corecmd_search_bin(tcpd_t)
-corecmd_search_sbin(tcpd_t)
files_read_etc_files(tcpd_t)
# no good reason for files_dontaudit_search_var, probably nscd
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index 9f46dc1..766cde6 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -63,7 +63,7 @@ fs_getattr_xattr_fs(telnetd_t)
auth_rw_login_records(telnetd_t)
-corecmd_search_sbin(telnetd_t)
+corecmd_search_bin(telnetd_t)
files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
index 04650f7..a93f147 100644
--- a/policy/modules/services/ucspitcp.te
+++ b/policy/modules/services/ucspitcp.te
@@ -56,7 +56,6 @@ allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
allow ucspitcp_t self:udp_socket create_socket_perms;
corecmd_search_bin(ucspitcp_t)
-corecmd_search_sbin(ucspitcp_t)
# base networking:
corenet_non_ipsec_sendrecv(ucspitcp_t)
diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te
index d75f44b..f88b08b 100644
--- a/policy/modules/services/uptime.te
+++ b/policy/modules/services/uptime.te
@@ -44,7 +44,6 @@ kernel_read_system_state(uptimed_t)
kernel_read_kernel_sysctls(uptimed_t)
corecmd_exec_shell(uptimed_t)
-corecmd_search_sbin(uptimed_t)
dev_read_sysfs(uptimed_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index e84f3e2..415b610 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -82,7 +82,7 @@ dev_read_urand(uucpd_t)
fs_getattr_xattr_fs(uucpd_t)
-corecmd_exec_sbin(uucpd_t)
+corecmd_exec_bin(uucpd_t)
files_read_etc_files(uucpd_t)
files_search_home(uucpd_t)
@@ -120,7 +120,7 @@ allow uux_t self:fifo_file { getattr write };
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
-corecmd_exec_sbin(uux_t)
+corecmd_exec_bin(uux_t)
files_read_etc_files(uux_t)
diff --git a/policy/modules/services/uwimap.if b/policy/modules/services/uwimap.if
index 276996c..3623f97 100644
--- a/policy/modules/services/uwimap.if
+++ b/policy/modules/services/uwimap.if
@@ -15,6 +15,6 @@ interface(`uwimap_domtrans',`
type imapd_t, imapd_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,imapd_exec_t,imapd_t)
')
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 1e0956d..ee6778a 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -39,7 +39,6 @@ kernel_read_system_state(watchdog_t)
kernel_read_kernel_sysctls(watchdog_t)
kernel_unmount_proc(watchdog_t)
-corecmd_search_sbin(watchdog_t)
# for orderly shutdown
corecmd_exec_shell(watchdog_t)
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index af11aae..9de200b 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)
corecmd_list_bin(xfs_t)
-corecmd_list_sbin(xfs_t)
dev_read_sysfs(xfs_t)
dev_read_urand(xfs_t)
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index fc84b65..6421f78 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -31,8 +31,6 @@ kernel_read_system_state(xprint_t)
kernel_read_kernel_sysctls(xprint_t)
corecmd_exec_bin(xprint_t)
-corecmd_exec_sbin(xprint_t)
-corecmd_exec_ls(xprint_t)
corecmd_exec_shell(xprint_t)
corenet_non_ipsec_sendrecv(xprint_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 88d68f3..7101195 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -91,7 +91,6 @@ template(`xserver_common_domain_template',`
kernel_write_proc_files($1_xserver_t)
# Run helper programs in $1_xserver_t.
- corecmd_search_sbin($1_xserver_t)
corecmd_exec_bin($1_xserver_t)
corecmd_exec_shell($1_xserver_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index abc53f8..4c299e2 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -158,7 +158,6 @@ kernel_read_network_state(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-corecmd_exec_sbin(xdm_t)
corenet_non_ipsec_sendrecv(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 46a75e9..351eab6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -324,7 +324,7 @@ interface(`auth_domtrans_chk_passwd',`
allow $1 self:capability audit_control;
send_audit_msgs_pattern($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
dontaudit $1 shadow_t:file { getattr read };
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index a9c8840..0b5fc82 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -253,7 +253,7 @@ optional_policy(`
allow system_chkpwd_t shadow_t:file { getattr read };
-corecmd_search_sbin(system_chkpwd_t)
+corecmd_search_bin(system_chkpwd_t)
domain_dontaudit_use_interactive_fds(system_chkpwd_t)
diff --git a/policy/modules/system/daemontools.te b/policy/modules/system/daemontools.te
index 5c41123..58a78de 100644
--- a/policy/modules/system/daemontools.te
+++ b/policy/modules/system/daemontools.te
@@ -71,9 +71,7 @@ can_exec(svc_run_t svc_run_exec_t)
kernel_read_system_state(svc_run_t)
corecmd_exec_bin(svc_run_t)
-corecmd_exec_sbin(svc_run_t)
corecmd_exec_shell(svc_run_t)
-corecmd_exec_ls(svc_run_t)
files_read_etc_files(svc_run_t)
files_read_etc_runtime_files(svc_run_t)
@@ -107,7 +105,6 @@ allow svc_start_t self:unix_stream_socket create_socket_perms;
can_exec(svc_start_t svc_start_exec_t)
-corecmd_read_sbin_symlinks(svc_start_t)
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 01a5a77..34d07e8 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -15,7 +15,7 @@ interface(`fstools_domtrans',`
type fsadm_t, fsadm_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,fsadm_exec_t,fsadm_t)
')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 4f91934..fd15a4f 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -109,9 +109,7 @@ storage_swapon_fixed_disk(fsadm_t)
term_use_console(fsadm_t)
corecmd_list_bin(fsadm_t)
-corecmd_list_sbin(fsadm_t)
corecmd_read_bin_symlinks(fsadm_t)
-corecmd_read_sbin_symlinks(fsadm_t)
#RedHat bug #201164
corecmd_exec_shell(fsadm_t)
@@ -119,9 +117,6 @@ corecmd_exec_shell(fsadm_t)
corecmd_read_bin_files(fsadm_t)
corecmd_read_bin_pipes(fsadm_t)
corecmd_read_bin_sockets(fsadm_t)
-corecmd_read_sbin_files(fsadm_t)
-corecmd_read_sbin_pipes(fsadm_t)
-corecmd_read_sbin_sockets(fsadm_t)
domain_use_interactive_fds(fsadm_t)
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index a49363d..bd8ead4 100644
--- a/policy/modules/system/getty.if
+++ b/policy/modules/system/getty.if
@@ -15,7 +15,7 @@ interface(`getty_domtrans',`
type getty_t, getty_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,getty_exec_t,getty_t)
')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index e59d0d8..b16d03a 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -80,7 +80,6 @@ term_dontaudit_use_console(getty_t)
auth_rw_login_records(getty_t)
corecmd_search_bin(getty_t)
-corecmd_search_sbin(getty_t)
corecmd_read_bin_symlinks(getty_t)
files_rw_generic_pids(getty_t)
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index 9d1b4a0..3741a18 100644
--- a/policy/modules/system/hotplug.if
+++ b/policy/modules/system/hotplug.if
@@ -18,7 +18,7 @@ interface(`hotplug_domtrans',`
type hotplug_t, hotplug_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,hotplug_exec_t,hotplug_t)
')
@@ -37,7 +37,7 @@ interface(`hotplug_exec',`
type hotplug_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,hotplug_exec_t)
')
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 381f23f..739e496 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -74,8 +74,6 @@ storage_setattr_removable_dev(hotplug_t)
corecmd_exec_bin(hotplug_t)
corecmd_exec_shell(hotplug_t)
-corecmd_exec_sbin(hotplug_t)
-corecmd_exec_ls(hotplug_t)
domain_use_interactive_fds(hotplug_t)
# for ps
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 59a38e4..af854cb 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -283,7 +283,7 @@ interface(`init_exec',`
type init_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,init_exec_t)
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c5ee4d9..d92065f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -104,7 +104,6 @@ kernel_share_state(init_t)
corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
-corecmd_exec_sbin(init_t)
dev_read_sysfs(init_t)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d796b43..2b7ec22 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -228,7 +228,6 @@ term_use_console(ipsec_mgmt_t)
term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
# the default updown script wants to run route
-corecmd_exec_sbin(ipsec_mgmt_t)
# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
corecmd_exec_bin(ipsec_mgmt_t)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 85f258d..4054491 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -15,7 +15,7 @@ interface(`iptables_domtrans',`
type iptables_t, iptables_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,iptables_exec_t,iptables_t)
')
@@ -66,6 +66,6 @@ interface(`iptables_exec',`
type iptables_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,iptables_exec_t)
')
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index ad0bea8..d6236bc 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -15,7 +15,7 @@ interface(`libs_domtrans_ldconfig',`
type ldconfig_t, ldconfig_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,ldconfig_exec_t,ldconfig_t)
')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 690ab11..e73a4c8 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -104,16 +104,11 @@ auth_manage_pam_console_data(local_login_t)
auth_domtrans_pam_console(local_login_t)
corecmd_list_bin(local_login_t)
-corecmd_list_sbin(local_login_t)
corecmd_read_bin_symlinks(local_login_t)
-corecmd_read_sbin_symlinks(local_login_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(local_login_t)
corecmd_read_bin_pipes(local_login_t)
corecmd_read_bin_sockets(local_login_t)
-corecmd_read_sbin_files(local_login_t)
-corecmd_read_sbin_pipes(local_login_t)
-corecmd_read_sbin_sockets(local_login_t)
domain_read_all_entry_files(local_login_t)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 44f6b5a..e7a4d72 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -217,7 +217,7 @@ interface(`logging_domtrans_syslog',`
type syslogd_t, syslogd_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,syslogd_exec_t,syslogd_t)
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0252080..2d0364a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -136,7 +136,6 @@ selinux_search_fs(auditctl_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
-corecmd_exec_sbin(auditd_t)
corecmd_exec_bin(auditd_t)
corecmd_exec_shell(auditd_t)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 515f94d..adfa5ae 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -15,7 +15,7 @@ interface(`lvm_domtrans',`
type lvm_t, lvm_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, lvm_exec_t, lvm_t)
')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 006a284..cf771cf 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -67,9 +67,7 @@ kernel_search_debugfs(clvmd_t)
kernel_dontaudit_getattr_core_if(clvmd_t)
corecmd_exec_shell(clvmd_t)
-corecmd_read_bin_symlinks(clvmd_t)
-corecmd_getattr_sbin_files(clvmd_t)
-corecmd_read_sbin_symlinks(clvmd_t)
+corecmd_getattr_bin_files(clvmd_t)
corenet_non_ipsec_sendrecv(clvmd_t)
corenet_tcp_sendrecv_all_if(clvmd_t)
@@ -257,7 +255,7 @@ storage_manage_fixed_disk(lvm_t)
term_getattr_all_user_ttys(lvm_t)
term_list_ptys(lvm_t)
-corecmd_exec_sbin(lvm_t)
+corecmd_exec_bin(lvm_t)
domain_use_interactive_fds(lvm_t)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 3dea9a1..89f7ed6 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -81,7 +81,7 @@ interface(`modutils_domtrans_insmod_uncond',`
type insmod_t, insmod_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, insmod_exec_t, insmod_t)
')
@@ -154,7 +154,7 @@ interface(`modutils_exec_insmod',`
type insmod_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1, insmod_exec_t)
')
@@ -173,7 +173,7 @@ interface(`modutils_domtrans_depmod',`
type depmod_t, depmod_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, depmod_exec_t, depmod_t)
')
@@ -223,7 +223,7 @@ interface(`modutils_exec_depmod',`
type depmod_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1, depmod_exec_t)
')
@@ -242,7 +242,7 @@ interface(`modutils_domtrans_update_mods',`
type update_modules_t, update_modules_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, update_modules_exec_t, update_modules_t)
')
@@ -292,6 +292,6 @@ interface(`modutils_exec_update_mods',`
type update_modules_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 3236e4f..8bf4cb5 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -83,7 +83,6 @@ dev_mount_usbfs(insmod_t)
fs_getattr_xattr_fs(insmod_t)
corecmd_exec_bin(insmod_t)
-corecmd_exec_sbin(insmod_t)
corecmd_exec_shell(insmod_t)
domain_signal_all_domains(insmod_t)
@@ -186,7 +185,6 @@ fs_getattr_xattr_fs(depmod_t)
term_use_console(depmod_t)
corecmd_search_bin(depmod_t)
-corecmd_search_sbin(depmod_t)
domain_use_interactive_fds(depmod_t)
@@ -264,7 +262,6 @@ files_read_etc_files(update_modules_t)
files_exec_etc_files(update_modules_t)
corecmd_exec_bin(update_modules_t)
-corecmd_exec_sbin(update_modules_t)
corecmd_exec_shell(update_modules_t)
libs_use_ld_so(update_modules_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 16f3014..1d09528 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -70,7 +70,6 @@ fs_read_tmpfs_symlinks(mount_t)
term_use_all_terms(mount_t)
# required for mount.smbfs
-corecmd_exec_sbin(mount_t)
corecmd_exec_bin(mount_t)
domain_use_interactive_fds(mount_t)
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
index 93f472d..7c48ce5 100644
--- a/policy/modules/system/netlabel.if
+++ b/policy/modules/system/netlabel.if
@@ -15,7 +15,7 @@ interface(`netlabel_domtrans_mgmt',`
type netlabel_mgmt_t, netlabel_mgmt_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
')
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index cfe72e8..849f921 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -15,7 +15,7 @@ interface(`raid_domtrans_mdadm',`
type mdadm_t, mdadm_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,mdadm_exec_t,mdadm_t)
')
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 9004d7f..8d60608 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -51,7 +51,6 @@ term_dontaudit_list_ptys(mdadm_t)
# Helper program access
corecmd_exec_bin(mdadm_t)
-corecmd_exec_sbin(mdadm_t)
corecmd_exec_shell(mdadm_t)
domain_use_interactive_fds(mdadm_t)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 72725a1..0dcc740 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -89,7 +89,7 @@ interface(`seutil_domtrans_loadpolicy',`
type load_policy_t, load_policy_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,load_policy_exec_t,load_policy_t)
')
@@ -141,7 +141,7 @@ interface(`seutil_exec_loadpolicy',`
type load_policy_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,load_policy_exec_t)
')
@@ -160,7 +160,7 @@ interface(`seutil_read_loadpolicy',`
type load_policy_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
allow $1 load_policy_exec_t:file read_file_perms;
')
@@ -307,7 +307,7 @@ interface(`seutil_domtrans_restorecon',`
type restorecon_t, restorecon_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,restorecon_exec_t,restorecon_t)
')
@@ -360,7 +360,7 @@ interface(`seutil_exec_restorecon',`
type restorecon_t, restorecon_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,restorecon_exec_t)
')
@@ -380,7 +380,7 @@ interface(`seutil_domtrans_runinit',`
')
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,run_init_exec_t,run_init_t)
')
@@ -525,7 +525,7 @@ interface(`seutil_domtrans_setfiles',`
')
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1,setfiles_exec_t,setfiles_t)
')
@@ -578,7 +578,7 @@ interface(`seutil_exec_setfiles',`
')
files_search_usr($1)
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,setfiles_exec_t)
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 952d2ef..f843dd4 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -572,7 +572,6 @@ kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
corecmd_exec_bin(semanage_t)
-corecmd_exec_sbin(semanage_t)
dev_read_urand(semanage_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 5b36eb1..0c39344 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -34,7 +34,7 @@ allow setrans_t self:unix_dgram_socket create_socket_perms;
allow setrans_t self:netlink_selinux_socket create_socket_perms;
can_exec(setrans_t, setrans_exec_t)
-corecmd_search_sbin(setrans_t)
+corecmd_search_bin(setrans_t)
# create unix domain socket in /var
manage_files_pattern(setrans_t,setrans_var_run_t,setrans_var_run_t)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 3a0ba46..5b9c2cd 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -15,7 +15,7 @@ interface(`sysnet_domtrans_dhcpc',`
type dhcpc_t, dhcpc_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, dhcpc_exec_t, dhcpc_t)
')
@@ -327,7 +327,7 @@ interface(`sysnet_domtrans_ifconfig',`
type ifconfig_t, ifconfig_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
')
@@ -359,7 +359,7 @@ interface(`sysnet_run_ifconfig',`
type ifconfig_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
sysnet_domtrans_ifconfig($1)
role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file rw_term_perms;
@@ -380,7 +380,7 @@ interface(`sysnet_exec_ifconfig',`
type ifconfig_exec_t;
')
- corecmd_search_sbin($1)
+ corecmd_search_bin($1)
can_exec($1,ifconfig_exec_t)
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 81aeafd..d289896 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -113,7 +113,6 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
-corecmd_exec_sbin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
domain_use_interactive_fds(dhcpc_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2361425..46425d7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -34,7 +34,6 @@ template(`userdom_base_user_template',`
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
- corecmd_sbin_entry_type($1_t)
domain_user_exemption_target($1_t)
role $1_r types $1_t;
allow system_r $1_r;
@@ -515,8 +514,6 @@ template(`userdom_exec_generic_pgms_template',`
')
corecmd_exec_bin($1_t)
- corecmd_exec_sbin($1_t)
- corecmd_exec_ls($1_t)
')
#######################################
@@ -3926,14 +3923,8 @@ interface(`userdom_bin_spec_domtrans_unpriv_users',`
## </param>
#
interface(`userdom_sbin_spec_domtrans_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
- corecmd_sbin_spec_domtrans($1,unpriv_userdomain)
- allow unpriv_userdomain $1:fd use;
- allow unpriv_userdomain $1:fifo_file rw_file_perms;
- allow unpriv_userdomain $1:process sigchld;
+ userdom_bin_spec_domtrans_unpriv_users($1)
+ refpolicywarn(`$0() has been deprecated, please use userdom_bin_spec_domtrans_unpriv_users() instead.')
')
########################################
@@ -4008,7 +3999,7 @@ interface(`userdom_bin_spec_domtrans_sysadm',`
########################################
## <summary>
-## Execute a generic sbin program in the sysadm domain.
+## Execute a generic sbin program in the sysadm domain. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -4017,14 +4008,8 @@ interface(`userdom_bin_spec_domtrans_sysadm',`
## </param>
#
interface(`userdom_sbin_spec_domtrans_sysadm',`
- gen_require(`
- type sysadm_t;
- ')
-
- corecmd_sbin_spec_domtrans($1,sysadm_t)
- allow sysadm_t $1:fd use;
- allow sysadm_t $1:fifo_file rw_file_perms;
- allow sysadm_t $1:process sigchld;
+ userdom_bin_spec_domtrans_sysadm($1)
+ refpolicywarn(`$0() has been deprecated, please use userdom_bin_spec_domtrans_sysadm() instead.')
')
########################################
@@ -4054,12 +4039,12 @@ interface(`userdom_entry_spec_domtrans_sysadm',`
## <summary>
## Allow sysadm to execute a generic bin program in
## a specified domain. This is an explicit transition,
-## requiring the caller to use setexeccon().
+## requiring the caller to use setexeccon(). (Deprecated)
## </summary>
## <desc>
## <p>
## Allow sysadm to execute a generic bin program in
-## a specified domain.
+## a specified domain. (Deprecated)
## </p>
## <p>
## This is a interface to support third party modules
@@ -4088,12 +4073,12 @@ interface(`userdom_sysadm_bin_spec_domtrans_to',`
## <summary>
## Allow sysadm to execute a generic sbin program in
## a specified domain. This is an explicit transition,
-## requiring the caller to use setexeccon().
+## requiring the caller to use setexeccon(). (Deprecated)
## </summary>
## <desc>
## <p>
## Allow sysadm to execute a generic sbin program in
-## a specified domain.
+## a specified domain. (Deprecated)
## </p>
## <p>
## This is a interface to support third party modules
@@ -4108,14 +4093,8 @@ interface(`userdom_sysadm_bin_spec_domtrans_to',`
## </param>
#
interface(`userdom_sysadm_sbin_spec_domtrans_to',`
- gen_require(`
- type sysadm_t;
- ')
-
- corecmd_sbin_spec_domtrans(sysadm_t, $1)
- allow $1 sysadm_t:fd use;
- allow $1 sysadm_t:fifo_file rw_file_perms;
- allow $1 sysadm_t:process sigchld;
+ userdom_sysadm_bin_spec_domtrans_to($1)
+ refpolicywarn(`$0() has been deprecated, please use userdom_sysadm_bin_spec_domtrans_to() instead.')
')
########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 1e5a0b4..d3fa84e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.1.1)
+policy_module(userdomain,2.1.2)
gen_require(`
role sysadm_r, staff_r, user_r;
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index bbc7bda..c0e0ee0 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -129,7 +129,6 @@ kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)
-corecmd_exec_sbin(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@@ -325,7 +324,6 @@ kernel_read_xen_state(xm_t)
kernel_write_xen_state(xm_t)
corecmd_exec_bin(xm_t)
-corecmd_exec_sbin(xm_t)
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
More information about the scm-commits
mailing list