Layer: kernel

Module: corecommands

Description:

Core policy for shells, and generic programs in /bin, /sbin, /usr/bin, and /usr/sbin.

This module is required to be included in all policies.


Interfaces:

corecmd_bin_alias( domain )
Summary

Create an aliased type to generic bin files. (Deprecated)

Description

Create an aliased type to generic bin files. (Deprecated)

This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.

Parameters
Parameter:Description:
domain

Alias type for bin_t.

corecmd_bin_domtrans( domain , target_domain )
Summary

Execute a file in a bin directory in the specified domain.

Description

Execute a file in a bin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

This interface was added to handle the ssh-agent policy.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the new process.

corecmd_bin_entry_type( domain )
Summary

Make general programs in bin an entrypoint for the specified domain.

Parameters
Parameter:Description:
domain

The domain for which bin_t is an entrypoint.

corecmd_bin_spec_domtrans( domain , target_domain )
Summary

Execute a file in a bin directory in the specified domain but do not do it automatically. This is an explicit transition, requiring the caller to use setexeccon().

Description

Execute a file in a bin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

This interface was added to handle the userhelper policy.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the new process.

corecmd_check_exec_shell( domain )
Summary

Check if a shell is executable (DAC-wise).

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_dontaudit_exec_all_executables( domain )
Summary

Do not audit attempts to execute all executables.

Parameters
Parameter:Description:
domain

Domain to not audit.

corecmd_dontaudit_getattr_bin_files( domain )
Summary

Do not audit attempts to get the attributes of files in bin directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

corecmd_dontaudit_getattr_sbin_files( domain )
Summary

Do not audit attempts to get the attributes of sbin files. (Deprecated)

Parameters
Parameter:Description:
domain

Domain to not audit.

corecmd_dontaudit_search_bin( domain )
Summary

Do not audit attempts to search the contents of bin directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

corecmd_dontaudit_search_sbin( domain )
Summary

Do not audit attempts to search sbin directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain to not audit.

corecmd_dontaudit_write_bin_dirs( domain )
Summary

Do not audit attempts to write bin directories.

Parameters
Parameter:Description:
domain

Domain to not audit.

corecmd_dontaudit_write_bin_files( domain )
Summary

Do not audit attempts to write bin files.

Parameters
Parameter:Description:
domain

Domain to not audit.

corecmd_dontaudit_write_sbin_dirs( domain )
Summary

Do not audit attempts to write sbin directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain to not audit.

corecmd_exec_all_executables( domain )
Summary

Execute all executable files.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_exec_bin( domain )
Summary

Execute generic programs in bin directories, in the caller domain.

Description

Allow the specified domain to execute generic programs in system bin directories (/bin, /sbin, /usr/bin, /usr/sbin) without a domain transition.

Typically, this interface should be used when the domain executes general system programs within the privileges of the source domain. Some examples of these programs are ls, cp, sed, python, and tar. This does not include shells, such as bash.

Related interface:

  • corecmd_exec_shell()

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_exec_chroot( domain )
Summary

Execute chroot in the caller domain.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_exec_ls( domain )
Summary

Execute ls in the caller domain. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_exec_sbin( domain )
Summary

Execute generic programs in sbin directories, in the caller domain. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_exec_shell( domain )
Summary

Execute shells in the caller domain.

Description

Allow the specified domain to execute shells without a domain transition.

Typically, this interface should be used when the domain executes shells within the privileges of the source domain. Some examples of these programs are bash, tcsh, and zsh.

Related interface:

  • corecmd_exec_bin()

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_executable_file( type )
Summary

Make the specified type usable for files that are executables, such as binary programs. This does not include shared libraries.

Parameters
Parameter:Description:
type

Type to be used for files.

corecmd_getattr_all_executables( domain )
Summary

Get the attributes of all executable files.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_getattr_bin_files( domain )
Summary

Get the attributes of files in bin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_getattr_sbin_files( domain )
Summary

Get the attributes of sbin files. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_list_bin( domain )
Summary

List the contents of bin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_list_sbin( domain )
Summary

List the contents of sbin directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_manage_all_executables( domain )
Summary

Create, read, write, and delete all executable files.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_manage_bin_files( domain )
Summary

Create, read, write, and delete bin files.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_manage_sbin_files( domain )
Summary

Create, read, write, and delete sbin files. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_mmap_all_executables( domain )
Summary

Mmap all executables as executable.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_mmap_bin_files( domain )
Summary

Mmap a bin file as executable.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_mmap_sbin_files( domain )
Summary

Mmap a sbin file as executable. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_all_executables( domain )
Summary

Read all executable files.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_bin_files( domain )
Summary

Read files in bin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_bin_pipes( domain )
Summary

Read pipes in bin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_bin_sockets( domain )
Summary

Read named sockets in bin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_bin_symlinks( domain )
Summary

Read symbolic links in bin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_sbin_files( domain )
Summary

Read files in sbin directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_sbin_pipes( domain )
Summary

Read named pipes in sbin directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_sbin_sockets( domain )
Summary

Read named sockets in sbin directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_read_sbin_symlinks( domain )
Summary

Read symbolic links in sbin directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_relabel_all_executables( domain )
Summary

Relabel to and from the bin type.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_relabel_bin_files( domain )
Summary

Relabel to and from the bin type.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_relabel_sbin_files( domain )
Summary

Relabel to and from the sbin type. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_sbin_domtrans( domain , target_domain )
Summary

Execute a file in a sbin directory in the specified domain. (Deprecated)

Description

Execute a file in a sbin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested. (Deprecated)

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

This interface was added to handle the ssh-agent policy.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the new process.

corecmd_sbin_entry_type( domain )
Summary

Make general programs in sbin an entrypoint for the specified domain. (Deprecated)

Parameters
Parameter:Description:
domain

The domain for which sbin programs are an entrypoint.

corecmd_sbin_spec_domtrans( domain , target_domain )
Summary

Execute a file in a sbin directory in the specified domain but do not do it automatically. This is an explicit transition, requiring the caller to use setexeccon(). (Deprecated)

Description

Execute a file in a sbin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested. (Deprecated)

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

This interface was added to handle the userhelper policy.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the new process.

corecmd_search_bin( domain )
Summary

Search the contents of bin directories.

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_search_sbin( domain )
Summary

Search the contents of sbin directories. (Deprecated)

Parameters
Parameter:Description:
domain

Domain allowed access.

corecmd_shell_domtrans( domain , target_domain )
Summary

Execute a shell in the specified domain.

Description

Execute a shell in the specified domain.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the shell process.

corecmd_shell_entry_type( domain )
Summary

Make the shell an entrypoint for the specified domain.

Parameters
Parameter:Description:
domain

The domain for which the shell is an entrypoint.

corecmd_shell_spec_domtrans( domain , target_domain )
Summary

Execute a shell in the target domain. This is an explicit transition, requiring the caller to use setexeccon().

Description

Execute a shell in the target domain. This is an explicit transition, requiring the caller to use setexeccon().

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters
Parameter:Description:
domain

Domain allowed to transition.

target_domain

The type of the shell process.
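
Added example (not part of the reference policy itself): a policy module fragment showing how corecmd_exec_bin(), corecmd_exec_shell(), corecmd_shell_entry_type() and corecmd_shell_domtrans() fit together, including the interprocess communication rules that the domtrans interfaces leave to the caller. The module name and the types myapp_t, myapp_exec_t and myapp_script_t are hypothetical.

```selinux
policy_module(myapp, 1.0.0)

# Hypothetical daemon domain and its entrypoint executable type.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Case 1: helpers run with the daemon's own privileges.
# Generic programs (cp, tar, sed, ...) stay in myapp_t; no transition.
corecmd_exec_bin(myapp_t)

# Shells are not covered by corecmd_exec_bin(), so a daemon that
# runs a shell in its own domain needs this as well.
corecmd_exec_shell(myapp_t)

# Case 2: run the shell in a separate, narrower domain instead.
# Use this in place of corecmd_exec_shell(myapp_t) when scripts
# should not inherit the daemon's access.
type myapp_script_t;
domain_type(myapp_script_t)
role system_r types myapp_script_t;

# The shell is a valid entrypoint into myapp_script_t ...
corecmd_shell_entry_type(myapp_script_t)

# ... and myapp_t transitions to it automatically when it executes a shell.
corecmd_shell_domtrans(myapp_t, myapp_script_t)

# The domtrans interfaces grant no interprocess communication, so the
# rules the two domains need are written out by the module that owns them.
allow myapp_script_t myapp_t:fd use;                           # inherited descriptors
allow myapp_script_t myapp_t:fifo_file { read write getattr }; # pipes to the parent
allow myapp_script_t myapp_t:process sigchld;                  # exit notification
```

The two cases are alternatives for a given caller: when the automatic transition from case 2 is in place, shells executed by myapp_t run in myapp_script_t rather than in the caller's domain.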
