Core policy for shells, and generic programs in /bin, /sbin, /usr/bin, and /usr/sbin.
This module is required to be included in all policies.
Create an aliased type to generic bin files. (Deprecated)
This is added to support targeted policy. Its use should be limited. It has no effect on the strict policy.
Parameter: | Description: |
---|---|
domain | Alias type for bin_t. |
Execute a file in a bin directory in the specified domain.
Execute a file in a bin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the ssh-agent policy.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the new process. |
Make general programs in bin an entrypoint for the specified domain.
Parameter: | Description: |
---|---|
domain | The domain for which bin_t is an entrypoint. |
Create objects in the /bin directory
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
file_type | The type of the object to be created |
object_class | The object class. |
name | The name of the object being created. |
Execute a file in a bin directory in the specified domain but do not do it automatically. This is an explicit transition, requiring the caller to use setexeccon().
Execute a file in a bin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the userhelper policy.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the new process. |
Check if a shell is executable (DAC-wise).
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Do not audit attempts to access check executable files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to access check bin files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to execute all executables.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Get the attributes of files in bin directories.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to get the attributes of sbin files. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search the contents of bin directories.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to search sbin directories. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write bin directories.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write bin files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Do not audit attempts to write sbin directories. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Read all executable files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute all executable files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute generic programs in bin directories, in the caller domain.
Allow the specified domain to execute generic programs in system bin directories (/bin, /sbin, /usr/bin, /usr/sbin) without a domain transition.
Typically, this interface should be used when the domain executes general system programs within the privileges of the source domain. Some examples of these programs are ls, cp, sed, python, and tar. This does not include shells, such as bash.
Related interface:
corecmd_exec_shell()
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute chroot in the caller domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute ls in the caller domain. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute generic programs in sbin directories, in the caller domain. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute shells in the caller domain.
Allow the specified domain to execute shells without a domain transition.
Typically, this interface should be used when the domain executes shells within the privileges of the source domain. Some examples of these programs are bash, tcsh, and zsh.
Related interface:
corecmd_exec_bin()
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Make the specified type usable for files that are executables, such as binary programs. This does not include shared libraries.
Parameter: | Description: |
---|---|
type | Type to be used for files. |
Get the attributes of all executable files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of files in bin directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get the attributes of sbin files. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
List the contents of bin directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
List the contents of sbin directories. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete all executable files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete bin files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete sbin files. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mmap all executables as executable.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mmap a bin file as executable.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mmap a sbin file as executable. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read all executable files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read files in bin directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read pipes in bin directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read named sockets in bin directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read symbolic links in bin directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read files in sbin directories. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read named pipes in sbin directories. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read named sockets in sbin directories. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read symbolic links in sbin directories. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel to and from the bin type.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel to and from the bin type.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel to and from the sbin type. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute a file in a sbin directory in the specified domain. (Deprecated)
Execute a file in a sbin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested. (Deprecated)
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the ssh-agent policy.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the new process. |
Make general programs in sbin an entrypoint for the specified domain. (Deprecated)
Parameter: | Description: |
---|---|
domain | The domain for which sbin programs are an entrypoint. |
Execute a file in a sbin directory in the specified domain but do not do it automatically. This is an explicit transition, requiring the caller to use setexeccon(). (Deprecated)
Execute a file in a sbin directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain. This is not suggested. (Deprecated)
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
This interface was added to handle the userhelper policy.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the new process. |
Search the contents of bin directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Search the contents of sbin directories. (Deprecated)
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute a shell in the specified domain.
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the shell process. |
Make the shell an entrypoint for the specified domain.
Parameter: | Description: |
---|---|
domain | The domain for which the shell is an entrypoint. |
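
How the caller-domain interfaces (corecmd_exec_bin(), corecmd_exec_shell()) and the shell transition and entrypoint interfaces above fit together in a module, as an added example that is not taken from the reference policy. The types mydaemon_t, mydaemon_exec_t and myhelper_t are hypothetical; corecmd_shell_domtrans() and corecmd_shell_entry_type() are assumed to be the names of the two shell entries just above, since this page does not show interface names.

```selinux
# Added example: hypothetical daemon that runs helper programs and a shell.
policy_module(mydaemon, 1.0.0)

# Hypothetical daemon domain and its entrypoint file type.
type mydaemon_t;
type mydaemon_exec_t;
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Hypothetical confined domain for shells started by the daemon.
type myhelper_t;
domain_type(myhelper_t)
role system_r types myhelper_t;

# 1. Generic programs (ls, cp, tar, ...) run in the caller domain:
#    no transition, so they act with mydaemon_t's own privileges.
corecmd_exec_bin(mydaemon_t)

# 2. Deliberately not granted: corecmd_exec_shell(mydaemon_t).
#    That interface would run bash/tcsh/zsh inside mydaemon_t, so every
#    shell the daemon starts would hold all of mydaemon_t's access.

# 3. Instead, a shell started by mydaemon_t transitions to myhelper_t.
#    The entrypoint is a separate interface and must be granted as well,
#    otherwise the transition is denied.
corecmd_shell_domtrans(mydaemon_t, myhelper_t)
corecmd_shell_entry_type(myhelper_t)

# 4. The transition interface provides no interprocess communication,
#    because corecommands owns neither domain. Grant only what this pair
#    needs: inherited descriptors, the pipe carrying output, and SIGCHLD.
allow myhelper_t mydaemon_t:fd use;
allow myhelper_t mydaemon_t:fifo_file { getattr read write ioctl };
allow myhelper_t mydaemon_t:process sigchld;

# 5. What the confined shell itself may run.
corecmd_exec_bin(myhelper_t)
```

Swapping step 3 for the explicit variant described next would remove the automatic transition and require the daemon to call setexeccon() before exec.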
Execute a shell in the target domain. This is an explicit transition, requiring the caller to use setexeccon().
No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the shell process. |
corecmd stub bin_t interface. No access allowed.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |