From c753c066d107146ce5aa599866bc949d077d396b Mon Sep 17 00:00:00 2001
From: cgzones
Date: Mon, 20 Feb 2017 14:20:00 +0100
Subject: [PATCH] add corecmd_check_exec_bin_files() useful for monit
---
 policy/modules/kernel/corecommands.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 426122604..24e7c4fd4 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -216,6 +216,25 @@ interface(`corecmd_dontaudit_getattr_bin_files',`
 dontaudit $1 bin_t:file getattr_file_perms;
 ')
 
+########################################
+##
+## Check if files in bin directories are executable (DAC-wise)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corecmd_check_exec_bin_files',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir search_dir_perms;
+ allow $1 bin_t:file { execute getattr };
+')
+
 ########################################
 ##
 ## Read files in bin directories.
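Review bot: The permission set `{ execute getattr }` on bin_t files is deliberately narrower than an exec interface, but the summary line does not say what a caller can and cannot do with it; `execute` on the file class is what access(2)/faccessat(2) with X_OK checks, and without `read`/`open` or `execute_no_trans` the domain still cannot run or map those files. State that in the summary so a later maintainer does not "fix" it into corecmd_exec_bin(), e.g. `## Check (via access(2) X_OK) whether files in bin directories are executable; does not allow executing them.` If bin directories are reached through bin_t symlinks (for instance a /bin link on a merged-/usr layout), the caller would also need `allow $1 bin_t:lnk_file read_lnk_file_perms;`, which I believe the sibling corecmd_search_bin() grants — worth confirming against that interface, which is outside this hunk. The empty `##` lines in the new doc header look like stripped XML tags (summary/param) in this rendering; verify the actual patch carries them, since the refpolicy doc generator depends on them.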