corecommands: fix corecmd_*_bin() for usr merged systems

2017-03-01 13:02:11 +01:00 · 2017-03-01 13:02:11 +01:00 · cef1f7bb29
parent cdbca94133
commit cef1f7bb29
1 changed files with 26 additions and 14 deletions
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@ -110,6 +110,7 @@ interface(`corecmd_shell_entry_type',`
 ########################################
 ## <summary>
 ##	Search the contents of bin directories.
+##	Also allow to read a possible /bin->/usr/bin symlink.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -122,7 +123,8 @@ interface(`corecmd_search_bin',`
 		type bin_t;
 	')

-	search_dirs_pattern($1, bin_t, bin_t)
+	read_lnk_files_pattern($1, bin_t, bin_t)
+	files_search_usr($1)
 ')

 ########################################
@ -158,6 +160,7 @@ interface(`corecmd_list_bin',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	list_dirs_pattern($1, bin_t, bin_t)
 ')

@ -194,6 +197,7 @@ interface(`corecmd_getattr_bin_files',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	getattr_files_pattern($1, bin_t, bin_t)
 ')

@ -250,6 +254,7 @@ interface(`corecmd_read_bin_files',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	read_files_pattern($1, bin_t, bin_t)
 ')

@ -282,11 +287,13 @@ interface(`corecmd_dontaudit_write_bin_files',`
 ## </param>
 #
 interface(`corecmd_read_bin_symlinks',`
+	refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
+
 	gen_require(`
 		type bin_t;
 	')

-	read_lnk_files_pattern($1, bin_t, bin_t)
+	corecmd_search_bin($1)
 ')

 ########################################
@ -304,6 +311,7 @@ interface(`corecmd_read_bin_pipes',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	read_fifo_files_pattern($1, bin_t, bin_t)
 ')

@ -322,6 +330,7 @@ interface(`corecmd_read_bin_sockets',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	read_sock_files_pattern($1, bin_t, bin_t)
 ')

@ -361,8 +370,7 @@ interface(`corecmd_exec_bin',`
 		type bin_t;
 	')

-	read_lnk_files_pattern($1, bin_t, bin_t)
-	list_dirs_pattern($1, bin_t, bin_t)
+	corecmd_list_bin($1)
 	can_exec($1, bin_t)
 ')

@ -381,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	manage_files_pattern($1, bin_t, bin_t)
 ')

@ -399,6 +408,7 @@ interface(`corecmd_relabel_bin_files',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	relabel_files_pattern($1, bin_t, bin_t)
 ')

@ -417,6 +427,7 @@ interface(`corecmd_mmap_bin_files',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	mmap_files_pattern($1, bin_t, bin_t)
 ')

@ -461,7 +472,7 @@ interface(`corecmd_bin_spec_domtrans',`
 		type bin_t;
 	')

-	read_lnk_files_pattern($1, bin_t, bin_t)
+	corecmd_search_bin($1)
 	domain_transition_pattern($1, bin_t, $2)
 ')

@ -820,8 +831,7 @@ interface(`corecmd_check_exec_shell',`
 		type bin_t, shell_exec_t;
 	')

-	list_dirs_pattern($1, bin_t, bin_t)
-	read_lnk_files_pattern($1, bin_t, bin_t)
+	corecmd_list_bin($1)
 	allow $1 shell_exec_t:file execute;
 ')

@ -858,8 +868,7 @@ interface(`corecmd_exec_shell',`
 		type bin_t, shell_exec_t;
 	')

-	list_dirs_pattern($1, bin_t, bin_t)
-	read_lnk_files_pattern($1, bin_t, bin_t)
+	corecmd_list_bin($1)
 	can_exec($1, shell_exec_t)
 ')

@ -912,8 +921,7 @@ interface(`corecmd_shell_spec_domtrans',`
 		type bin_t, shell_exec_t;
 	')

-	list_dirs_pattern($1, bin_t, bin_t)
-	read_lnk_files_pattern($1, bin_t, bin_t)
+	corecmd_list_bin($1)
 	domain_transition_pattern($1, shell_exec_t, $2)
 ')

@ -966,7 +974,7 @@ interface(`corecmd_exec_chroot',`
 		type chroot_exec_t;
 	')

-	read_lnk_files_pattern($1, bin_t, bin_t)
+	corecmd_search_bin($1)
 	can_exec($1, chroot_exec_t)
 	allow $1 self:capability sys_chroot;
 ')
@ -988,7 +996,7 @@ interface(`corecmd_getattr_all_executables',`
 		type bin_t;
 	')

-	allow $1 bin_t:dir list_dir_perms;
+	corecmd_list_bin($1)
 	getattr_files_pattern($1, bin_t, exec_type)
 ')

@ -1008,6 +1016,7 @@ interface(`corecmd_read_all_executables',`
 		attribute exec_type;
 	')

+	corecmd_search_bin($1)
 	read_files_pattern($1, exec_type, exec_type)
 ')

@ -1028,8 +1037,8 @@ interface(`corecmd_exec_all_executables',`
 		type bin_t;
 	')

+	corecmd_list_bin($1)
 	can_exec($1, exec_type)
-	list_dirs_pattern($1, bin_t, bin_t)
 	read_lnk_files_pattern($1, bin_t, exec_type)
 ')

@ -1068,6 +1077,7 @@ interface(`corecmd_manage_all_executables',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	manage_files_pattern($1, bin_t, exec_type)
 	manage_lnk_files_pattern($1, bin_t, bin_t)
 ')
@ -1089,6 +1099,7 @@ interface(`corecmd_relabel_all_executables',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	relabel_files_pattern($1, bin_t, exec_type)
 ')

@ -1108,5 +1119,6 @@ interface(`corecmd_mmap_all_executables',`
 		type bin_t;
 	')

+	corecmd_search_bin($1)
 	mmap_files_pattern($1, bin_t, exec_type)
 ')