From cef1f7bb2906b6660e9ca41c74cd240516ae73ec Mon Sep 17 00:00:00 2001
From: cgzones
Date: Wed, 1 Mar 2017 13:02:11 +0100
Subject: [PATCH] corecommands: fix corecmd_*_bin() for usr merged systems

---
 policy/modules/kernel/corecommands.if | 40 +++++++++++++++++----------
 1 file changed, 26 insertions(+), 14 deletions(-)

diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 24e7c4fd4..b21c0498d 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -110,6 +110,7 @@ interface(`corecmd_shell_entry_type',`
 ########################################
 ##
 ## Search the contents of bin directories.
+## Also allow to read a possible /bin->/usr/bin symlink.
 ##
 ##
 ##
@@ -122,7 +123,8 @@ interface(`corecmd_search_bin',`
 type bin_t;
 ')

- search_dirs_pattern($1, bin_t, bin_t)
+ read_lnk_files_pattern($1, bin_t, bin_t)
+ files_search_usr($1)
 ')

 ########################################
@@ -158,6 +160,7 @@ interface(`corecmd_list_bin',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 list_dirs_pattern($1, bin_t, bin_t)
 ')

@@ -194,6 +197,7 @@ interface(`corecmd_getattr_bin_files',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 getattr_files_pattern($1, bin_t, bin_t)
 ')

@@ -250,6 +254,7 @@ interface(`corecmd_read_bin_files',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 read_files_pattern($1, bin_t, bin_t)
 ')

@@ -282,11 +287,13 @@ interface(`corecmd_dontaudit_write_bin_files',`
 ##
 #
 interface(`corecmd_read_bin_symlinks',`
+ refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
+
 gen_require(`
 type bin_t;
 ')

- read_lnk_files_pattern($1, bin_t, bin_t)
+ corecmd_search_bin($1)
 ')

 ########################################
@@ -304,6 +311,7 @@ interface(`corecmd_read_bin_pipes',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 read_fifo_files_pattern($1, bin_t, bin_t)
 ')

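Review bot: In `corecmd_search_bin` the new `files_search_usr($1)` gives every caller search access to /usr as well, but the summary line added for this interface mentions only the symlink; I would extend the comment with a line such as `## Also allow to search /usr, as needed to follow that symlink.` Because the later hunks make `corecmd_list_bin`, `corecmd_exec_bin`, the shell interfaces and the manage/relabel/mmap interfaces call `corecmd_search_bin`, the extra grant now reaches every domain that uses any of them. Comparing the compiled policy before and after the change (for example with sediff) would confirm that the only new rules are the /usr search and the bin_t symlink read. The opening of the interface, including its `gen_require(` line, lies outside the hunk.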
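Review bot: `corecmd_read_bin_symlinks` keeps its `gen_require` block for `bin_t` although the new body only calls `corecmd_search_bin($1)` and no longer names the type itself; the block can be dropped so the deprecated wrapper is just the `refpolicywarn` line and the call. The same leftover appears in `corecmd_check_exec_shell`, `corecmd_exec_shell` and `corecmd_shell_spec_domtrans`, whose bodies after this change reference only `shell_exec_t`, so their require line could become `type shell_exec_t;`. Callers still on the deprecated name also pick up the /usr search access through `corecmd_search_bin`, which the warning text does not mention.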
@@ -322,6 +330,7 @@ interface(`corecmd_read_bin_sockets',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 read_sock_files_pattern($1, bin_t, bin_t)
 ')

@@ -361,8 +370,7 @@ interface(`corecmd_exec_bin',`
 type bin_t;
 ')

- read_lnk_files_pattern($1, bin_t, bin_t)
- list_dirs_pattern($1, bin_t, bin_t)
+ corecmd_list_bin($1)
 can_exec($1, bin_t)
 ')

@@ -381,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 manage_files_pattern($1, bin_t, bin_t)
 ')

@@ -399,6 +408,7 @@ interface(`corecmd_relabel_bin_files',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 relabel_files_pattern($1, bin_t, bin_t)
 ')

@@ -417,6 +427,7 @@ interface(`corecmd_mmap_bin_files',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 mmap_files_pattern($1, bin_t, bin_t)
 ')

@@ -461,7 +472,7 @@ interface(`corecmd_bin_spec_domtrans',`
 type bin_t;
 ')

- read_lnk_files_pattern($1, bin_t, bin_t)
+ corecmd_search_bin($1)
 domain_transition_pattern($1, bin_t, $2)
 ')

@@ -820,8 +831,7 @@ interface(`corecmd_check_exec_shell',`
 type bin_t, shell_exec_t;
 ')

- list_dirs_pattern($1, bin_t, bin_t)
- read_lnk_files_pattern($1, bin_t, bin_t)
+ corecmd_list_bin($1)
 allow $1 shell_exec_t:file execute;
 ')

@@ -858,8 +868,7 @@ interface(`corecmd_exec_shell',`
 type bin_t, shell_exec_t;
 ')

- list_dirs_pattern($1, bin_t, bin_t)
- read_lnk_files_pattern($1, bin_t, bin_t)
+ corecmd_list_bin($1)
 can_exec($1, shell_exec_t)
 ')

@@ -912,8 +921,7 @@ interface(`corecmd_shell_spec_domtrans',`
 type bin_t, shell_exec_t;
 ')

- list_dirs_pattern($1, bin_t, bin_t)
- read_lnk_files_pattern($1, bin_t, bin_t)
+ corecmd_list_bin($1)
 domain_transition_pattern($1, shell_exec_t, $2)
 ')

@@ -966,7 +974,7 @@ interface(`corecmd_exec_chroot',`
 type chroot_exec_t;
 ')

- read_lnk_files_pattern($1, bin_t, bin_t)
+ corecmd_search_bin($1)
 can_exec($1, chroot_exec_t)
 allow $1 self:capability sys_chroot;
 ')
@@ -988,7 +996,7 @@ interface(`corecmd_getattr_all_executables',`
 type bin_t;
 ')

- allow $1 bin_t:dir list_dir_perms;
+ corecmd_list_bin($1)
 getattr_files_pattern($1, bin_t, exec_type)
 ')

@@ -1008,6 +1016,7 @@ interface(`corecmd_read_all_executables',`
 attribute exec_type;
 ')

+ corecmd_search_bin($1)
 read_files_pattern($1, exec_type, exec_type)
 ')

@@ -1028,8 +1037,8 @@ interface(`corecmd_exec_all_executables',`
 type bin_t;
 ')

+ corecmd_list_bin($1)
 can_exec($1, exec_type)
- list_dirs_pattern($1, bin_t, bin_t)
 read_lnk_files_pattern($1, bin_t, exec_type)
 ')

@@ -1068,6 +1077,7 @@ interface(`corecmd_manage_all_executables',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 manage_files_pattern($1, bin_t, exec_type)
 manage_lnk_files_pattern($1, bin_t, bin_t)
 ')
@@ -1089,6 +1099,7 @@ interface(`corecmd_relabel_all_executables',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 relabel_files_pattern($1, bin_t, exec_type)
 ')

@@ -1108,5 +1119,6 @@ interface(`corecmd_mmap_all_executables',`
 type bin_t;
 ')

+ corecmd_search_bin($1)
 mmap_files_pattern($1, bin_t, exec_type)
 ')
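Review bot: In `corecmd_read_all_executables` the unchanged `read_files_pattern($1, exec_type, exec_type)` passes `exec_type` as the directory type, whereas the sibling interfaces on this page (`corecmd_getattr_all_executables`, `corecmd_relabel_all_executables`, `corecmd_mmap_all_executables`) pass `bin_t` in that position. If that is an oversight rather than intent, this commit is a natural place to align it: `read_files_pattern($1, bin_t, exec_type)` with `type bin_t;` added to the `gen_require` block. Presumably that would keep the directory search limited to bin directories instead of every type carrying the `exec_type` attribute; confirm against the pattern definition. The `gen_require(` opening line is outside the hunk.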