From 3000a315524e143576324a8e084c55f8f975d693 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 23 May 2005 15:48:45 +0000
Subject: [PATCH] make transition on shell work

---
 .../policy/modules/system/corecommands.if | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index c9355bd69..78f7d30b5 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -1,4 +1,9 @@
 # Copyright (C) 2005 Tresys Technology, LLC
+##
+##
+## Core policy for shells, and generic programs
+## in /bin, /sbin, /usr/bin, and /usr/sbin.
+##
 
 #######################################
 #
@@ -124,14 +129,27 @@ class file { getattr read execute execute_no_trans };
 ')
 
 ########################################
-#
-# corecommands_shell_transition(domain)
+##
+##
+## Execute a shell in the target domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The type of the shell process.
+##
+##
+##
 #
 define(`corecommands_shell_transition',`
 requires_block_template(`$0'_depend)
 allow $1 bin_t:dir { getattr search read };
 allow $1 bin_t:lnk_file { getattr read };
 allow $1 shell_exec_t:file { getattr read execute };
+allow $1 $2:process transition;
+type_transition $1 shell_exec_t:file $2;
+dontaudit $1 $2:process { noatsecure siginh rlimitinh };
 ')
 
 define(`corecommands_shell_transition_depend',`
@@ -157,3 +175,5 @@ type chroot_exec_t;
 class file { getattr read execute execute_no_trans };
 class capability sys_chroot;
 ')
+
+##
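Review bot: The three rules added to `corecommands_shell_transition` give `$1` execute on `shell_exec_t` and `transition` to `$2`, but nothing in this hunk grants `$2` `entrypoint` on `shell_exec_t`, which the kernel also requires before it will honour the `type_transition` on the next line; unless callers obtain that permission from a separate entry-type interface, the transition will be denied at exec time. If it is meant to come from this interface, add `allow $2 shell_exec_t:file entrypoint;` after the `type_transition` line, otherwise state in the summary that the caller must make `shell_exec_t` an entrypoint of `$2`. Because the macro now uses `$2:process` and the `noatsecure siginh rlimitinh` permissions, `corecommands_shell_transition_depend` (whose body starts on the last line of this hunk and continues outside it) should declare `class process { transition noatsecure siginh rlimitinh }` so the `requires_block_template` dependency stays accurate; I cannot see whether that was done. Keeping `execute_no_trans` out of the `shell_exec_t:file` rule is the right call, as it forces shells run by `$1` through the transition rather than letting them run in `$1`'s own domain, and a one-line comment saying so, e.g. `# no execute_no_trans: shells must transition to $2`, would stop a later edit from "fixing" it.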