From 2a1802c29f4629f06ebd2c8bf1491f98565bf5b1 Mon Sep 17 00:00:00 2001
From: "GONG, Ruiqi" <gongruiqi1@huawei.com>
Date: Mon, 20 Mar 2023 20:42:49 +0800
Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries
without a transition"
This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688.
---
policy/modules/kernel/kernel.te | 17 +++--------------
1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7dce828..0c1d125 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -356,25 +356,14 @@ selinux_compute_create_context(kernel_t)
term_use_all_terms(kernel_t)
term_use_ptmx(kernel_t)
+corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules,
-# thus allow a transition into a minimal helper domain through generic bin
-# types.
-type kernel_generic_helper_t;
-domain_type(kernel_generic_helper_t)
-role system_r types kernel_generic_helper_t;
-corecmd_bin_entry_type(kernel_generic_helper_t)
-corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t)
-
-allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms;
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+corecmd_exec_bin(kernel_t)
# Enable running `/usr/bin/env [u]mount ...` to support ZFS automounting.
# See the module/os/linux/zfs/zfs_ctldir.c file in
# https://github.com/openzfs/zfs/ for the usermode helper calls.
-optional_policy(`
- mount_domtrans(kernel_generic_helper_t)
-')
domain_use_all_fds(kernel_t)
domain_signal_all_domains(kernel_t)
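Review bot: the added corecmd_exec_shell(kernel_t) and corecmd_exec_bin(kernel_t) lines let kernel_t execute shells and generic bin types in its own domain with no transition, and the commit message gives no reason for dropping the kernel_generic_helper_t confinement. Please state in the commit message what failed with the transition in place; if only particular usermode helpers needed more access, granting it to kernel_generic_helper_t would keep those helpers out of kernel_t. Also, once the optional_policy block with mount_domtrans(kernel_generic_helper_t) is removed, the ZFS automounting comment kept as context no longer sits above any rule, so either attach it to the rule that now covers that case or drop it.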
--
2.33.0