From: lvrabec@redhat.com (Lukas Vrabec)
Date: Thu, 19 Jul 2018 18:17:46 +0200
Subject: [refpolicy] map permission in can_exec() but not in domain_transition_pattern()
Message-ID: <11ce07ad-6001-f686-29be-202c9062730e@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi All,

I found one thing in refpolicy which I don't completely understand.

In "policy/support/misc_patterns.spt" there is a definition of "domain_transition_pattern", and it contains the line:

    allow $1 $2:file { getattr open read execute };

The map permission is missing there.

However, in "policy/support/misc_macros.spt" there is a definition of "can_exec", and it contains the allow rule:

    define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')

There is a mmap_exec_file_perms, which contains:

    define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')

Map is present in can_exec().

So for domain transitions we don't allow the map permission from the calling domain on the binary type, but in the can_exec macro the map permission is there.

I think this is a bug, and in "domain_transition_pattern" there should be this line:

    allow $1 $2:file { getattr open read execute map };

instead of:

    allow $1 $2:file { getattr open read execute };

Am I right, or am I missing something?

Thanks for the help!
Lukas.

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
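Added example, not part of the original message or of refpolicy: a small Python check that expands the permission-set macro and diffs the file permissions granted by the two rules quoted above. The `define` wrapper around the quoted `domain_transition_pattern` line and all function names are assumptions made for the example; the input holds only the lines quoted in the message.

```python
import re

# Constructed input: only the definitions quoted in the message. The define()
# wrapper around the domain_transition_pattern line is an assumption added here
# so both rules can be parsed the same way.
POLICY_SNIPPETS = r"""
define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock execute_no_trans };')
define(`domain_transition_pattern',`allow $1 $2:file { getattr open read execute };')
"""

DEFINE_RE = re.compile(r"define\(`(\w+)',`(.*?)'\)", re.S)
ALLOW_RE = re.compile(r"allow\s+\$1\s+\$2:file\s+\{([^}]*)\}\s*;")

def parse_defines(text):
    """Map each m4 macro name to its raw body."""
    return dict(DEFINE_RE.findall(text))

def expand(tokens, defines, seen=()):
    """Replace permission-set macros ({ ... } bodies) with their members."""
    perms = set()
    for tok in tokens:
        body = defines.get(tok, "").strip()
        if body.startswith("{") and body.endswith("}"):
            if tok in seen:
                raise ValueError(f"recursive permission macro: {tok}")
            perms |= expand(body[1:-1].split(), defines, seen + (tok,))
        else:
            perms.add(tok)
    return perms

def file_perms(macro, defines):
    """Permissions the macro grants $1 on $2:file, with set macros expanded."""
    perms = set()
    for match in ALLOW_RE.finditer(defines[macro]):
        perms |= expand(match.group(1).split(), defines)
    return perms

def compare(text):
    """Return (only in can_exec, only in domain_transition_pattern)."""
    defines = parse_defines(text)
    trans = file_perms("domain_transition_pattern", defines)
    execp = file_perms("can_exec", defines)
    return sorted(execp - trans), sorted(trans - execp)

if __name__ == "__main__":
    only_exec, only_trans = compare(POLICY_SNIPPETS)
    print("only in can_exec:", only_exec)
    print("only in domain_transition_pattern:", only_trans)
```

Run against a full policy tree, the same comparison would need the complete macro bodies rather than the single quoted lines.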