From: lvrabec@redhat.com (Lukas Vrabec)
Date: Thu, 19 Jul 2018 18:17:46 +0200
Subject: [refpolicy] map permission in can_exec() but not in
	domain_transition_pattern()
Message-ID: <11ce07ad-6001-f686-29be-202c9062730e@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi All,

I found one thing in refpolicy which I don't completely understand.

In "policy/support/misc_patterns.spt" there is definition of
"domain_transition_pattern" and this contains line:
allow $1 $2:file { getattr open read execute };

There is missing map permission.

However in "policy/support/misc_macros.spt" there is definition of
"can_exec" and it contains allow rule:
define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock
execute_no_trans };')

There is a mmap_exec_file_perms which contains:
define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')

Map is present in can_exec().

So for domain transitions we don't allow map permission from calling
domain on binary type but in can_exec macro there is map permission.

I think this is a bug and in "domain_transition_pattern" there should be
this line:
allow $1 $2:file { getattr open read execute map };

instead of:
allow $1 $2:file { getattr open read execute };

Am I right or missing something?

Thanks for help!
Lukas.

-- 
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180719/b16f0660/attachment.bin