From: lvrabec@redhat.com (Lukas Vrabec)
Date: Fri, 20 Jul 2018 00:17:27 +0200
Subject: [refpolicy] [PATCH] Improve domain_transition_pattern to allow mmap
	entrypoint bin file.
Message-ID: <20180719221727.19457-1-lvrabec@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

In domain_transition_pattern there is rule:
allow $1 $2:file { getattr open read execute };

map permission is missing here, which is generating lot of AVC.
Replacing permissions with mmap_exec_file_perms set.
---
 policy/support/misc_patterns.spt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 26a86dda..2cfa0313 100644
--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
@@ -7,7 +7,7 @@
 # 3. target domain
 #
 define(`domain_transition_pattern',`
-	allow $1 $2:file { getattr open read execute };
+	allow $1 $2:file { mmap_exec_file_perms };
 	allow $1 $3:process transition;
 	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
 ')
-- 
2.17.1