From: lvrabec@redhat.com (Lukas Vrabec) Date: Fri, 20 Jul 2018 00:17:27 +0200 Subject: [refpolicy] [PATCH] Improve domain_transition_pattern to allow mmap entrypoint bin file. Message-ID: <20180719221727.19457-1-lvrabec@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com In domain_transition_pattern there is rule: allow $1 $2:file { getattr open read execute }; map permission is missing here, which is generating lot of AVC. Replacing permissions with mmap_exec_file_perms set. --- policy/support/misc_patterns.spt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt index 26a86dda..2cfa0313 100644 --- a/policy/support/misc_patterns.spt +++ b/policy/support/misc_patterns.spt @@ -7,7 +7,7 @@ # 3. target domain # define(`domain_transition_pattern',` - allow $1 $2:file { getattr open read execute }; + allow $1 $2:file { mmap_exec_file_perms }; allow $1 $3:process transition; dontaudit $1 $3:process { noatsecure siginh rlimitinh }; ') -- 2.17.1
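Review bot: The replacement line `allow $1 $2:file { mmap_exec_file_perms };` swaps an explicit permission list for a permission-set macro whose expansion is not shown in this patch, so the diff alone cannot confirm that map is the only permission being added, as the commit message states. Because domain_transition_pattern applies to the source domain and entrypoint type of every caller, please either state the macro's expansion in the commit message or, if map is the only intended addition, write the set out explicitly as `{ getattr open read execute map }` so that nothing else is granted as a side effect. The braces around the macro name also look redundant if the macro already expands to a braced set. Including a sample of the AVC denial being fixed would let reviewers confirm that it is the source domain ($1) that needs map on the entrypoint file.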