From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 19 Jul 2018 19:54:01 -0400
Subject: [refpolicy] [PATCH] Improve domain_transition_pattern to allow
 mmap entrypoint bin file.
In-Reply-To: <20180719221727.19457-1-lvrabec@redhat.com>
References: <20180719221727.19457-1-lvrabec@redhat.com>
Message-ID: <8b22f7b3-873f-6244-4bca-28fd23166af1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/19/2018 06:17 PM, Lukas Vrabec via refpolicy wrote:
> In domain_transition_pattern there is rule:
> allow $1 $2:file { getattr open read execute };
> 
> map permission is missing here, which is generating lot of AVC.
> Replacing permissions with mmap_exec_file_perms set.
> ---
>   policy/support/misc_patterns.spt | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
> index 26a86dda..2cfa0313 100644
> --- a/policy/support/misc_patterns.spt
> +++ b/policy/support/misc_patterns.spt
> @@ -7,7 +7,7 @@
>   # 3. target domain
>   #
>   define(`domain_transition_pattern',`
> -	allow $1 $2:file { getattr open read execute };
> +	allow $1 $2:file { mmap_exec_file_perms };
>   	allow $1 $3:process transition;
>   	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
>   ')

Merged.

-- 
Chris PeBenito