From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 19 Jul 2018 19:54:01 -0400
Subject: [refpolicy] [PATCH] Improve domain_transition_pattern to allow mmap entrypoint bin file.
In-Reply-To: <20180719221727.19457-1-lvrabec@redhat.com>
References: <20180719221727.19457-1-lvrabec@redhat.com>
Message-ID: <8b22f7b3-873f-6244-4bca-28fd23166af1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/19/2018 06:17 PM, Lukas Vrabec via refpolicy wrote:
> In domain_transition_pattern there is a rule:
> allow $1 $2:file { getattr open read execute };
>
> The map permission is missing here, which is generating a lot of AVCs.
> Replacing the permissions with the mmap_exec_file_perms set.
> ---
> policy/support/misc_patterns.spt | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
> index 26a86dda..2cfa0313 100644
> --- a/policy/support/misc_patterns.spt
> +++ b/policy/support/misc_patterns.spt
> @@ -7,7 +7,7 @@
> # 3. target domain
> #
> define(`domain_transition_pattern',`
> - allow $1 $2:file { getattr open read execute };
> + allow $1 $2:file { mmap_exec_file_perms };
> allow $1 $3:process transition;
> dontaudit $1 $3:process { noatsecure siginh rlimitinh };
> ')

Merged.

-- 
Chris PeBenito
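Review bot: The commit message says only the `map` permission is missing, but the hunk swaps the explicit set `{ getattr open read execute }` for the `mmap_exec_file_perms` macro, which grants whatever that macro is defined as in policy/support/obj_perm_sets.spt rather than the four listed permissions plus `map`. If the macro carries anything beyond those five (for example `ioctl`), every domain that uses domain_transition_pattern silently gains it; either state that broadening in the commit message or, if the intent really is just `map`, write the explicit set `{ getattr open read execute map }` on the `+` line. Also worth a sentence in the message: the entrypoint file type `$2` still gets no `execute_no_trans`, so this keeps forcing the transition rather than allowing the caller to run the binary in its own domain, which is the right behaviour for this pattern and is why the plain `exec_file_perms` set would be the wrong replacement here.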