Hi All,
I found one thing in refpolicy which I don't completely understand.
In "policy/support/misc_patterns.spt" there is definition of
"domain_transition_pattern" and this contains line:
allow $1 $2:file { getattr open read execute };
There is missing map permission.
However in "policy/support/misc_macros.spt" there is definition of
"can_exec" and it contains allow rule:
define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock
execute_no_trans };')
There is a mmap_exec_file_perms which contains:
define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
Map is present in can_exec().
So for domain transitions we don't allow map permission from calling
domain on binary type but in can_exec macro there is map permission.
I think this is a bug and in "domain_transition_pattern" there should be
this line:
allow $1 $2:file { getattr open read execute map };
instead of:
allow $1 $2:file { getattr open read execute };
Am I right or missing something?
Thanks for help!
Lukas.
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
