Remove execmod access to system_file and exec_type.

execmod is checked on attempts to make executable a file mapping that has been modified. Typically this indicates a text relocation attempt. As we do not ever allow this for any confined domain to system_file or exec_type, we should not need it for unconfineddomain either. Change-Id: I8fdc858f836ae0d2aa56da2abd7797fba9c258b1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove execmod access to system_file and exec_type.
a893edae · Stephen Smalley · bb75dd73 · a893edae
Commit a893edae authored 10 years ago by Stephen Smalley
--- a/unconfined.te
+++ b/unconfined.te
@@ -61,10 +61,10 @@ allow unconfineddomain {
    -app_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain exec_type:file { r_file_perms execute execmod };
+allow unconfineddomain exec_type:file { r_file_perms execute };
 allow unconfineddomain exec_type:lnk_file r_file_perms;
 allow unconfineddomain system_file:dir r_dir_perms;
-allow unconfineddomain system_file:file { r_file_perms execute execmod };
+allow unconfineddomain system_file:file { r_file_perms execute };
 allow unconfineddomain system_file:lnk_file r_file_perms;
 allow unconfineddomain {
    fs_type