From a893edae3716b33be62edf1b5f3336e6f6bb251b Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 23 Jun 2014 12:47:16 -0400
Subject: [PATCH] Remove execmod access to system_file and exec_type.

execmod is checked on attempts to make executable a file mapping
that has been modified.  Typically this indicates a text relocation
attempt.  As we do not ever allow this for any confined domain to
system_file or exec_type, we should not need it for unconfineddomain
either.

Change-Id: I8fdc858f836ae0d2aa56da2abd7797fba9c258b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 unconfined.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/unconfined.te b/unconfined.te
index cd49cf1eb..d74b29303 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -61,10 +61,10 @@ allow unconfineddomain {
     -app_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain exec_type:file { r_file_perms execute execmod };
+allow unconfineddomain exec_type:file { r_file_perms execute };
 allow unconfineddomain exec_type:lnk_file r_file_perms;
 allow unconfineddomain system_file:dir r_dir_perms;
-allow unconfineddomain system_file:file { r_file_perms execute execmod };
+allow unconfineddomain system_file:file { r_file_perms execute };
 allow unconfineddomain system_file:lnk_file r_file_perms;
 allow unconfineddomain {
     fs_type
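Review bot: Nothing in this hunk stops execmod on exec_type or system_file from being granted again later, because dropping it from the two `allow unconfineddomain ... :file` rules removes only the current grant. The commit message says no confined domain is ever allowed this access, so the invariant could be enforced at build time with a rule such as `neverallow domain { exec_type system_file }:file execmod;`. That rule would presumably live in whichever policy file holds the global neverallows, and it only compiles if the claim holds for every domain. A one-line comment above the two rules, e.g. `# No execmod: text relocations on system or executable files are never permitted.`, would also show later editors that the omission is deliberate. The allow blocks at the top and bottom of the hunk begin and end outside it, so they were not reviewed.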
-- 
GitLab