From ea219e37f66cbd166dba2bbeaadfb87864e26a6c Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 26 Mar 2014 10:32:09 -0400
Subject: [PATCH] Allow domains to stat and open their entrypoint executables.

Resolves denials such as:
 avc:  denied  { open } for  pid=2758 comm="mediaserver" name="mediaserver" dev="mmcblk0p22" ino=169 scontext=u:r:mediaserver:s0 tcontext=u:object_r:mediaserver_exec:s0 tclass=file
 avc:  denied  { getattr } for  pid=2758 comm="mediaserver" path="/system/bin/mediaserver" dev="mmcblk0p22" ino=169 scontext=u:r:mediaserver:s0 tcontext=u:object_r:mediaserver_exec:s0 tclass=file

Change-Id: Ifee9e6fa87ae933639ce0b1d69a2feee460cf31f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 te_macros | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/te_macros b/te_macros
index 404222ad7..3d170f4fb 100644
--- a/te_macros
+++ b/te_macros
@@ -11,7 +11,7 @@ define(`domain_trans', `
 allow $1 $2:file { getattr open read execute };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
-allow $3 $2:file { entrypoint read execute };
+allow $3 $2:file { entrypoint open read execute getattr };
 # New domain can send SIGCHLD to its caller.
 allow $3 $1:process sigchld;
 # Enable AT_SECURE, i.e. libc secure mode.
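Review bot: The comment above the changed rule still says only that the new domain is entered by executing the file, while the rule now also lets that domain stat and open its own executable; the reason for the extra permissions belongs in the policy rather than only in the commit message, e.g. `# New domain is entered by executing the file; it may also stat and re-open its own executable.`. The widening is limited: the set still lacks write and execute_no_trans, so the domain cannot alter the binary or re-execute it without a transition, only open and getattr a file it already had read and execute rights on. The permission list order also differs from the caller-side rule two lines up (`{ getattr open read execute }`); using the same order makes the two rules easier to compare. The `domain_trans` macro starts before this hunk and continues past it.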
-- 
GitLab