Allow domains to stat and open their entrypoint executables.

Resolves denials such as: avc: denied { open } for pid=2758 comm="mediaserver" name="mediaserver" dev="mmcblk0p22" ino=169 scontext=u:r:mediaserver:s0 tcontext=u:object_r:mediaserver_exec:s0 tclass=file avc: denied { getattr } for pid=2758 comm="mediaserver" path="/system/bin/mediaserver" dev="mmcblk0p22" ino=169 scontext=u:r:mediaserver:s0 tcontext=u:object_r:mediaserver_exec:s0 tclass=file Change-Id: Ifee9e6fa87ae933639ce0b1d69a2feee460cf31f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow domains to stat and open their entrypoint executables.
ea219e37 · Stephen Smalley · 18f2b80e · ea219e37
Commit ea219e37 authored 11 years ago by Stephen Smalley
--- a/te_macros
+++ b/te_macros
@@ -11,7 +11,7 @@ define(`domain_trans', `
 allow $1 $2:file { getattr open read execute };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
-allow $3 $2:file { entrypoint read execute };
+allow $3 $2:file { entrypoint open read execute getattr };
 # New domain can send SIGCHLD to its caller.
 allow $3 $1:process sigchld;
 # Enable AT_SECURE, i.e. libc secure mode.