Message ID | 20200508154138.24217-3-stephen.smalley.work@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Ondrej Mosnáček |
Series | Update to work on Debian |
diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te index 79ba868..2c0346a 100644 --- a/policy/test_execute_no_trans.te +++ b/policy/test_execute_no_trans.te @@ -24,4 +24,5 @@ userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t) #Allow test_execute_notrans permissions to the allowed type can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t) -allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_file_perms; +allow_map(test_execute_notrans_t, test_execute_notrans_denied_t, file) +allow test_execute_notrans_t test_execute_notrans_denied_t:file { getattr open read };
mmap_file_perms was deprecated in refpolicy in 2017 and is removed from Debian policy. mmap_exec_file_perms is recommended by refpolicy but RHEL-7 defined it differently (including execute_no_trans) so we cannot use it here unconditionally. Just open-code the necessary permissions and use the existing allow_map() macro defined by the testsuite to cover map permission if defined.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_execute_no_trans.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
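
Review bot: the open-coded set { getattr open read } on the new allow rule for test_execute_notrans_denied_t carries no comment, and the only comment in the hunk ("Allow test_execute_notrans permissions to the allowed type") describes the can_exec() line above it. Add a comment above the allow_map()/allow pair saying that the denied type is given map (where defined), getattr, open and read, and that the set is open-coded in place of mmap_file_perms, so that a later cleanup does not swap in mmap_exec_file_perms, which the commit message says includes execute_no_trans on RHEL-7 and would grant the permission this test expects to be denied. The commit message could also state whether the open-coded set matches what mmap_file_perms granted, since a narrower set changes what the test exercises. Minor style point: allow_map() is written with spaces after the commas while can_exec() in the context line has none.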