SELinux: Move execmod to the common perms

execmod "could" show up on non regular files and non chr files. The current implementation would actually make these checks against non-existant bits since the code assumes the execmod permission is same for all file types. To make this line up for chr files we had to define execute_no_trans and entrypoint permissions. These permissions are unreachable and only existed to to make FILE__EXECMOD and CHR_FILE__EXECMOD the same. This patch drops those needless perms as well. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
2010-07-23 11:44:15 -04:00 · 2010-07-23 11:44:15 -04:00 · b424485abe
commit b424485abe
parent 49b7b8de46
1 changed files with 3 additions and 4 deletions
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@ -3,7 +3,7 @@

 #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
    "rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
-    "open"
+    "open", "execmod"

 #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
    "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom",  \
@ -44,7 +44,7 @@ struct security_class_mapping secclass_map[] = {
 	    "quotaget", NULL } },
 	{ "file",
 	  { COMMON_FILE_PERMS,
-	    "execute_no_trans", "entrypoint", "execmod", NULL } },
+	    "execute_no_trans", "entrypoint", NULL } },
 	{ "dir",
 	  { COMMON_FILE_PERMS, "add_name", "remove_name",
 	    "reparent", "search", "rmdir", NULL } },
@ -52,8 +52,7 @@ struct security_class_mapping secclass_map[] = {
 	{ "lnk_file",
 	  { COMMON_FILE_PERMS, NULL } },
 	{ "chr_file",
-	  { COMMON_FILE_PERMS,
-	    "execute_no_trans", "entrypoint", "execmod", NULL } },
+	  { COMMON_FILE_PERMS, NULL } },
 	{ "blk_file",
 	  { COMMON_FILE_PERMS, NULL } },
 	{ "sock_file",