Revert "Allow an domain that has an entrypoint from a type to be allo…

…wed to execute the entrypoint without a transition, I can see no case where this is a bad thing, and elminiates a whole class of AVCs." This reverts commit e63f490. It allows to the process to re-exec itself at will. If it is needed then can_exec() macro should be used.
fedora-selinux · Dec 12, 2016 · 870f694 · 870f694
1 parent d0546e3
commit 870f694
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
@@ -103,7 +103,7 @@ interface(`domain_entry_file',`
 	')
 
 	allow $1 $2:file entrypoint;
-	allow $1 $2:file { mmap_file_perms ioctl lock execute_no_trans };
+	allow $1 $2:file { mmap_file_perms ioctl lock };
 
 	typeattribute $2 entry_type;