Remove execmod access to system_file and exec_type. execmod is checked on attempts to make executable a file mapping that has been modified. Typically this indicates a text relocation attempt. As we do not ever allow this for any confined domain to system_file or exec_type, we should not need it for unconfineddomain either. Change-Id: I8fdc858f836ae0d2aa56da2abd7797fba9c258b1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: a893edae3716b33be62edf1b5f3336e6f6bb251b [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Mon Jun 23 12:47:16 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Mon Jun 23 12:50:57 2014 -0400
tree: 101454e7f1a419eef9940caeda781e799102d0ac
parent: bb75dd732bd690c9bc6017679a3630a123266161 [diff]
diff --git a/unconfined.te b/unconfined.te
index cd49cf1..d74b293 100644
--- a/unconfined.te
+++ b/unconfined.te

@@ -61,10 +61,10 @@
     -app_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain exec_type:file { r_file_perms execute execmod };
+allow unconfineddomain exec_type:file { r_file_perms execute };
 allow unconfineddomain exec_type:lnk_file r_file_perms;
 allow unconfineddomain system_file:dir r_dir_perms;
-allow unconfineddomain system_file:file { r_file_perms execute execmod };
+allow unconfineddomain system_file:file { r_file_perms execute };
 allow unconfineddomain system_file:lnk_file r_file_perms;
 allow unconfineddomain {
     fs_type
commit	a893edae3716b33be62edf1b5f3336e6f6bb251b	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Mon Jun 23 12:47:16 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Mon Jun 23 12:50:57 2014 -0400
tree	101454e7f1a419eef9940caeda781e799102d0ac
parent	bb75dd732bd690c9bc6017679a3630a123266161 [diff]