Allow domains to stat and open their entrypoint executables.
Resolves denials such as:
avc: denied { open } for pid=2758 comm="mediaserver" name="mediaserver" dev="mmcblk0p22" ino=169 scontext=u:r:mediaserver:s0 tcontext=u:object_r:mediaserver_exec:s0 tclass=file
avc: denied { getattr } for pid=2758 comm="mediaserver" path="/system/bin/mediaserver" dev="mmcblk0p22" ino=169 scontext=u:r:mediaserver:s0 tcontext=u:object_r:mediaserver_exec:s0 tclass=file
Change-Id: Ifee9e6fa87ae933639ce0b1d69a2feee460cf31f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/te_macros b/te_macros
index 404222a..3d170f4 100644
--- a/te_macros
+++ b/te_macros
@@ -11,7 +11,7 @@
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint read execute };
+allow $3 $2:file { entrypoint open read execute getattr };
# New domain can send SIGCHLD to its caller.
allow $3 $1:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
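Review bot: The comment on the line before the changed rule still says only that the new domain is entered by executing the file, while the rule now also lets the new domain stat and open its own entrypoint, so the comment undersells what is granted; suggest `# New domain is entered by executing the file, and may also stat/open its own entrypoint (e.g. to read its own binary).` As a point of style, the new permission set `{ entrypoint open read execute getattr }` orders permissions differently from the `{ getattr open read execute }` set on the caller rule above; writing it as `{ entrypoint getattr open read execute }` keeps the two lines easy to compare. The grant stays read-only on the executable (no write, append or relabel), so it does not change the integrity of the entrypoint file. The enclosing macro definition begins before this hunk, so its name and remaining rules are not visible here.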