Linux – map access in the context of SELinux

fedoraselinux

I am hitting an issue with SELinux where it tells me SELinux is preventing sh from map access on the file /bin/busybox.

and then it tells me 

If you believe that sh should be allowed map access on the busybox file by default.
Then you should report this as a bug.

I can't seem to find anywhere that tells me what map access actually means which makes it hard for me to know if this should be default behavior.

What is map access and is there any documentation for what it means?

Best Answer

Mapping refers to memory mapping (a file using mmap(2)). SELinux wiki page for permissions and object classes document most of SELinux permissions, but it hasn't been updated since 2013 and doesn't include map permission.

The commit messages[1][2] provide some further details:

When a file is opened and then read or written via syscalls like read(2)/write(2), we revalidate access on each read/write operation via selinux_file_permission() and therefore can revoke access if the process context, the file context, or the policy changes in such a manner that access is no longer allowed. When a file is opened and then memory mapped via mmap(2) and then subsequently read or written directly in memory, we presently have no way to revalidate or revoke access. The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying).

Related Question