Mapeamento refere-se ao mapeamento de memória (um arquivo que usa mmap (2) ). A página wiki do SELinux para permissões e classes de objetos documenta a maioria das permissões do SELinux, mas não é atualizada desde 2013 e não inclui permissão de mapa.
As mensagens de confirmação [1] [2] forneça mais detalhes:
When a file is opened and then read or written via syscalls like read(2)/write(2), we revalidate access on each read/write operation via selinux_file_permission() and therefore can revoke access if the process context, the file context, or the policy changes in such a manner that access is no longer allowed. When a file is opened and then memory mapped via mmap(2) and then subsequently read or written directly in memory, we presently have no way to revalidate or revoke access. The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying).