Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/global_tunables.denyexecmem serefpolicy-3.10.0/policy/global_tunables
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/global_tunables.denyexecmem	2011-11-08 16:11:51.764047705 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/global_tunables	2011-11-08 16:11:52.028047558 -0500
Dan Walsh 6b27a2
@@ -20,10 +20,10 @@ gen_tunable(allow_execheap,false)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 ## <desc>
Dan Walsh 6b27a2
 ## 

Dan Walsh 6b27a2
-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
Dan Walsh 6b27a2
+## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
Dan Walsh 6b27a2
 ## 

Dan Walsh 6b27a2
 ## </desc>
Dan Walsh 6b27a2
-gen_tunable(allow_execmem,false)
Dan Walsh 6b27a2
+gen_tunable(deny_execmem,false)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 ## <desc>
Dan Walsh 6b27a2
 ## 

Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.denyexecmem serefpolicy-3.10.0/policy/modules/admin/rpm.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.denyexecmem	2011-11-08 16:11:51.771047703 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te	2011-11-08 16:11:52.030047557 -0500
Dan Walsh 6b27a2
@@ -382,7 +382,7 @@ ifdef(`distro_redhat',`
Dan Walsh 6b27a2
 	')
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
 	allow rpm_script_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/apps/games.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/games.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/apps/games.te.denyexecmem	2011-06-27 14:18:04.000000000 -0400
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/apps/games.te	2011-11-08 16:11:52.031047556 -0500
Dan Walsh 6b27a2
@@ -166,7 +166,7 @@ userdom_manage_user_tmp_sockets(games_t)
Dan Walsh 6b27a2
 # Suppress .icons denial until properly implemented
Dan Walsh 6b27a2
 userdom_dontaudit_read_user_home_content_files(games_t)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`', `
Dan Walsh 6b27a2
 	allow games_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/mozilla.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.denyexecmem	2011-11-08 16:11:51.786047693 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te	2011-11-08 16:11:52.032047555 -0500
Dan Walsh 6b27a2
@@ -178,8 +178,12 @@ xserver_user_x_domain_template(mozilla,
Dan Walsh 6b27a2
 xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
Dan Walsh 6b27a2
 xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
-	allow mozilla_t self:process { execmem execstack };
Dan Walsh 6b27a2
+tunable_policy(`allow_execstack',`
Dan Walsh 6b27a2
+	allow mozilla_t self:process execstack;
Dan Walsh 6b27a2
+')
Dan Walsh 6b27a2
+
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
+	allow mozilla_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 tunable_policy(`use_nfs_home_dirs',`
Dan Walsh 6b27a2
@@ -410,12 +414,12 @@ userdom_read_user_home_content_symlinks(
Dan Walsh 6b27a2
 userdom_read_home_certs(mozilla_plugin_t)
Dan Walsh 6b27a2
 userdom_dontaudit_write_home_certs(mozilla_plugin_t)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
-	allow mozilla_plugin_t self:process { execmem execstack };
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`', `
Dan Walsh 6b27a2
+	allow mozilla_plugin_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 tunable_policy(`allow_execstack',`
Dan Walsh 6b27a2
-	allow mozilla_plugin_t self:process { execstack };
Dan Walsh 6b27a2
+	allow mozilla_plugin_t self:process execstack;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 tunable_policy(`use_nfs_home_dirs',`
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/apps/mplayer.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/mplayer.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/apps/mplayer.te.denyexecmem	2011-11-08 16:11:51.048048110 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/apps/mplayer.te	2011-11-08 16:11:53.818046549 -0500
Dan Walsh 6b27a2
@@ -92,7 +92,7 @@ ifndef(`enable_mls',`
Dan Walsh 6b27a2
 	fs_read_removable_symlinks(mencoder_t)
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
 	allow mencoder_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
@@ -252,7 +252,7 @@ ifdef(`enable_mls',`',`
Dan Walsh 6b27a2
 	fs_read_removable_symlinks(mplayer_t)
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
 	allow mplayer_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/kernel/corecommands.te.denyexecmem serefpolicy-3.10.0/policy/modules/kernel/corecommands.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/kernel/corecommands.te.denyexecmem	2011-06-27 14:18:04.000000000 -0400
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/kernel/corecommands.te	2011-11-08 16:11:52.033047554 -0500
Dan Walsh 6b27a2
@@ -13,7 +13,7 @@ attribute exec_type;
Dan Walsh 6b27a2
 #
Dan Walsh 6b27a2
 # bin_t is the type of files in the system bin/sbin directories.
Dan Walsh 6b27a2
 #
Dan Walsh 6b27a2
-type bin_t alias { ls_exec_t sbin_t };
Dan Walsh 6b27a2
+type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t };
Dan Walsh 6b27a2
 corecmd_executable_file(bin_t)
Dan Walsh 6b27a2
 dev_associate(bin_t)	#For /dev/MAKEDEV
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.denyexecmem serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.denyexecmem	2011-11-08 16:11:51.729047726 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te	2011-11-08 16:11:52.034047554 -0500
Dan Walsh 6b27a2
@@ -104,11 +104,11 @@ unconfined_domain_noaudit(unconfined_t)
Dan Walsh 6b27a2
 usermanage_run_passwd(unconfined_t, unconfined_r)
Dan Walsh 6b27a2
 usermanage_run_chfn(unconfined_t, unconfined_r)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
 	allow unconfined_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem && allow_execstack',`
Dan Walsh 6b27a2
+tunable_policy(`allow_execstack',`
Dan Walsh 6b27a2
 	allow unconfined_t self:process execstack;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
@@ -230,7 +230,6 @@ optional_policy(`
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 	optional_policy(`
Dan Walsh 6b27a2
 		unconfined_domain(unconfined_dbusd_t)
Dan Walsh 6b27a2
-		unconfined_execmem_domtrans(unconfined_dbusd_t)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 		optional_policy(`
Dan Walsh 6b27a2
 			xserver_rw_shm(unconfined_dbusd_t)
Dan Walsh 6b27a2
@@ -389,48 +388,5 @@ optional_policy(`
Dan Walsh 6b27a2
 	xserver_manage_home_fonts(unconfined_t)
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-########################################
Dan Walsh 6b27a2
-#
Dan Walsh 6b27a2
-# Unconfined Execmem Local policy
Dan Walsh 6b27a2
-#
Dan Walsh 6b27a2
-
Dan Walsh 6b27a2
-optional_policy(`
Dan Walsh 6b27a2
-	execmem_role_template(unconfined, unconfined_r, unconfined_t)
Dan Walsh 6b27a2
-	typealias unconfined_execmem_t alias execmem_t;
Dan Walsh 6b27a2
-	typealias unconfined_execmem_t alias unconfined_openoffice_t;
Dan Walsh 6b27a2
-	unconfined_domain_noaudit(unconfined_execmem_t)
Dan Walsh 6b27a2
-	allow unconfined_execmem_t unconfined_t:process transition;
Dan Walsh 6b27a2
-	rpm_transition_script(unconfined_execmem_t)
Dan Walsh 6b27a2
-	role system_r types unconfined_execmem_t;
Dan Walsh 6b27a2
-
Dan Walsh 6b27a2
-	optional_policy(`
Dan Walsh 6b27a2
-		init_dbus_chat_script(unconfined_execmem_t)
Dan Walsh 6b27a2
-		dbus_system_bus_client(unconfined_execmem_t)
Dan Walsh 6b27a2
-		unconfined_dbus_chat(unconfined_execmem_t)
Dan Walsh 6b27a2
-		unconfined_dbus_connect(unconfined_execmem_t)
Dan Walsh 6b27a2
-	')
Dan Walsh 6b27a2
-
Dan Walsh 6b27a2
-	optional_policy(`
Dan Walsh 6b27a2
-		tunable_policy(`allow_unconfined_nsplugin_transition',`', `
Dan Walsh 6b27a2
-			nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
Dan Walsh 6b27a2
-		')
Dan Walsh 6b27a2
-	')
Dan Walsh 6b27a2
-
Dan Walsh 6b27a2
-	optional_policy(`
Dan Walsh 6b27a2
-		tunable_policy(`unconfined_login',`
Dan Walsh 6b27a2
-			mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
Dan Walsh 6b27a2
-		')
Dan Walsh 6b27a2
-	')
Dan Walsh 6b27a2
-
Dan Walsh 6b27a2
-	optional_policy(`
Dan Walsh 6b27a2
-		openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
Dan Walsh 6b27a2
-	')
Dan Walsh 6b27a2
-')
Dan Walsh 6b27a2
-
Dan Walsh 6b27a2
-########################################
Dan Walsh 6b27a2
-#
Dan Walsh 6b27a2
-# Unconfined mount local policy
Dan Walsh 6b27a2
-#
Dan Walsh 6b27a2
-
Dan Walsh 6b27a2
 gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.te.denyexecmem serefpolicy-3.10.0/policy/modules/services/postgresql.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/services/postgresql.te.denyexecmem	2011-11-08 16:11:51.439047890 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/services/postgresql.te	2011-11-08 16:11:52.035047553 -0500
Dan Walsh 6b27a2
@@ -329,7 +329,7 @@ userdom_dontaudit_use_user_terminals(pos
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 mta_getattr_spool(postgresql_t)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
 	allow postgresql_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.denyexecmem serefpolicy-3.10.0/policy/modules/services/xserver.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.denyexecmem	2011-11-08 16:11:51.969047589 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te	2011-11-08 16:11:52.037047551 -0500
Dan Walsh 6b27a2
@@ -1412,7 +1412,7 @@ tunable_policy(`allow_xserver_execmem',`
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 # Hack to handle the problem of using the nvidia blobs
Dan Walsh 6b27a2
-tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
 	allow xdm_t self:process execmem;
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.denyexecmem serefpolicy-3.10.0/policy/modules/system/unconfined.if
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.denyexecmem	2011-11-08 16:11:51.983047584 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if	2011-11-08 16:11:52.038047550 -0500
Dan Walsh 6b27a2
@@ -63,16 +63,14 @@ interface(`unconfined_domain_noaudit',`
Dan Walsh 6b27a2
 		allow $1 self:process execheap;
Dan Walsh 6b27a2
 	')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-	tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+	tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
 		# Allow making anonymous memory executable, e.g. 
Dan Walsh 6b27a2
 		# for runtime-code generation or executable stack.
Dan Walsh 6b27a2
 		allow $1 self:process execmem;
Dan Walsh 6b27a2
 	')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 	tunable_policy(`allow_execstack',`
Dan Walsh 6b27a2
-		# Allow making the stack executable via mprotect;
Dan Walsh 6b27a2
-		# execstack implies execmem;
Dan Walsh 6b27a2
-		allow $1 self:process { execstack execmem };
Dan Walsh 6b27a2
+		allow $1 self:process execstack;
Dan Walsh 6b27a2
 #		auditallow $1 self:process execstack;
Dan Walsh 6b27a2
 	')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.denyexecmem serefpolicy-3.10.0/policy/modules/system/userdomain.if
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.denyexecmem	2011-11-08 16:11:51.986047581 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if	2011-11-08 16:11:52.041047550 -0500
Dan Walsh 6b27a2
@@ -149,12 +149,12 @@ template(`userdom_base_user_template',`
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 	systemd_dbus_chat_logind($1_usertype)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-	tunable_policy(`allow_execmem',`
Dan Walsh 6b27a2
+	tunable_policy(`deny_execmem',`', `
Dan Walsh 6b27a2
 		# Allow loading DSOs that require executable stack.
Dan Walsh 6b27a2
 		allow $1_t self:process execmem;
Dan Walsh 6b27a2
 	')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-	tunable_policy(`allow_execmem && allow_execstack',`
Dan Walsh 6b27a2
+	tunable_policy(`allow_execstack',`
Dan Walsh 6b27a2
 		# Allow making the stack executable via mprotect.
Dan Walsh 6b27a2
 		allow $1_t self:process execstack;
Dan Walsh 6b27a2
 	')
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/apps/mplayer.te~ serefpolicy-3.10.0/policy/modules/apps/mplayer.te
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/apps/sandbox.te~ serefpolicy-3.10.0/policy/modules/apps/sandbox.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/apps/sandbox.te~	2011-11-08 16:12:17.701033064 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/apps/sandbox.te	2011-11-08 16:24:21.364582225 -0500
Dan Walsh 6b27a2
@@ -40,7 +40,12 @@ files_type(sandbox_devpts_t)
Dan Walsh 6b27a2
 #
Dan Walsh 6b27a2
 # sandbox xserver policy
Dan Walsh 6b27a2
 #
Dan Walsh 6b27a2
-allow sandbox_xserver_t self:process { execmem execstack };
Dan Walsh 6b27a2
+allow sandbox_xserver_t self:process execstack;
Dan Walsh 6b27a2
+
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
+	allow sandbox_xserver_t self:process execmem;
Dan Walsh 6b27a2
+')
Dan Walsh 6b27a2
+
Dan Walsh 6b27a2
 allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
Dan Walsh 6b27a2
 allow sandbox_xserver_t self:shm create_shm_perms;
Dan Walsh 6b27a2
 allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
Dan Walsh 6b27a2
@@ -119,7 +124,11 @@ optional_policy(`
Dan Walsh 6b27a2
 # sandbox local policy
Dan Walsh 6b27a2
 #
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
Dan Walsh 6b27a2
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
+	allow sandbox_domain self:process execmem;
Dan Walsh 6b27a2
+')
Dan Walsh 6b27a2
+
Dan Walsh 6b27a2
 allow sandbox_domain self:fifo_file manage_file_perms;
Dan Walsh 6b27a2
 allow sandbox_domain self:sem create_sem_perms;
Dan Walsh 6b27a2
 allow sandbox_domain self:shm create_shm_perms;
Dan Walsh 6b27a2
@@ -168,7 +177,11 @@ mta_dontaudit_read_spool_symlinks(sandbo
Dan Walsh 6b27a2
 #
Dan Walsh 6b27a2
 # sandbox_x_domain local policy
Dan Walsh 6b27a2
 #
Dan Walsh 6b27a2
-allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
Dan Walsh 6b27a2
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
+	allow sandbox_x_domain self:process execmem;
Dan Walsh 6b27a2
+')
Dan Walsh 6b27a2
+
Dan Walsh 6b27a2
 allow sandbox_x_domain self:fifo_file manage_file_perms;
Dan Walsh 6b27a2
 allow sandbox_x_domain self:sem create_sem_perms;
Dan Walsh 6b27a2
 allow sandbox_x_domain self:shm create_shm_perms;
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/apps/thumb.te~ serefpolicy-3.10.0/policy/modules/apps/thumb.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/apps/thumb.te~	2011-11-08 16:12:17.709033060 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/apps/thumb.te	2011-11-08 16:23:18.017395117 -0500
Dan Walsh 6b27a2
@@ -19,7 +19,12 @@ ubac_constrained(thumb_tmp_t)
Dan Walsh 6b27a2
 # thumb local policy
Dan Walsh 6b27a2
 #
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-allow thumb_t self:process { setsched signal setrlimit execmem };
Dan Walsh 6b27a2
+allow thumb_t self:process { setsched signal setrlimit };
Dan Walsh 6b27a2
+
Dan Walsh 6b27a2
+tunable_policy(`deny_execmem',`',`
Dan Walsh 6b27a2
+	allow thumb_t self:process execmem;
Dan Walsh 6b27a2
+')
Dan Walsh 6b27a2
+
Dan Walsh 6b27a2
 allow thumb_t self:fifo_file manage_fifo_file_perms;
Dan Walsh 6b27a2
 allow thumb_t self:unix_stream_socket create_stream_socket_perms;
Dan Walsh 6b27a2
 allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
Dan Walsh 6b27a2
diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te~ serefpolicy-3.10.0/policy/modules/roles/xguest.te
Dan Walsh 6b27a2
--- serefpolicy-3.10.0/policy/modules/roles/xguest.te~	2011-11-08 16:12:18.349032697 -0500
Dan Walsh 6b27a2
+++ serefpolicy-3.10.0/policy/modules/roles/xguest.te	2011-11-08 16:21:44.303111563 -0500
Dan Walsh 6b27a2
@@ -54,7 +54,6 @@ optional_policy(`
Dan Walsh 6b27a2
 	mount_dontaudit_exec_fusermount(xguest_t)
Dan Walsh 6b27a2
 ')
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
-allow xguest_t self:process execmem;
Dan Walsh 6b27a2
 kernel_dontaudit_request_load_module(xguest_t)
Dan Walsh 6b27a2
 
Dan Walsh 6b27a2
 tunable_policy(`allow_execstack',`