diff --git a/denyexecmem.patch b/denyexecmem.patch
new file mode 100644
index 00000000..ce67a559
--- /dev/null
+++ b/denyexecmem.patch
@@ -0,0 +1,317 @@
+diff -up serefpolicy-3.10.0/policy/global_tunables.denyexecmem serefpolicy-3.10.0/policy/global_tunables
+--- serefpolicy-3.10.0/policy/global_tunables.denyexecmem 2011-11-08 16:11:51.764047705 -0500
++++ serefpolicy-3.10.0/policy/global_tunables 2011-11-08 16:11:52.028047558 -0500
+@@ -20,10 +20,10 @@ gen_tunable(allow_execheap,false)
+ 
+ ##
+ ##

+-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
++## Deny user domains applications to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
+ ##

+ ##
+-gen_tunable(allow_execmem,false)
++gen_tunable(deny_execmem,false)
+ 
+ ##
+ ##

+diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.denyexecmem serefpolicy-3.10.0/policy/modules/admin/rpm.te
+--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.denyexecmem 2011-11-08 16:11:51.771047703 -0500
++++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-08 16:11:52.030047557 -0500
+@@ -382,7 +382,7 @@ ifdef(`distro_redhat',`
+ ')
+ ')
+ 
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow rpm_script_t self:process execmem;
+ ')
+ 
+diff -up serefpolicy-3.10.0/policy/modules/apps/games.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/games.te
+--- serefpolicy-3.10.0/policy/modules/apps/games.te.denyexecmem 2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/games.te 2011-11-08 16:11:52.031047556 -0500
+@@ -166,7 +166,7 @@ userdom_manage_user_tmp_sockets(games_t)
+ # Suppress .icons denial until properly implemented
+ userdom_dontaudit_read_user_home_content_files(games_t)
+ 
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`', `
+ allow games_t self:process execmem;
+ ')
+ 
+diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/mozilla.te
+--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.denyexecmem 2011-11-08 16:11:51.786047693 -0500
++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-08 16:11:52.032047555 -0500
+@@ -178,8 +178,12 @@ xserver_user_x_domain_template(mozilla,
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
+ 
+-tunable_policy(`allow_execmem',`
+- allow mozilla_t self:process { execmem execstack };
++tunable_policy(`allow_execstack',`
++ allow mozilla_t self:process execstack;
++')
++
++tunable_policy(`deny_execmem',`',`
++ allow mozilla_t self:process execmem;
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -410,12 +414,12 @@ userdom_read_user_home_content_symlinks(
+ userdom_read_home_certs(mozilla_plugin_t)
+ userdom_dontaudit_write_home_certs(mozilla_plugin_t)
+ 
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_t self:process { execmem execstack };
++tunable_policy(`deny_execmem',`', `
++ allow mozilla_plugin_t self:process execmem;
+ ')
+ 
+ tunable_policy(`allow_execstack',`
+- allow mozilla_plugin_t self:process { execstack };
++ allow mozilla_plugin_t self:process execstack;
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+diff -up serefpolicy-3.10.0/policy/modules/apps/mplayer.te.denyexecmem serefpolicy-3.10.0/policy/modules/apps/mplayer.te
+--- serefpolicy-3.10.0/policy/modules/apps/mplayer.te.denyexecmem 2011-11-08 16:11:51.048048110 -0500
++++ serefpolicy-3.10.0/policy/modules/apps/mplayer.te 2011-11-08 16:11:53.818046549 -0500
+@@ -92,7 +92,7 @@ ifndef(`enable_mls',`
+ fs_read_removable_symlinks(mencoder_t)
+ ')
+ 
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow mencoder_t self:process execmem;
+ ')
+ 
+@@ -252,7 +252,7 @@ ifdef(`enable_mls',`',`
+ fs_read_removable_symlinks(mplayer_t)
+ ')
+ 
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow mplayer_t self:process execmem;
+ ')
+ 
+diff -up serefpolicy-3.10.0/policy/modules/kernel/corecommands.te.denyexecmem serefpolicy-3.10.0/policy/modules/kernel/corecommands.te
+--- serefpolicy-3.10.0/policy/modules/kernel/corecommands.te.denyexecmem 2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/kernel/corecommands.te 2011-11-08 16:11:52.033047554 -0500
+@@ -13,7 +13,7 @@ attribute exec_type;
+ #
+ # bin_t is the type of files in the system bin/sbin directories.
+ #
+-type bin_t alias { ls_exec_t sbin_t };
++type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t };
+ corecmd_executable_file(bin_t)
+ dev_associate(bin_t) #For /dev/MAKEDEV
+ 
+diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.denyexecmem serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
+--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.denyexecmem 2011-11-08 16:11:51.729047726 -0500
++++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-11-08 16:11:52.034047554 -0500
+@@ -104,11 +104,11 @@ unconfined_domain_noaudit(unconfined_t)
+ usermanage_run_passwd(unconfined_t, unconfined_r)
+ usermanage_run_chfn(unconfined_t, unconfined_r)
+ 
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow unconfined_t self:process execmem;
+ ')
+ 
+-tunable_policy(`allow_execmem && allow_execstack',`
++tunable_policy(`allow_execstack',`
+ allow unconfined_t self:process execstack;
+ ')
+ 
+@@ -230,7 +230,6 @@ optional_policy(`
+ 
+ optional_policy(`
+ unconfined_domain(unconfined_dbusd_t)
+- unconfined_execmem_domtrans(unconfined_dbusd_t)
+ 
+ optional_policy(`
+ xserver_rw_shm(unconfined_dbusd_t)
+@@ -389,48 +388,5 @@ optional_policy(`
+ xserver_manage_home_fonts(unconfined_t)
+ ')
+ 
+-########################################
+-#
+-# Unconfined Execmem Local policy
+-#
+-
+-optional_policy(`
+- execmem_role_template(unconfined, unconfined_r, unconfined_t)
+- typealias unconfined_execmem_t alias execmem_t;
+- typealias unconfined_execmem_t alias unconfined_openoffice_t;
+- unconfined_domain_noaudit(unconfined_execmem_t)
+- allow unconfined_execmem_t unconfined_t:process transition;
+- rpm_transition_script(unconfined_execmem_t)
+- role system_r types unconfined_execmem_t;
+-
+- optional_policy(`
+- init_dbus_chat_script(unconfined_execmem_t)
+- dbus_system_bus_client(unconfined_execmem_t)
+- unconfined_dbus_chat(unconfined_execmem_t)
+- unconfined_dbus_connect(unconfined_execmem_t)
+- ')
+-
+- optional_policy(`
+- tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+- nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
+- ')
+- ')
+-
+- optional_policy(`
+- tunable_policy(`unconfined_login',`
+- mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t)
+- ')
+- ')
+-
+- optional_policy(`
+- openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
+- ')
+-')
+-
+-########################################
+-#
+-# Unconfined mount local policy
+-#
+-
+ gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.te.denyexecmem serefpolicy-3.10.0/policy/modules/services/postgresql.te
+--- serefpolicy-3.10.0/policy/modules/services/postgresql.te.denyexecmem 2011-11-08 16:11:51.439047890 -0500
++++ serefpolicy-3.10.0/policy/modules/services/postgresql.te 2011-11-08 16:11:52.035047553 -0500
+@@ -329,7 +329,7 @@ userdom_dontaudit_use_user_terminals(pos
+ 
+ mta_getattr_spool(postgresql_t)
+ 
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow postgresql_t self:process execmem;
+ ')
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.denyexecmem serefpolicy-3.10.0/policy/modules/services/xserver.te
+--- serefpolicy-3.10.0/policy/modules/services/xserver.te.denyexecmem 2011-11-08 16:11:51.969047589 -0500
++++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-08 16:11:52.037047551 -0500
+@@ -1412,7 +1412,7 @@ tunable_policy(`allow_xserver_execmem',`
+ ')
+ 
+ # Hack to handle the problem of using the nvidia blobs
+-tunable_policy(`allow_execmem',`
++tunable_policy(`deny_execmem',`',`
+ allow xdm_t self:process execmem;
+ ')
+ 
+diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.denyexecmem serefpolicy-3.10.0/policy/modules/system/unconfined.if
+--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.denyexecmem 2011-11-08 16:11:51.983047584 -0500
++++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-11-08 16:11:52.038047550 -0500
+@@ -63,16 +63,14 @@ interface(`unconfined_domain_noaudit',`
+ allow $1 self:process execheap;
+ ')
+ 
+- tunable_policy(`allow_execmem',`
++ tunable_policy(`deny_execmem',`',`
+ # Allow making anonymous memory executable, e.g.
+ # for runtime-code generation or executable stack.
+ allow $1 self:process execmem;
+ ')
+ 
+ tunable_policy(`allow_execstack',`
+- # Allow making the stack executable via mprotect;
+- # execstack implies execmem;
+- allow $1 self:process { execstack execmem };
++ allow $1 self:process execstack;
+ # auditallow $1 self:process execstack;
+ ')
+ 
+diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.denyexecmem serefpolicy-3.10.0/policy/modules/system/userdomain.if
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.denyexecmem 2011-11-08 16:11:51.986047581 -0500
++++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-08 16:11:52.041047550 -0500
+@@ -149,12 +149,12 @@ template(`userdom_base_user_template',`
+ 
+ systemd_dbus_chat_logind($1_usertype)
+ 
+- tunable_policy(`allow_execmem',`
++ tunable_policy(`deny_execmem',`', `
+ # Allow loading DSOs that require executable stack.
+ allow $1_t self:process execmem;
+ ')
+ 
+- tunable_policy(`allow_execmem && allow_execstack',`
++ tunable_policy(`allow_execstack',`
+ # Allow making the stack executable via mprotect.
+ allow $1_t self:process execstack;
+ ')
+diff -up serefpolicy-3.10.0/policy/modules/apps/mplayer.te~ serefpolicy-3.10.0/policy/modules/apps/mplayer.te
+diff -up serefpolicy-3.10.0/policy/modules/apps/sandbox.te~ serefpolicy-3.10.0/policy/modules/apps/sandbox.te
+--- serefpolicy-3.10.0/policy/modules/apps/sandbox.te~ 2011-11-08 16:12:17.701033064 -0500
++++ serefpolicy-3.10.0/policy/modules/apps/sandbox.te 2011-11-08 16:24:21.364582225 -0500
+@@ -40,7 +40,12 @@ files_type(sandbox_devpts_t)
+ #
+ # sandbox xserver policy
+ #
+-allow sandbox_xserver_t self:process { execmem execstack };
++allow sandbox_xserver_t self:process execstack;
++
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_xserver_t self:process execmem;
++')
++
+ allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+ allow sandbox_xserver_t self:shm create_shm_perms;
+ allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+@@ -119,7 +124,11 @@ optional_policy(`
+ # sandbox local policy
+ #
+ 
+-allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_domain self:process execmem;
++')
++
+ allow sandbox_domain self:fifo_file manage_file_perms;
+ allow sandbox_domain self:sem create_sem_perms;
+ allow sandbox_domain self:shm create_shm_perms;
+@@ -168,7 +177,11 @@ mta_dontaudit_read_spool_symlinks(sandbo
+ #
+ # sandbox_x_domain local policy
+ #
+-allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
++tunable_policy(`deny_execmem',`',`
++ allow sandbox_x_domain self:process execmem;
++')
++
+ allow sandbox_x_domain self:fifo_file manage_file_perms;
+ allow sandbox_x_domain self:sem create_sem_perms;
+ allow sandbox_x_domain self:shm create_shm_perms;
+diff -up serefpolicy-3.10.0/policy/modules/apps/thumb.te~ serefpolicy-3.10.0/policy/modules/apps/thumb.te
+--- serefpolicy-3.10.0/policy/modules/apps/thumb.te~ 2011-11-08 16:12:17.709033060 -0500
++++ serefpolicy-3.10.0/policy/modules/apps/thumb.te 2011-11-08 16:23:18.017395117 -0500
+@@ -19,7 +19,12 @@ ubac_constrained(thumb_tmp_t)
+ # thumb local policy
+ #
+ 
+-allow thumb_t self:process { setsched signal setrlimit execmem };
++allow thumb_t self:process { setsched signal setrlimit };
++
++tunable_policy(`deny_execmem',`',`
++ allow thumb_t self:process execmem;
++')
++
+ allow thumb_t self:fifo_file manage_fifo_file_perms;
+ allow thumb_t self:unix_stream_socket create_stream_socket_perms;
+ allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/roles/xguest.te~ serefpolicy-3.10.0/policy/modules/roles/xguest.te
+--- serefpolicy-3.10.0/policy/modules/roles/xguest.te~ 2011-11-08 16:12:18.349032697 -0500
++++ serefpolicy-3.10.0/policy/modules/roles/xguest.te 2011-11-08 16:21:44.303111563 -0500
+@@ -54,7 +54,6 @@ optional_policy(`
+ mount_dontaudit_exec_fusermount(xguest_t)
+ ')
+ 
+-allow xguest_t self:process execmem;
+ kernel_dontaudit_request_load_module(xguest_t)
+ 
+ tunable_policy(`allow_execstack',`
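Review bot: The rename in the global_tunables hunk inverts the default posture: `gen_tunable(deny_execmem,false)` together with the `tunable_policy(`deny_execmem',`',` ... ')` form used in every .te/.if hunk grants execmem to those domains unless the boolean is switched on, whereas `allow_execmem` defaulted to false and so denied it; the new description still reads like an allow-style boolean, so I would state the flip there, e.g. `## Deny user domain applications the ability to map a memory region as both executable and writable; execmem is permitted unless this boolean is enabled.`. The corecommands.te hunk folds java_exec_t, execmem_exec_t and mono_exec_t into bin_t while the unconfineduser.te hunk drops the unconfined_execmem_t domain and the `unconfined_execmem_domtrans(unconfined_dbusd_t)` call, so any other module that still calls unconfined_execmem_domtrans or execmem_role_template (not visible in this patch) would presumably fail to build or silently lose its transition. The unconfined.if hunk also deletes the `execstack implies execmem` comment and the execmem grant from the allow_execstack branch, so with deny_execmem on a domain with allow_execstack gets execstack but not execmem; that looks intentional but deserves a one-line comment in place of the removed one, e.g. `# execstack no longer implies execmem; see deny_execmem`.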