## execmem domain ######################################## ## ## Execute the execmem program in the execmem domain. ## ## ## ## Domain allowed access. ## ## # interface(`execmem_exec',` gen_require(` type execmem_exec_t; ') can_exec($1, execmem_exec_t) ') ####################################### ## ## The role template for the execmem module. ## ## ##

## This template creates a derived domains which are used ## for execmem applications. ##

##
## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). ## ## ## ## ## The role associated with the user domain. ## ## ## ## ## The type of the user domain. ## ## # template(`execmem_role_template',` gen_require(` type execmem_exec_t; ') type $1_execmem_t; domain_type($1_execmem_t) domain_entry_file($1_execmem_t, execmem_exec_t) role $2 types $1_execmem_t; userdom_unpriv_usertype($1, $1_execmem_t) userdom_manage_tmp_role($2, $1_execmem_t) userdom_manage_tmpfs_role($2, $1_execmem_t) allow $1_execmem_t self:process { execmem execstack }; allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; domtrans_pattern($3, execmem_exec_t, $1_execmem_t) ifdef(`hide_broken_symptoms', ` dontaudit $1_execmem_t $3:socket_class_set { read write }; ') files_execmod_tmp($1_execmem_t) optional_policy(` chrome_role($2, $1_execmem_t) ') optional_policy(` mozilla_execmod_user_home_files($1_execmem_t) ') optional_policy(` nsplugin_rw_shm($1_execmem_t) nsplugin_rw_semaphores($1_execmem_t) ') optional_policy(` xserver_role($2, $1_execmem_t) ') ') ######################################## ## ## Execute a execmem_exec file ## in the specified domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the new process. ## ## # interface(`execmem_domtrans',` gen_require(` type execmem_exec_t; ') domtrans_pattern($1, execmem_exec_t, $2) ')