selinux-policy/policy/modules/apps/execmem.if

## <summary>execmem domain</summary>

########################################
## <summary>
##	Execute the execmem program in the execmem domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`execmem_exec',`
	gen_require(`
		type execmem_exec_t;
	')

	can_exec($1, execmem_exec_t)
')

#######################################
## <summary>
##	The role template for the execmem module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domains which are used
##	for execmem applications.
##	</p>
## </desc>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
template(`execmem_role_template',`
	gen_require(`
		type execmem_exec_t;
	')

	type $1_execmem_t;
	domain_type($1_execmem_t)
	domain_entry_file($1_execmem_t, execmem_exec_t)
	role $2 types $1_execmem_t;

	userdom_unpriv_usertype($1, $1_execmem_t)
	userdom_manage_tmp_role($2, $1_execmem_t)
	userdom_manage_tmpfs_role($2, $1_execmem_t)

	allow $1_execmem_t self:process { execmem execstack };
	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
	domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
ifdef(`hide_broken_symptoms', `
	dontaudit $1_execmem_t $3:socket_class_set { read write };
')
	files_execmod_tmp($1_execmem_t)

	optional_policy(`
		chrome_role($2, $1_execmem_t)
	')

	optional_policy(`
		mozilla_execmod_user_home_files($1_execmem_t)
	')

	optional_policy(`
		nsplugin_rw_shm($1_execmem_t)
		nsplugin_rw_semaphores($1_execmem_t)
	')

	optional_policy(`
		xserver_role($2, $1_execmem_t)
	')
')

########################################
## <summary>
##	Execute a execmem_exec file
##	in the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`execmem_domtrans',`
	gen_require(`
		type execmem_exec_t;
	')

	domtrans_pattern($1, execmem_exec_t, $2)
')