Remove execmem_exec_t, java_exec_t, mono_exec_t and allow confined users to use execm...

[people/stevee/selinux-policy.git] / policy / modules / system / userdomain.if

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9d1e704e49d0545d53234125bda46e27075dbaee..f5cb8b5385bf1f379f9be2d4c914b60ed372ae6c 100644 (file)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -149,12 +149,12 @@ template(`userdom_base_user_template',`
 
        systemd_dbus_chat_logind($1_usertype)
 
-       tunable_policy(`allow_execmem',`
+       tunable_policy(`deny_execmem',`', `
                # Allow loading DSOs that require executable stack.
                allow $1_t self:process execmem;
        ')
 
-       tunable_policy(`allow_execmem && allow_execstack',`
+       tunable_policy(`allow_execstack',`
                # Allow making the stack executable via mprotect.
                allow $1_t self:process execstack;
        ')