I steer clear of all kinds of execmem like the plague, so no issues there.
But are you saying that Firefox users should always use the nswrapped version of Flash, rather than bare, in order that Flash always run in the nsplugin_t domain, even if all execmem booleans are off?
And, for "better security", should the following booleans be on or off:
- allow_unconfined_nsplugin_transition (Transition to confined nsplugin domains from unconfined user)?
- nsplugin_can_network (Allow nsplugin code to connect to unreserved ports)?
(I suppose I should read up on nsplugin_t etc., but it's very late, and it seems you probably know the answer already.)