diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables index b8a1b9e9..508631be 100644 --- a/refpolicy/policy/global_tunables +++ b/refpolicy/policy/global_tunables @@ -25,6 +25,9 @@ gen_tunable(allow_kerberos,false) ## allow host key based authentication gen_tunable(allow_ssh_keysign,false) +## Allow sysadm to ptrace all processes +gen_tunable(allow_ptrace,false) + ## Allow users to connect to mysql gen_tunable(allow_user_mysql_connect,false) diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if index 1c5725b1..1738f278 100644 --- a/refpolicy/policy/modules/admin/netutils.if +++ b/refpolicy/policy/modules/admin/netutils.if @@ -108,7 +108,6 @@ interface(`netutils_domtrans_ping',` interface(`netutils_run_ping',` gen_require(` type ping_t; - class chr_file rw_term_perms; ') netutils_domtrans_ping($1) @@ -116,6 +115,35 @@ interface(`netutils_run_ping',` allow ping_t $3:chr_file rw_term_perms; ') +######################################## +## +## Conditionally execute ping in the ping domain, and +## allow the specified role the ping domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the ping domain. +## +## +## The type of the terminal allow the ping domain to use. +## +# +interface(`netutils_run_ping_cond',` + gen_require(` + type ping_t; + bool user_ping; + ') + + role $2 types ping_t; + + if ( user_ping ) { + netutils_domtrans_ping($1) + allow ping_t $3:chr_file rw_term_perms; + } +') + ######################################## ## ## Execute ping in the caller domain. 
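Review bot: The tunable description `## Allow sysadm to ptrace all processes` understates what the boolean does, since the userdomain.te hunk in this commit grants ptrace over the whole `domain` attribute. Whoever reads the tunable list or flips the boolean should see that scope in the description itself; suggest `## Allow sysadm_t to ptrace every process in every domain (read and modify their memory and registers); effectively removes domain separation for sysadm_t`. The default of false is right and should stay.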
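Review bot: `netutils_run_ping_cond` gates the transition with a raw `if ( user_ping ) {` block plus a `bool user_ping;` require, while the rest of this commit (the `allow_ptrace` blocks in domain.if and userdomain.te) and the netutils.te code it replaces use `tunable_policy()`, which is the project's abstraction for tunables and supplies the require itself. Suggest wrapping the two existing lines in `tunable_policy(`user_ping',`` … `')` instead of the if block. The same applies to `netutils_run_traceroute_cond` in the next hunk (which also differs in `if( user_ping )` spacing) and to the `if(user_ping) {` left inside the `ifdef(`TODO'` block of netutils.te. `role $2 types ping_t;` stays outside the conditional because role statements cannot be made conditional, so the role is authorized for ping_t even with the boolean off; a one-line comment saying so, e.g. `# role statements cannot be conditional; harmless without the transition`, would keep the next reader from moving it inside.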
@@ -182,6 +210,35 @@ interface(`netutils_run_traceroute',` allow traceroute_t $3:chr_file rw_term_perms; ') +######################################## +## +## Conditionally execute traceroute in the traceroute domain, and +## allow the specified role the traceroute domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the traceroute domain. +## +## +## The type of the terminal allow the traceroute domain to use. +## +# +interface(`netutils_run_traceroute_cond',` + gen_require(` + type traceroute_t; + bool user_ping; + ') + + role $2 types traceroute_t; + + if( user_ping ) { + netutils_domtrans_traceroute($1) + allow traceroute_t $3:chr_file rw_term_perms; + } +') + ######################################## ## ## Execute traceroute in the caller domain. diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 50e55de5..a089a1d5 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -152,11 +152,9 @@ optional_policy(`hotplug.te',` ') ifdef(`TODO',` -in_user_role(ping_t) -tunable_policy(`user_ping',` - domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) +if(user_ping) { ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') -') +} ') dnl end TODO ######################################## @@ -217,10 +215,6 @@ optional_policy(`nscd.te',` ') ifdef(`TODO',` -in_user_role(traceroute_t) -tunable_policy(`user_ping',` - domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t) -') ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') #rules needed for nmap dontaudit traceroute_t userdomain:dir search; diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if index 154098e9..75d25113 100644 --- a/refpolicy/policy/modules/admin/rpm.if +++ b/refpolicy/policy/modules/admin/rpm.if 
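Review bot: `netutils_run_traceroute_cond` is gated on the `user_ping` boolean, but its summary only says "Conditionally execute traceroute" and nothing in the interface name or parameters tells a policy writer which tunable controls it; the removed netutils.te code had the same coupling, so this is inherited, but the new interface is where it should be documented. Suggest the summary read `Execute traceroute in the traceroute domain when the user_ping tunable is enabled, and allow the specified role the traceroute domain.`, with the same clarification on `netutils_run_ping_cond` in the previous hunk. The third parameter's text `The type of the terminal allow the traceroute domain to use.` also reads better as `The type of the terminal to allow the traceroute domain to use.`.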
@@ -148,14 +148,11 @@ interface(`rpm_use_script_fd',` # interface(`rpm_read_db',` gen_require(` - type rpm_var_lib_t_t; - class dir r_dir_perms; - class lnk_file r_file_perms; - class file r_file_perms; + type rpm_var_lib_t; ') allow $1 rpm_var_lib_t:dir r_dir_perms; - allow $1 rpm_var_lib_t:file r_file_perms; + allow $1 rpm_var_lib_t:file { getattr read }; allow $1 rpm_var_lib_t:lnk_file r_file_perms; ') @@ -170,9 +167,6 @@ interface(`rpm_read_db',` interface(`rpm_manage_db',` gen_require(` type rpm_var_lib_t; - class dir rw_dir_perms; - class lnk_file { getattr read write unlink }; - class file { getattr create read write append unlink }; ') allow $1 rpm_var_lib_t:dir rw_dir_perms; diff --git a/refpolicy/policy/modules/services/nis.if b/refpolicy/policy/modules/services/nis.if index 2a2a5fd4..c4e02fc6 100644 --- a/refpolicy/policy/modules/services/nis.if +++ b/refpolicy/policy/modules/services/nis.if @@ -20,7 +20,7 @@ interface(`nis_use_ypbind',` allow $1 self:udp_socket create_socket_perms; allow $1 var_yp_t:dir r_dir_perms; - allow $1 var_yp_t:lnk_file r_file_perms; + allow $1 var_yp_t:lnk_file { getattr read }; allow $1 var_yp_t:file r_file_perms; corenet_tcp_sendrecv_all_if($1) diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 5da415f6..3f7bfc28 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -71,6 +71,10 @@ interface(`domain_type',` unconfined_sigchld($1) ') + tunable_policy(`allow_ptrace',` + userdom_sigchld_sysadm($1) + ') + # allow any domain to connect to the LDAP server optional_policy(`ldap.te',` ldap_use($1) 
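Review bot: In `rpm_read_db` the narrowing lands on the `file` rule (`allow $1 rpm_var_lib_t:file { getattr read };`) while `lnk_file` keeps `r_file_perms`, which is the opposite of what the nis.if hunk in this commit does (`lnk_file` narrowed to `{ getattr read }`, `file` left at `r_file_perms`). Symlinks are never locked or ioctl'd, so `{ getattr read }` is the natural set for `lnk_file`; regular rpm database files may need the extra permissions `r_file_perms` carries (typically lock and ioctl) depending on how the reader opens them, which is worth confirming against an audit log before dropping them. If no evidence supports the narrowing, the two lines should be `allow $1 rpm_var_lib_t:file r_file_perms;` and `allow $1 rpm_var_lib_t:lnk_file { getattr read };`. The `rpm_var_lib_t_t` typo fix and the dropped class requires look right.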
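Review bot: The new `tunable_policy(`allow_ptrace',` block in `domain_type` has no comment explaining why every domain gets `sigchld` to sysadm_t, unlike the `# allow any domain to connect to the LDAP server` block right below it; presumably it is the tracee side of the ptrace grant in userdomain.te (a traced process reports to its tracer with SIGCHLD), but the next reader should not have to work that out. Suggest `# when sysadm_t may ptrace all domains, tracees must be able to send SIGCHLD back to it` above the block. Unlike the ldap block it is not inside an `optional_policy(`userdomain.te',`, so it relies on userdomain always being built; fine if userdomain is a base module, otherwise `userdom_sigchld_sysadm` would fail to resolve. `domain_type` begins before this hunk.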
@@ -545,6 +549,22 @@ interface(`domain_getattr_confined_domains',` allow $1 { domain -unconfined_domain }:process getattr; ') +######################################## +## +## Ptrace all domains. +## +## +## Domain allowed access. +## +# +interface(`domain_ptrace_all_domains',` + gen_require(` + attribute domain; + ') + + allow $1 domain:process ptrace; +') + ######################################## ## ## Do not audit attempts to ptrace all domains. @@ -566,7 +586,6 @@ interface(`domain_getattr_confined_domains',` interface(`domain_dontaudit_ptrace_all_domains',` gen_require(` attribute domain; - class process ptrace; ') dontaudit $1 domain:process ptrace; diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index 9ed52ddd..d690a995 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -380,7 +380,6 @@ ifdef(`targeted_policy',`',` term_dontaudit_list_ptys(run_init_t) - auth_domtrans_chk_passwd(run_init_t) auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 4656bb4e..0950c76e 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -609,6 +609,11 @@ template(`unpriv_user_template', ` modutils_read_module_conf($1_t) ') + optional_policy(`netutils.te',` + netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ') + optional_policy(`selinuxutil.te',` # for when the network connection is killed seutil_dontaudit_signal_newrole($1_t) 
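Review bot: `domain_ptrace_all_domains` grants `ptrace` on the bare `domain` attribute, which the `domain_getattr_confined_domains` context just above this hunk shows includes `unconfined_domain` (it subtracts it explicitly), so the new `allow_ptrace` tunable lets sysadm_t attach to unconfined processes as well as confined ones. If that is intended, say so in the summary, e.g. `Ptrace all domains, confined and unconfined; the caller gains read/write access to the memory of every process on the system.`; if not, `allow $1 { domain -unconfined_domain }:process ptrace;` keeps the interface consistent with the getattr variant. Either way the summary `Ptrace all domains.` is too thin for a permission of this weight.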
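Review bot: Dropping `auth_domtrans_chk_passwd(run_init_t)` removes run_init's transition into the password-checking domain in the non-targeted branch (the `ifdef(`targeted_policy',`',`` above the hunk) while the surviving `auth_dontaudit_read_shadow(run_init_t)` on the next line silences the fallback path; if run_init still authenticates through PAM in this configuration, the check would then fail quietly with nothing in the audit log to point at it. Nothing in the hunk says whether the call is duplicated elsewhere in the file or whether authentication moved to another interface; the commit should state which, or a comment such as `# password checks for run_init are granted via <interface> above` should name it. The enclosing ifdef block starts and ends outside the hunk.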
@@ -1513,6 +1518,22 @@ interface(`userdom_read_staff_home_files',` allow $1 staff_home_t:{ file lnk_file } r_file_perms; ') +######################################## +## +## Send a SIGCHLD signal to sysadm users. +## +## +## The type of the process performing this action. +## +# +interface(`userdom_sigchld_sysadm',` + gen_require(` + type sysadm_t; + ') + + allow $1 sysadm_t:process sigchld; +') + ######################################## ## ## Read and write sysadm ttys. diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index f18b9133..6881cfb4 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -116,6 +116,10 @@ ifdef(`targeted_policy',` ') ') + tunable_policy(`allow_ptrace',` + domain_ptrace_all_domains(sysadm_t) + ') + optional_policy(`bootloader.te',` bootloader_run(sysadm_t,sysadm_r,admin_terminal) ')
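Review bot: `domain_ptrace_all_domains(sysadm_t)` under `allow_ptrace` is the single rule that decides whether sysadm_t is kept out of other processes' memory, and the hunk carries no comment saying so; suggest `# allow_ptrace (default off): lets sysadm_t ptrace every domain; see domain_ptrace_all_domains` above the `tunable_policy` line. Operators who enable this should treat the boolean as a privilege switch and alert on it being set, since a boolean change should be recorded by the kernel's audit subsystem; keeping `false` as the default in global_tunables is the right call. Whether the block belongs inside the `ifdef(`targeted_policy',` logic that closes just above it I cannot tell from the hunk.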