From 2a89dffbb54ecd79febde7781c8d375af891e493 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Thu, 6 Oct 2011 10:53:27 -0400
Subject: [PATCH] Shrink size of policy through use of attributes for
 userdomain and apache

---
 apache.patch        |  362 +++++
 policy-F16.patch    |   74 +-
 ptrace.patch        | 3727 +++++++++++++++++++++++++++++++++++++++++++
 selinux-policy.spec |    7 +-
 userdomain.patch    | 1395 ++++++++++++++++
 5 files changed, 5495 insertions(+), 70 deletions(-)
 create mode 100644 apache.patch
 create mode 100644 ptrace.patch
 create mode 100644 userdomain.patch

diff --git a/apache.patch b/apache.patch
new file mode 100644
index 00000000..4575cda2
--- /dev/null
+++ b/apache.patch
@@ -0,0 +1,362 @@
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index cf3d50b..3ded83e 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -75,34 +75,6 @@ interface(`domain_base_type',`
+ interface(`domain_type',`
+ 	# start with basic domain
+ 	domain_base_type($1)
+-
+-	ifdef(`distro_redhat',`
+-		optional_policy(`
+-			unconfined_use_fds($1)
+-		')
+-	')
+-
+-	# send init a sigchld and signull
+-	optional_policy(`
+-		init_sigchld($1)
+-		init_signull($1)
+-	')
+-
+-	# these seem questionable:
+-
+-	optional_policy(`
+-		rpm_use_fds($1)
+-		rpm_read_pipes($1)
+-	')
+-
+-	optional_policy(`
+-		selinux_dontaudit_getattr_fs($1)
+-		selinux_dontaudit_read_fs($1)
+-	')
+-
+-	optional_policy(`
+-		seutil_dontaudit_read_config($1)
+-	')
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 00e20f7..db2a183 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -285,3 +285,30 @@ optional_policy(`
+ # broken kernel
+ dontaudit can_change_object_identity can_change_object_identity:key link;
+ 
++ifdef(`distro_redhat',`
++	optional_policy(`
++		unconfined_use_fds(domain)
++	')
++')
++
++# send init a sigchld and signull
++optional_policy(`
++	init_sigchld(domain)
++	init_signull(domain)
++')
++
++# these seem questionable:
++
++optional_policy(`
++	rpm_use_fds(domain)
++	rpm_read_pipes(domain)
++')
++
++optional_policy(`
++	selinux_dontaudit_getattr_fs(domain)
++	selinux_dontaudit_read_fs(domain)
++')
++
++optional_policy(`
++	seutil_dontaudit_read_config(domain)
++')
+diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
+index e12bbc0..606323d 100644
+--- a/policy/modules/services/apache.if
++++ b/policy/modules/services/apache.if
+@@ -16,55 +16,43 @@ template(`apache_content_template',`
+ 		attribute httpd_exec_scripts, httpd_script_exec_type;
+ 		type httpd_t, httpd_suexec_t, httpd_log_t;
+ 		type httpd_sys_content_t;
++		attribute httpd_script_type, httpd_content_type;
+ 	')
+ 
+ 	#This type is for webpages
+ 	type httpd_$1_content_t; # customizable;
++	typeattribute httpd_$1_content_t httpd_content_type;
+ 	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ 	files_type(httpd_$1_content_t)
+ 
+ 	# This type is used for .htaccess files
+-	type httpd_$1_htaccess_t; # customizable;
++	type httpd_$1_htaccess_t, httpd_content_type; # customizable;
++	typeattribute httpd_$1_htaccess_t httpd_content_type;
+ 	files_type(httpd_$1_htaccess_t)
+ 
+ 	# Type that CGI scripts run as
+-	type httpd_$1_script_t;
++	type httpd_$1_script_t,	httpd_script_type;
+ 	domain_type(httpd_$1_script_t)
+ 	role system_r types httpd_$1_script_t;
+ 
+-	search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type)
+-
+ 	# This type is used for executable scripts files
+ 	type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
+-	corecmd_shell_entry_type(httpd_$1_script_t)
++	typeattribute httpd_$1_script_exec_t httpd_content_type;
+ 	domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
+ 
+ 	type httpd_$1_rw_content_t; # customizable
++	typeattribute httpd_$1_rw_content_t httpd_content_type;
+ 	typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
+ 	files_type(httpd_$1_rw_content_t)
+ 
+-	type httpd_$1_ra_content_t; # customizable
++	type httpd_$1_ra_content_t, httpd_content_type; # customizable
++	typeattribute httpd_$1_ra_content_t httpd_content_type;
+ 	typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
+ 	files_type(httpd_$1_ra_content_t)
+ 
+-	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+-
+-	allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+-	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms;
+-
+-	allow httpd_$1_script_t self:fifo_file rw_file_perms;
+-	allow httpd_$1_script_t self:unix_stream_socket connectto;
+-
+-	allow httpd_$1_script_t httpd_t:fifo_file write;
+-	# apache should set close-on-exec
+-	apache_dontaudit_leaks(httpd_$1_script_t)
+-
+ 	# Allow the script process to search the cgi directory, and users directory
+ 	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
+ 
+-	append_files_pattern(httpd_$1_script_t, httpd_log_t, httpd_log_t)
+-	logging_search_logs(httpd_$1_script_t)
+-
+ 	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
+ 	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
+ 
+@@ -83,27 +71,6 @@ template(`apache_content_template',`
+ 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ 
+-	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
+-	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
+-
+-	dev_read_rand(httpd_$1_script_t)
+-	dev_read_urand(httpd_$1_script_t)
+-
+-	corecmd_exec_all_executables(httpd_$1_script_t)
+-	application_exec_all(httpd_$1_script_t)
+-
+-	files_exec_etc_files(httpd_$1_script_t)
+-	files_read_etc_files(httpd_$1_script_t)
+-	files_search_home(httpd_$1_script_t)
+-
+-	libs_exec_ld_so(httpd_$1_script_t)
+-	libs_exec_lib_files(httpd_$1_script_t)
+-
+-	miscfiles_read_fonts(httpd_$1_script_t)
+-	miscfiles_read_public_files(httpd_$1_script_t)
+-
+-	seutil_dontaudit_search_config(httpd_$1_script_t)
+-
+ 	# Allow the web server to run scripts and serve pages
+ 	tunable_policy(`httpd_builtin_scripting',`
+ 		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+@@ -111,19 +78,11 @@ template(`apache_content_template',`
+ 		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ 		rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ 
+-		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
++		allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
+ 		read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ 		append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ 		read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
+ 
+-		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+-		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+-		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+-
+-		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+-		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+-		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
+-		allow httpd_t httpd_$1_script_t:unix_stream_socket connectto;
+ 	')
+ 
+ 	tunable_policy(`httpd_enable_cgi',`
+@@ -138,49 +97,6 @@ template(`apache_content_template',`
+ 
+ 		# apache runs the script:
+ 		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+-
+-		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
+-		allow httpd_t httpd_$1_script_exec_t:lnk_file read_lnk_file_perms;
+-
+-		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+-		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+-
+-		allow httpd_$1_script_t self:process { setsched signal_perms };
+-		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;
+-		allow httpd_$1_script_t self:unix_dgram_socket create_socket_perms;
+-
+-		allow httpd_$1_script_t httpd_t:fd use;
+-		allow httpd_$1_script_t httpd_t:process sigchld;
+-
+-		dontaudit httpd_$1_script_t httpd_t:tcp_socket { read write };
+-
+-		kernel_read_system_state(httpd_$1_script_t)
+-
+-		dev_read_urand(httpd_$1_script_t)
+-
+-		fs_getattr_xattr_fs(httpd_$1_script_t)
+-
+-		files_read_etc_runtime_files(httpd_$1_script_t)
+-		files_read_usr_files(httpd_$1_script_t)
+-
+-		libs_read_lib_files(httpd_$1_script_t)
+-
+-		miscfiles_read_localization(httpd_$1_script_t)
+-		allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms;
+-	')
+-
+-	optional_policy(`
+-		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
+-			nis_use_ypbind_uncond(httpd_$1_script_t)
+-		')
+-	')
+-
+-	optional_policy(`
+-		postgresql_unpriv_client(httpd_$1_script_t)
+-	')
+-
+-	optional_policy(`
+-		nscd_socket_use(httpd_$1_script_t)
+ 	')
+ ')
+ 
+diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
+index f165efd..adf2423 100644
+--- a/policy/modules/services/apache.te
++++ b/policy/modules/services/apache.te
+@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_write, false)
+ 
+ attribute httpdcontent;
+ attribute httpd_user_content_type;
++attribute httpd_content_type;
+ 
+ # domains that can exec all users scripts
+ attribute httpd_exec_scripts;
+ 
++attribute httpd_script_type;
+ attribute httpd_script_exec_type;
+ attribute httpd_user_script_exec_type;
+ 
+@@ -293,6 +295,10 @@ files_tmp_file(httpd_suexec_tmp_t)
+ # setup the system domain for system CGI scripts
+ apache_content_template(sys)
+ 
++optional_policy(`
++	postgresql_unpriv_client(httpd_sys_script_t)
++')
++
+ typeattribute httpd_sys_content_t httpdcontent; # customizable
+ typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+ typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
+@@ -1308,3 +1314,91 @@ systemd_passwd_agent_dev_template(httpd)
+ domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+ dontaudit httpd_passwd_t httpd_config_t:file read;
+ 
++
++search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
++corecmd_shell_entry_type(httpd_script_type)
++
++allow httpd_script_type self:fifo_file rw_file_perms;
++allow httpd_script_type self:unix_stream_socket connectto;
++
++allow httpd_script_type httpd_t:fifo_file write;
++# apache should set close-on-exec
++apache_dontaudit_leaks(httpd_script_type)
++
++append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
++logging_search_logs(httpd_script_type)
++
++kernel_dontaudit_search_sysctl(httpd_script_type)
++kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
++
++dev_read_rand(httpd_script_type)
++dev_read_urand(httpd_script_type)
++
++corecmd_exec_all_executables(httpd_script_type)
++application_exec_all(httpd_script_type)
++
++files_exec_etc_files(httpd_script_type)
++files_read_etc_files(httpd_script_type)
++files_search_home(httpd_script_type)
++
++libs_exec_ld_so(httpd_script_type)
++libs_exec_lib_files(httpd_script_type)
++
++miscfiles_read_fonts(httpd_script_type)
++miscfiles_read_public_files(httpd_script_type)
++
++seutil_dontaudit_search_config(httpd_script_type)
++allow httpd_t httpd_script_type:unix_stream_socket connectto;
++
++allow httpd_t httpd_script_exec_type:file read_file_perms;
++allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
++allow httpd_t httpd_script_type:process { signal sigkill sigstop };
++allow httpd_t httpd_script_exec_type:dir list_dir_perms;
++
++allow httpd_script_type self:process { setsched signal_perms };
++allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
++allow httpd_script_type self:unix_dgram_socket create_socket_perms;
++
++allow httpd_script_type httpd_t:fd use;
++allow httpd_script_type httpd_t:process sigchld;
++
++dontaudit httpd_script_type httpd_t:tcp_socket { read write };
++
++kernel_read_system_state(httpd_script_type)
++
++dev_read_urand(httpd_script_type)
++
++fs_getattr_xattr_fs(httpd_script_type)
++
++files_read_etc_runtime_files(httpd_script_type)
++files_read_usr_files(httpd_script_type)
++
++libs_read_lib_files(httpd_script_type)
++
++miscfiles_read_localization(httpd_script_type)
++allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
++
++tunable_policy(`httpd_enable_cgi && allow_ypbind',`
++	nis_use_ypbind_uncond(httpd_script_type)
++')
++
++optional_policy(`
++	nscd_socket_use(httpd_script_type)
++')
++
++read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++
++tunable_policy(`httpd_builtin_scripting',`
++	allow httpd_t httpd_content_type:dir search_dir_perms;
++	allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
++
++	allow httpd_t httpd_content_type:dir list_dir_perms;
++	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++
++	allow httpd_t httpd_content_type:dir list_dir_perms;
++	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
++')
++
++
diff --git a/policy-F16.patch b/policy-F16.patch
index f8bdf5a9..7ae3dcf8 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -15080,45 +15080,10 @@ index 08f01e7..1c2562c 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..3ded83e 100644
+index 6a1e4d1..cf3d50b 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
-@@ -75,34 +75,6 @@ interface(`domain_base_type',`
- interface(`domain_type',`
- 	# start with basic domain
- 	domain_base_type($1)
--
--	ifdef(`distro_redhat',`
--		optional_policy(`
--			unconfined_use_fds($1)
--		')
--	')
--
--	# send init a sigchld and signull
--	optional_policy(`
--		init_sigchld($1)
--		init_signull($1)
--	')
--
--	# these seem questionable:
--
--	optional_policy(`
--		rpm_use_fds($1)
--		rpm_read_pipes($1)
--	')
--
--	optional_policy(`
--		selinux_dontaudit_getattr_fs($1)
--		selinux_dontaudit_read_fs($1)
--	')
--
--	optional_policy(`
--		seutil_dontaudit_read_config($1)
--	')
- ')
- 
- ########################################
-@@ -631,7 +603,7 @@ interface(`domain_read_all_domains_state',`
+@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',`
  
  ########################################
  ## <summary>
@@ -15127,7 +15092,7 @@ index 6a1e4d1..3ded83e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -655,7 +627,7 @@ interface(`domain_getattr_all_domains',`
+@@ -655,7 +655,7 @@ interface(`domain_getattr_all_domains',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15136,7 +15101,7 @@ index 6a1e4d1..3ded83e 100644
  ##	</summary>
  ## </param>
  #
-@@ -1530,4 +1502,29 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1530,29 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
@@ -15167,7 +15132,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..db2a183 100644
+index fae1ab1..00e20f7 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -15260,7 +15225,7 @@ index fae1ab1..db2a183 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +197,118 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,91 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -15352,33 +15317,6 @@ index fae1ab1..db2a183 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 +
-+ifdef(`distro_redhat',`
-+	optional_policy(`
-+		unconfined_use_fds(domain)
-+	')
-+')
-+
-+# send init a sigchld and signull
-+optional_policy(`
-+	init_sigchld(domain)
-+	init_signull(domain)
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+	rpm_use_fds(domain)
-+	rpm_read_pipes(domain)
-+')
-+
-+optional_policy(`
-+	selinux_dontaudit_getattr_fs(domain)
-+	selinux_dontaudit_read_fs(domain)
-+')
-+
-+optional_policy(`
-+	seutil_dontaudit_read_config(domain)
-+')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
 index c19518a..12e8e9c 100644
 --- a/policy/modules/kernel/files.fc
diff --git a/ptrace.patch b/ptrace.patch
new file mode 100644
index 00000000..219b5be0
--- /dev/null
+++ b/ptrace.patch
@@ -0,0 +1,3727 @@
+diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables
+--- serefpolicy-3.10.0/policy/global_tunables.ptrace	2011-10-05 14:34:03.252103292 -0400
++++ serefpolicy-3.10.0/policy/global_tunables	2011-10-05 14:34:03.751103821 -0400
+@@ -6,6 +6,13 @@
+ 
+ ## <desc>
+ ## <p>
++## Allow sysadm to debug or ptrace all processes.
++## </p>
++## </desc>
++gen_tunable(allow_ptrace, false)
++
++## <desc>
++## <p>
+ ## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+ ## </p>
+ ## </desc>
+diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if
+--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace	2011-10-05 14:34:03.265103305 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kdump.if	2011-10-05 14:34:03.752103823 -0400
+@@ -140,8 +140,11 @@ interface(`kdump_admin',`
+ 		type kdump_initrc_exec_t;
+ 	')
+ 
+-	allow $1 kdump_t:process { ptrace signal_perms };
++	allow $1 kdump_t:process signal_perms;
+ 	ps_process_pattern($1, kdump_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 kdump_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if
+--- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kismet.if	2011-10-05 14:34:03.753103824 -0400
+@@ -239,7 +239,10 @@ interface(`kismet_admin',`
+ 	')
+ 
+ 	ps_process_pattern($1, kismet_t)
+-	allow $1 kismet_t:process { ptrace signal_perms };
++	allow $1 kismet_t:process signal_perms;
++	tunable_policy(`allow_ptrace',`
++		allow $1 kismet_t:process ptrace;
++	')
+ 
+ 	kismet_manage_pid_files($1)
+ 	kismet_manage_lib($1)
+diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te
+--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace	2011-10-05 14:34:03.267103307 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te	2011-10-05 14:34:03.753103824 -0400
+@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
+ # Local policy
+ #
+ 
+-allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
++allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+ dontaudit kudzu_t self:capability sys_tty_config;
+ allow kudzu_t self:process { signal_perms execmem };
+ allow kudzu_t self:fifo_file rw_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te
+--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace	2011-10-05 14:34:03.268103309 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te	2011-10-05 14:34:03.754103825 -0400
+@@ -31,7 +31,7 @@ files_type(logrotate_var_lib_t)
+ # Change ownership on log files.
+ allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
+ # for mailx
+-dontaudit logrotate_t self:capability { sys_ptrace };
++dontaudit logrotate_t self:capability sys_ptrace;
+ 
+ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 
+diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te
+--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace	2011-10-05 14:34:03.273103314 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te	2011-10-05 14:34:03.754103825 -0400
+@@ -17,7 +17,11 @@ role system_r types ncftool_t;
+ # ncftool local policy
+ #
+ 
+-allow ncftool_t self:capability { net_admin sys_ptrace };
++allow ncftool_t self:capability net_admin;
++tunable_policy(`allow_ptrace',`
++	allow ncftool_t self:capability sys_ptrace;
++')
++
+ 
+ allow ncftool_t self:process signal;
+ 
+diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te
+--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace	2011-10-05 14:34:03.700103767 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/rpm.te	2011-10-05 14:34:03.755103826 -0400
+@@ -248,7 +248,11 @@ optional_policy(`
+ # rpm-script Local policy
+ #
+ 
+-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
++allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
++tunable_policy(`allow_ptrace',`
++	allow rpm_script_t self:capability sys_ptrace;
++')
++
+ allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
+ allow rpm_script_t self:fd use;
+ allow rpm_script_t self:fifo_file rw_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te
+--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace	2011-10-05 14:34:03.288103330 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te	2011-10-05 14:34:03.755103826 -0400
+@@ -23,7 +23,11 @@ files_tmp_file(sectool_tmp_t)
+ # sectool local policy
+ #
+ 
+-allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
++allow sectoolm_t self:capability { dac_override net_admin sys_nice };
++tunable_policy(`allow_ptrace',`
++	allow sectoolm_t self:capability sys_ptrace;
++')
++
+ allow sectoolm_t self:process { getcap getsched	signull setsched };
+ dontaudit sectoolm_t self:process { execstack execmem };
+ allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if
+--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace	2011-10-05 14:34:03.288103330 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if	2011-10-05 14:34:03.756103827 -0400
+@@ -139,8 +139,11 @@ interface(`shorewall_admin',`
+ 		type shorewall_tmp_t, shorewall_etc_t;
+ 	')
+ 
+-	allow $1 shorewall_t:process { ptrace signal_perms };
++	allow $1 shorewall_t:process signal_perms;
+ 	ps_process_pattern($1, shorewall_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 shorewall_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te
+--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace	2011-10-05 14:34:03.289103331 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te	2011-10-05 14:34:03.757103828 -0400
+@@ -37,8 +37,8 @@ logging_log_file(shorewall_log_t)
+ # shorewall local policy
+ #
+ 
+-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
+-dontaudit shorewall_t self:capability sys_tty_config;
++allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
++dontaudit shorewall_t self:capability { sys_tty_config sys_ptrace };
+ allow shorewall_t self:fifo_file rw_fifo_file_perms;
+ 
+ read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
+diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te
+--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace	2011-10-05 14:34:03.291103333 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te	2011-10-05 14:34:03.757103828 -0400
+@@ -21,7 +21,11 @@ files_tmpfs_file(sosreport_tmpfs_t)
+ # sosreport local policy
+ #
+ 
+-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
++tunable_policy(`allow_ptrace',`
++	allow sosreport_t self:capability sys_ptrace;
++')
++
+ allow sosreport_t self:process { setsched signull };
+ allow sosreport_t self:fifo_file rw_fifo_file_perms;
+ allow sosreport_t self:tcp_socket create_stream_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te
+--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace	2011-10-05 14:34:03.722103791 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te	2011-10-05 14:34:03.758103829 -0400
+@@ -433,7 +433,11 @@ optional_policy(`
+ # Useradd local policy
+ #
+ 
+-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
++allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
++tunable_policy(`allow_ptrace',`
++	allow useradd_t self:capability sys_ptrace;
++')
++
+ dontaudit useradd_t self:capability sys_tty_config;
+ allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow useradd_t self:process setfscreate;
+diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te
+--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace	2011-10-05 14:34:03.302103345 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/chrome.te	2011-10-05 14:34:03.758103829 -0400
+@@ -21,7 +21,9 @@ ubac_constrained(chrome_sandbox_tmpfs_t)
+ #
+ # chrome_sandbox local policy
+ #
+-allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
++dontaudit chrome_sandbox_t self:capability sys_ptrace;
++
+ allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+ allow chrome_sandbox_t self:process setsched;
+ allow chrome_sandbox_t self:fifo_file manage_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te
+--- serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace	2011-10-05 14:34:03.302103345 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te	2011-10-05 14:34:03.759103830 -0400
+@@ -14,7 +14,11 @@ application_domain(cpufreqselector_t, cp
+ # cpufreq-selector local policy
+ #
+ 
+-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
++allow cpufreqselector_t self:capability sys_nice;
++tunable_policy(`allow_ptrace',`
++	allow cpufreqselector_t self:capability sys_ptrace;
++')
++
+ allow cpufreqselector_t self:process getsched;
+ allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
+ allow cpufreqselector_t self:process getsched;
+diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if
+--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace	2011-10-05 14:34:03.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/execmem.if	2011-10-05 14:35:10.651174871 -0400
+@@ -59,7 +59,7 @@ template(`execmem_role_template',`
+ 	userdom_unpriv_usertype($1, $1_execmem_t)
+ 
+ 	allow $1_execmem_t self:process { execmem execstack };
+-	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
++	allow $3 $1_execmem_t:process { getattr noatsecure signal_perms };
+ 	domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
+ 
+ 	files_execmod_tmp($1_execmem_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if
+--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace	2011-10-05 14:34:03.307103350 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/gnome.if	2011-10-05 14:34:03.760103831 -0400
+@@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',`
+ 	auth_use_nsswitch($1_gkeyringd_t)
+ 
+ 	ps_process_pattern($3, $1_gkeyringd_t)
+-	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+-
++	allow $3 $1_gkeyringd_t:process signal_perms;
+ 	dontaudit $3 gkeyringd_exec_t:file entrypoint;
+ 
+ 	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.te
+--- serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace	2011-10-05 14:34:03.308103351 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/gnome.te	2011-10-05 14:34:03.761103832 -0400
+@@ -119,7 +119,11 @@ optional_policy(`
+ # gconf-defaults-mechanisms local policy
+ #
+ 
+-allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
++allow gconfdefaultsm_t self:capability { dac_override sys_nice };
++tunable_policy(`allow_ptrace',`
++	allow gconfdefaultsm_t self:capability sys_ptrace;
++')
++
+ allow gconfdefaultsm_t self:process getsched;
+ allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
+ 
+@@ -168,7 +172,10 @@ tunable_policy(`use_samba_home_dirs',`
+ # gnome-system-monitor-mechanisms local policy
+ #
+ 
+-allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
++allow gnomesystemmm_t self:capability sys_nice;
++tunable_policy(`allow_ptrace',`
++	allow gnomesystemmm_t self:capability sys_ptrace;
++')
+ allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+ 
+ kernel_read_system_state(gnomesystemmm_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if
+--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace	2011-10-05 14:34:03.311103354 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/irc.if	2011-10-05 14:34:03.761103832 -0400
+@@ -33,7 +33,7 @@ interface(`irc_role',`
+ 
+ 	domtrans_pattern($2, irssi_exec_t, irssi_t)
+ 
+-	allow $2 irssi_t:process { ptrace signal_perms };
++	allow $2 irssi_t:process signal_perms;
+ 	ps_process_pattern($2, irssi_t)
+ 
+ 	manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if
+--- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace	2011-10-05 14:34:03.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/java.if	2011-10-05 14:35:00.396163979 -0400
+@@ -76,11 +76,11 @@ template(`java_role_template',`
+ 	userdom_manage_tmpfs_role($2)
+ 	userdom_manage_tmpfs($1_java_t)
+ 
+-	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
++	allow $1_java_t self:process { signal getsched execmem execstack };
+ 
+ 	dontaudit $1_java_t $3:tcp_socket { read write };
+ 
+-	allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
++	allow $3 $1_java_t:process { getattr noatsecure signal_perms };
+ 
+ 	domtrans_pattern($3, java_exec_t, $1_java_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te
+--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace	2011-10-05 14:34:03.315103358 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/livecd.te	2011-10-05 14:34:03.763103834 -0400
+@@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t)
+ 
+ dontaudit livecd_t self:capability2 mac_admin;
+ 
+-domain_ptrace_all_domains(livecd_t)
++tunable_policy(`allow_ptrace',`
++	domain_ptrace_all_domains(livecd_t)
++')
++
+ domain_interactive_fd(livecd_t)
+ 
+ manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if
+--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace	2011-10-05 14:34:03.724103793 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mono.if	2011-10-05 14:34:03.764103835 -0400
+@@ -40,8 +40,8 @@ template(`mono_role_template',`
+ 	domain_interactive_fd($1_mono_t)
+ 	application_type($1_mono_t)
+ 
+-	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+-	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
++	allow $1_mono_t self:process { signal getsched execheap execmem execstack };
++	allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
+ 
+ 	domtrans_pattern($3, mono_exec_t, $1_mono_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te
+--- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mono.te	2011-10-05 14:34:03.765103836 -0400
+@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
+ # Local policy
+ #
+ 
+-allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
++allow mono_t self:process { signal getsched execheap execmem execstack };
+ 
+ init_dbus_chat_script(mono_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if
+--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace	2011-10-05 14:34:03.724103793 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if	2011-10-05 14:34:03.765103836 -0400
+@@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',`
+ 	allow mozilla_plugin_t $1:sem create_sem_perms;
+ 
+ 	ps_process_pattern($1, mozilla_plugin_t)
+-	allow $1 mozilla_plugin_t:process { ptrace signal_perms };
++	allow $1 mozilla_plugin_t:process signal_perms;
+ ')
+ 
+ ########################################
+diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace	2011-10-05 14:34:03.726103795 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if	2011-10-05 14:34:03.766103837 -0400
+@@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', `
+ 	dontaudit nsplugin_t $2:shm destroy;
+ 	allow $2 nsplugin_t:sem rw_sem_perms;
+ 
+-	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
++	allow $2 nsplugin_t:process { getattr signal_perms };
+ 	allow $2 nsplugin_t:unix_stream_socket connectto;
+ 
+ 	# Connect to pulseaudit server
+diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace	2011-10-05 14:34:03.726103795 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te	2011-10-05 14:34:03.766103837 -0400
+@@ -54,7 +54,7 @@ application_executable_file(nsplugin_con
+ #
+ dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
+ allow nsplugin_t self:fifo_file rw_file_perms;
+-allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
++allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
+ 
+ allow nsplugin_t self:sem create_sem_perms;
+ allow nsplugin_t self:shm create_shm_perms;
+diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if
+--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace	2011-10-05 14:34:03.323103367 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if	2011-10-05 14:34:03.767103838 -0400
+@@ -69,7 +69,7 @@ interface(`openoffice_role_template',`
+ 
+ 	allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
+ 
+-	allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
++	allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
+ 	allow $1_openoffice_t $3:tcp_socket { read write };
+ 
+ 	domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te
+--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace	2011-10-05 14:34:03.705103773 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te	2011-10-05 14:34:03.768103840 -0400
+@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t)
+ # podsleuth local policy
+ #
+ allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
+-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
++allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
++
+ allow podsleuth_t self:fifo_file rw_file_perms;
+ allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
+ allow podsleuth_t self:sem create_sem_perms;
+diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if
+--- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/uml.if	2011-10-05 14:34:03.768103840 -0400
+@@ -31,9 +31,9 @@ interface(`uml_role',`
+ 	allow $2 uml_t:unix_dgram_socket sendto;
+ 	allow uml_t $2:unix_dgram_socket sendto;
+ 
+-	# allow ps, ptrace, signal
++	# allow ps, signal
+ 	ps_process_pattern($2, uml_t)
+-	allow $2 uml_t:process { ptrace signal_perms };
++	allow $2 uml_t:process signal_perms;
+ 
+ 	allow $2 uml_ro_t:dir list_dir_perms;
+ 	read_files_pattern($2, uml_ro_t, uml_ro_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te
+--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace	2011-10-05 14:34:03.335103380 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/uml.te	2011-10-05 14:34:03.769103841 -0400
+@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t)
+ #
+ 
+ allow uml_t self:fifo_file rw_fifo_file_perms;
+-allow uml_t self:process { signal_perms ptrace };
++allow uml_t self:process signal_perms;
+ allow uml_t self:unix_stream_socket create_stream_socket_perms;
+ allow uml_t self:unix_dgram_socket create_socket_perms;
+ # Use the network.
+diff -up serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace serefpolicy-3.10.0/policy/modules/apps/vmware.te
+--- serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace	2011-10-05 14:34:03.338103383 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/vmware.te	2011-10-05 14:34:03.770103842 -0400
+@@ -72,7 +72,11 @@ ifdef(`enable_mcs',`
+ # VMWare host local policy
+ #
+ 
+-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
++tunable_policy(`allow_ptrace',`
++	allow vmware_host_t self:capability sys_ptrace;
++')
++
+ dontaudit vmware_host_t self:capability sys_tty_config;
+ allow vmware_host_t self:process { execstack execmem signal_perms };
+ allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if
+--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace	2011-10-05 14:34:03.729103798 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/wine.if	2011-10-05 14:34:03.771103843 -0400
+@@ -100,7 +100,7 @@ template(`wine_role_template',`
+ 	role $2 types $1_wine_t;
+ 
+ 	allow $1_wine_t self:process { execmem execstack };
+-	allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
++	allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
+ 	domtrans_pattern($3, wine_exec_t, $1_wine_t)
+ 	corecmd_bin_domtrans($1_wine_t, $1_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te
+--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace	2011-10-05 14:34:03.352103398 -0400
++++ serefpolicy-3.10.0/policy/modules/kernel/domain.te	2011-10-05 14:34:03.771103843 -0400
+@@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo
+ allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+ 
+ # Act upon any other process.
+-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
++allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
++tunable_policy(`allow_ptrace',`
++	allow unconfined_domain_type domain:process ptrace;
++')
+ 
+ # Create/access any System V IPC objects.
+ allow unconfined_domain_type domain:{ sem msgq shm } *;
+diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te
+--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace	2011-10-05 14:34:03.360103406 -0400
++++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te	2011-10-05 14:34:03.772103844 -0400
+@@ -191,7 +191,11 @@ sid tcp_socket		gen_context(system_u:obj
+ # kernel local policy
+ #
+ 
+-allow kernel_t self:capability *;
++allow kernel_t self:capability ~{ sys_ptrace };
++tunable_policy(`allow_ptrace',`
++	allow kernel_t self:capability sys_ptrace;
++')
++
+ allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow kernel_t self:shm create_shm_perms;
+ allow kernel_t self:sem create_sem_perms;
+@@ -442,7 +446,7 @@ allow kern_unconfined unlabeled_t:dir_fi
+ allow kern_unconfined unlabeled_t:filesystem *;
+ allow kern_unconfined unlabeled_t:association *;
+ allow kern_unconfined unlabeled_t:packet *;
+-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
++allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
+ 
+ gen_require(`
+ 	bool secure_mode_insmod;
+diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te
+--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace	2011-10-05 14:34:03.367103414 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te	2011-10-05 14:34:03.772103844 -0400
+@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
+ # database admin local policy
+ #
+ 
+-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
++allow dbadm_t self:capability { dac_override dac_read_search };
+ 
+ files_dontaudit_search_all_dirs(dbadm_t)
+ files_delete_generic_locks(dbadm_t)
+diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te
+--- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/logadm.te	2011-10-05 14:34:03.773103845 -0400
+@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
+ # logadmin local policy
+ #
+ 
+-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+-
++allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ logging_admin(logadm_t, logadm_r)
+diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te
+--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace	2011-10-05 14:34:03.706103774 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te	2011-10-05 14:34:03.774103846 -0400
+@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
+ # Declarations
+ #
+ 
+-## <desc>
+-## <p>
+-## Allow sysadm to debug or ptrace all processes.
+-## </p>
+-## </desc>
+-gen_tunable(allow_ptrace, false)
+-
+ role sysadm_r;
+ 
+ userdom_admin_user_template(sysadm)
+diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te
+--- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace	2011-10-05 14:34:03.372103419 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/webadm.te	2011-10-05 14:34:03.774103846 -0400
+@@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
+ # webadmin local policy
+ #
+ 
+-allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
+ 
+ files_dontaudit_search_all_dirs(webadm_t)
+ files_manage_generic_locks(webadm_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if
+--- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace	2011-10-05 14:34:03.374103421 -0400
++++ serefpolicy-3.10.0/policy/modules/services/abrt.if	2011-10-05 14:34:03.775103847 -0400
+@@ -333,9 +333,13 @@ interface(`abrt_admin',`
+ 		type abrt_initrc_exec_t;
+ 	')
+ 
+-	allow $1 abrt_t:process { ptrace signal_perms };
++	allow $1 abrt_t:process { signal_perms };
+ 	ps_process_pattern($1, abrt_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 abrt_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 abrt_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if
+--- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace	2011-10-05 14:34:03.375103422 -0400
++++ serefpolicy-3.10.0/policy/modules/services/accountsd.if	2011-10-05 14:34:03.775103847 -0400
+@@ -138,8 +138,12 @@ interface(`accountsd_admin',`
+ 		type accountsd_t;
+ 	')
+ 
+-	allow $1 accountsd_t:process { ptrace signal_perms };
++	allow $1 accountsd_t:process signal_perms;
+ 	ps_process_pattern($1, accountsd_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 acountsd_t:process ptrace;
++	')
++
+ 	accountsd_manage_lib_files($1)
+ ')
+diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te
+--- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace	2011-10-05 14:34:03.376103423 -0400
++++ serefpolicy-3.10.0/policy/modules/services/accountsd.te	2011-10-05 14:34:03.776103848 -0400
+@@ -19,10 +19,14 @@ files_type(accountsd_var_lib_t)
+ # accountsd local policy
+ #
+ 
+-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
++allow accountsd_t self:capability { dac_override setuid setgid };
+ allow accountsd_t self:process signal;
+ allow accountsd_t self:fifo_file rw_fifo_file_perms;
+ 
++tunable_policy(`allow_ptrace',`
++	allow accountsd_t self:capability sys_ptrace;
++')
++
+ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+ manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
+ files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
+diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if
+--- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace	2011-10-05 14:34:03.376103423 -0400
++++ serefpolicy-3.10.0/policy/modules/services/afs.if	2011-10-05 14:34:03.776103848 -0400
+@@ -97,9 +97,13 @@ interface(`afs_admin',`
+ 		type afs_t, afs_initrc_exec_t;
+ 	')
+ 
+-	allow $1 afs_t:process { ptrace signal_perms };
++	allow $1 afs_t:process signal_perms;
+ 	ps_process_pattern($1, afs_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 afs_t:process ptrace;
++	')
++
+ 	# Allow afs_admin to restart the afs service
+ 	afs_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if
+--- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aiccu.if	2011-10-05 14:34:03.777103849 -0400
+@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
+ 		type aiccu_var_run_t;
+ 	')
+ 
+-	allow $1 aiccu_t:process { ptrace signal_perms };
++	allow $1 aiccu_t:process signal_perms;
+ 	ps_process_pattern($1, aiccu_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 aiccu_t:process ptrace;
++	')
++
+ 	aiccu_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 aiccu_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if
+--- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace	2011-10-05 14:34:03.378103425 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aide.if	2011-10-05 14:34:03.778103850 -0400
+@@ -61,9 +61,13 @@ interface(`aide_admin',`
+ 		type aide_t, aide_db_t, aide_log_t;
+ 	')
+ 
+-	allow $1 aide_t:process { ptrace signal_perms };
++	allow $1 aide_t:process signal_perms;
+ 	ps_process_pattern($1, aide_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 aide_t:process ptrace;
++	')
++
+ 	files_list_etc($1)
+ 	admin_pattern($1, aide_db_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if
+--- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace	2011-10-05 14:34:03.379103426 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aisexec.if	2011-10-05 14:34:03.778103850 -0400
+@@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
+ 		type aisexec_initrc_exec_t;
+ 	')
+ 
+-	allow $1 aisexec_t:process { ptrace signal_perms };
++	allow $1 aisexec_t:process signal_perms;
+ 	ps_process_pattern($1, aisexec_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 aisexec_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 aisexec_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if
+--- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace	2011-10-05 14:34:03.381103429 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if	2011-10-05 14:34:03.779103851 -0400
+@@ -76,9 +76,13 @@ interface(`ajaxterm_admin',`
+ 		type ajaxterm_t, ajaxterm_initrc_exec_t;
+ 	')
+ 
+-	allow $1 ajaxterm_t:process { ptrace signal_perms };
++	allow $1 ajaxterm_t:process signal_perms;
+ 	ps_process_pattern($1, ajaxterm_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 ajaxterm_t:process ptrace;
++	')
++
+ 	ajaxterm_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 ajaxterm_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if
+--- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/amavis.if	2011-10-05 14:34:03.779103851 -0400
+@@ -231,9 +231,13 @@ interface(`amavis_admin',`
+ 		type amavis_initrc_exec_t;
+ 	')
+ 
+-	allow $1 amavis_t:process { ptrace signal_perms };
++	allow $1 amavis_t:process signal_perms;
+ 	ps_process_pattern($1, amavis_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 amavis_t:process ptrace;
++	')
++
+ 	amavis_initrc_domtrans($1)
+  	domain_system_change_exemption($1)
+  	role_transition $2 amavis_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if
+--- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace	2011-10-05 14:34:03.744103814 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apache.if	2011-10-05 14:34:03.780103852 -0400
+@@ -1301,9 +1301,13 @@ interface(`apache_admin',`
+ 		type httpd_unit_file_t;
+ 	')
+ 
+-	allow $1 httpd_t:process { ptrace signal_perms };
++	allow $1 httpd_t:process signal_perms;
+ 	ps_process_pattern($1, httpd_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 httpd_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 httpd_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if
+--- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if	2011-10-05 14:34:03.781103853 -0400
+@@ -146,9 +146,13 @@ interface(`apcupsd_admin',`
+ 		type apcupsd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 apcupsd_t:process { ptrace signal_perms };
++	allow $1 apcupsd_t:process signal_perms;
+ 	ps_process_pattern($1, apcupsd_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 apcupsd_t:process ptrace;
++	')
++
+ 	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 apcupsd_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if
+--- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace	2011-10-05 14:34:03.387103435 -0400
++++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if	2011-10-05 14:34:03.781103853 -0400
+@@ -137,9 +137,13 @@ interface(`arpwatch_admin',`
+ 		type arpwatch_initrc_exec_t;
+ 	')
+ 
+-	allow $1 arpwatch_t:process { ptrace signal_perms };
++	allow $1 arpwatch_t:process signal_perms;
+ 	ps_process_pattern($1, arpwatch_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 arpwatch_t:process ptrace;
++	')
++
+ 	arpwatch_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 arpwatch_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if
+--- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace	2011-10-05 14:34:03.389103437 -0400
++++ serefpolicy-3.10.0/policy/modules/services/asterisk.if	2011-10-05 14:34:03.782103854 -0400
+@@ -64,9 +64,13 @@ interface(`asterisk_admin',`
+ 		type asterisk_initrc_exec_t;
+ 	')
+ 
+-	allow $1 asterisk_t:process { ptrace signal_perms };
++	allow $1 asterisk_t:process signal_perms;
+ 	ps_process_pattern($1, asterisk_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 asterisk_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 asterisk_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if
+--- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace	2011-10-05 14:34:03.390103438 -0400
++++ serefpolicy-3.10.0/policy/modules/services/automount.if	2011-10-05 14:34:03.783103855 -0400
+@@ -150,9 +150,13 @@ interface(`automount_admin',`
+ 		type automount_var_run_t, automount_initrc_exec_t;
+ 	')
+ 
+-	allow $1 automount_t:process { ptrace signal_perms };
++	allow $1 automount_t:process signal_perms;
+ 	ps_process_pattern($1, automount_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 automount_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, automount_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 automount_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if
+--- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace	2011-10-05 14:34:03.391103439 -0400
++++ serefpolicy-3.10.0/policy/modules/services/avahi.if	2011-10-05 14:34:03.783103855 -0400
+@@ -154,9 +154,13 @@ interface(`avahi_admin',`
+ 		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
+ 	')
+ 
+-	allow $1 avahi_t:process { ptrace signal_perms };
++	allow $1 avahi_t:process signal_perms;
+ 	ps_process_pattern($1, avahi_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 avahi_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 avahi_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if
+--- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace	2011-10-05 14:34:03.393103441 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bind.if	2011-10-05 14:34:03.784103857 -0400
+@@ -409,12 +409,20 @@ interface(`bind_admin',`
+ 		type dnssec_t, ndc_t, named_keytab_t;
+ 	')
+ 
+-	allow $1 named_t:process { ptrace signal_perms };
++	allow $1 named_t:process signal_perms;
+ 	ps_process_pattern($1, named_t)
+ 
+-	allow $1 ndc_t:process { ptrace signal_perms };
++	tunable_policy(`allow_ptrace',`
++		allow $1 named_t:process ptrace;
++	')
++
++	allow $1 ndc_t:process signal_perms;
+ 	ps_process_pattern($1, ndc_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 ndc_t:process ptrace;
++	')
++
+ 	bind_run_ndc($1, $2)
+ 
+ 	init_labeled_script_domtrans($1, named_initrc_exec_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if
+--- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if	2011-10-05 14:34:03.784103857 -0400
+@@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
+ 		type bitlbee_initrc_exec_t;
+ 	')
+ 
+-	allow $1 bitlbee_t:process { ptrace signal_perms };
++	allow $1 bitlbee_t:process signal_perms;
+ 	ps_process_pattern($1, bitlbee_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 bitlbee_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 bitlbee_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if
+--- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace	2011-10-05 14:34:03.395103443 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if	2011-10-05 14:34:03.785103858 -0400
+@@ -28,7 +28,11 @@ interface(`bluetooth_role',`
+ 
+ 	# allow ps to show cdrecord and allow the user to kill it
+ 	ps_process_pattern($2, bluetooth_helper_t)
+-	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
++	allow $2 bluetooth_helper_t:process signal_perms;
++
++	tunable_policy(`allow_ptrace',`
++		allow $2 bluetooth_helper_t:process ptrace;
++	')
+ 
+ 	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+ 	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
+@@ -220,9 +224,13 @@ interface(`bluetooth_admin',`
+ 		type bluetooth_conf_t, bluetooth_conf_rw_t;
+ 	')
+ 
+-	allow $1 bluetooth_t:process { ptrace signal_perms };
++	allow $1 bluetooth_t:process signal_perms;
+ 	ps_process_pattern($1, bluetooth_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 bluetooth_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 bluetooth_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if
+--- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace	2011-10-05 14:34:03.396103444 -0400
++++ serefpolicy-3.10.0/policy/modules/services/boinc.if	2011-10-05 14:34:03.785103858 -0400
+@@ -137,9 +137,13 @@ interface(`boinc_admin',`
+ 		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
+ 	')
+ 
+-	allow $1 boinc_t:process { ptrace signal_perms };
++	allow $1 boinc_t:process signal_perms;
+ 	ps_process_pattern($1, boinc_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 boic_t:process ptrace;
++	')
++
+ 	boinc_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 boinc_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te
+--- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace	2011-10-05 14:34:03.709103777 -0400
++++ serefpolicy-3.10.0/policy/modules/services/boinc.te	2011-10-05 14:34:03.786103859 -0400
+@@ -121,9 +121,13 @@ mta_send_mail(boinc_t)
+ domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+ allow boinc_t boinc_project_t:process sigkill;
+ 
+-allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop };
+ allow boinc_project_t self:process { execmem execstack };
+ 
++tunable_policy(`allow_ptrace',`
++	allow boinc_project_t self:process ptrace;
++')
++
+ allow boinc_project_t self:fifo_file rw_fifo_file_perms;
+ allow boinc_project_t self:sem create_sem_perms;
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if
+--- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace	2011-10-05 14:34:03.398103447 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if	2011-10-05 14:34:03.787103860 -0400
+@@ -62,9 +62,13 @@ interface(`bugzilla_admin',`
+         type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+     ')
+ 
+-	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
++	allow $1 httpd_bugzilla_script_t:process signal_perms;
+ 	ps_process_pattern($1, httpd_bugzilla_script_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 httpd_bugzilla_script_t:process ptrace;
++	')
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, httpd_bugzilla_tmp_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if
+--- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace	2011-10-05 14:34:03.400103449 -0400
++++ serefpolicy-3.10.0/policy/modules/services/callweaver.if	2011-10-05 14:34:03.787103860 -0400
+@@ -336,9 +336,13 @@ interface(`callweaver_admin',`
+ 		type callweaver_spool_t;
+ 	')
+ 
+-	allow $1 callweaver_t:process { ptrace signal_perms };
++	allow $1 callweaver_t:process signal_perms;
+ 	ps_process_pattern($1, callweaver_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 callweaver_t:process ptrace;
++	')
++
+ 	callweaver_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 callweaver_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if
+--- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/canna.if	2011-10-05 14:34:03.788103861 -0400
+@@ -42,9 +42,13 @@ interface(`canna_admin',`
+ 		type canna_var_run_t, canna_initrc_exec_t;
+ 	')
+ 
+-	allow $1 canna_t:process { ptrace signal_perms };
++	allow $1 canna_t:process signal_perms;
+ 	ps_process_pattern($1, canna_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 canna_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, canna_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 canna_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if
+--- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace	2011-10-05 14:34:03.403103452 -0400
++++ serefpolicy-3.10.0/policy/modules/services/certmaster.if	2011-10-05 14:34:03.788103861 -0400
+@@ -119,9 +119,13 @@ interface(`certmaster_admin',`
+ 		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
+ 	')
+ 
+-	allow $1 certmaster_t:process { ptrace signal_perms };
++	allow $1 certmaster_t:process signal_perms;
+ 	ps_process_pattern($1, certmaster_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 certmaster_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 certmaster_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if
+--- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace	2011-10-05 14:34:03.405103454 -0400
++++ serefpolicy-3.10.0/policy/modules/services/certmonger.if	2011-10-05 14:34:03.790103863 -0400
+@@ -158,7 +158,11 @@ interface(`certmonger_admin',`
+ 	')
+ 
+ 	ps_process_pattern($1, certmonger_t)
+-	allow $1 certmonger_t:process { ptrace signal_perms };
++	allow $1 certmonger_t:process signal_perms;
++
++	tunable_policy(`allow_ptrace',`
++		allow $1 certmonger_t:process ptrace;
++	')
+ 
+ 	# Allow certmonger_t to restart the apache service
+ 	certmonger_initrc_domtrans($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if
+--- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace	2011-10-05 14:34:03.407103456 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cgroup.if	2011-10-05 14:34:03.790103863 -0400
+@@ -171,15 +171,27 @@ interface(`cgroup_admin',`
+ 		type cgrules_etc_t, cgclear_t;
+ 	')
+ 
+-	allow $1 cgclear_t:process { ptrace signal_perms };
++	allow $1 cgclear_t:process signal_perms;
+ 	ps_process_pattern($1, cgclear_t)
+ 
+-	allow $1 cgconfig_t:process { ptrace signal_perms };
++	tunable_policy(`allow_ptrace',`
++		allow $1 cglear_t:process ptrace;
++	')
++
++	allow $1 cgconfig_t:process signal_perms;
+ 	ps_process_pattern($1, cgconfig_t)
+ 
+-	allow $1 cgred_t:process { ptrace signal_perms };
++	tunable_policy(`allow_ptrace',`
++		allow $1 cgconfig_t:process ptrace;
++	')
++
++	allow $1 cgred_t:process signal_perms;
+ 	ps_process_pattern($1, cgred_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 cgred_t:process ptrace;
++	')
++
+ 	admin_pattern($1, cgconfig_etc_t)
+ 	admin_pattern($1, cgrules_etc_t)
+ 	files_list_etc($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te
+--- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace	2011-10-05 14:34:03.407103456 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cgroup.te	2011-10-05 14:34:03.791103864 -0400
+@@ -76,7 +76,11 @@ fs_unmount_cgroup(cgconfig_t)
+ # cgred personal policy.
+ #
+ 
+-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override };
++tunable_policy(`allow_ptrace',`
++	allow cgred_t self:capability sys_ptrace;
++')
++
+ allow cgred_t self:netlink_socket { write bind create read };
+ allow cgred_t self:unix_dgram_socket { write create connect };
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if
+--- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace	2011-10-05 14:34:03.408103457 -0400
++++ serefpolicy-3.10.0/policy/modules/services/chronyd.if	2011-10-05 14:34:03.791103864 -0400
+@@ -218,9 +218,13 @@ interface(`chronyd_admin',`
+ 		type chronyd_keys_t;
+ 	')
+ 
+-	allow $1 chronyd_t:process { ptrace signal_perms };
++	allow $1 chronyd_t:process signal_perms;
+ 	ps_process_pattern($1, chronyd_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 chronyd_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 chronyd_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if
+--- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace	2011-10-05 14:34:03.410103459 -0400
++++ serefpolicy-3.10.0/policy/modules/services/clamav.if	2011-10-05 14:34:03.792103865 -0400
+@@ -176,13 +176,19 @@ interface(`clamav_admin',`
+ 		type freshclam_t, freshclam_var_log_t;
+ 	')
+ 
+-	allow $1 clamd_t:process { ptrace signal_perms };
++	allow $1 clamd_t:process signal_perms;
+ 	ps_process_pattern($1, clamd_t)
+ 
+-	allow $1 clamscan_t:process { ptrace signal_perms };
++	tunable_policy(`allow_ptrace',`
++		allow $1 clamd_t:process ptrace;
++		allow $1 clamscan_t:process ptrace;
++		allow $1 freshclam_t:process ptrace;
++	')
++
++	allow $1 clamscan_t:process signal_perms;
+ 	ps_process_pattern($1, clamscan_t)
+ 
+-	allow $1 freshclam_t:process { ptrace signal_perms };
++	allow $1 freshclam_t:process signal_perms;
+ 	ps_process_pattern($1, freshclam_t)
+ 
+ 	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if
+--- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace	2011-10-05 14:34:03.413103463 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if	2011-10-05 14:34:03.792103865 -0400
+@@ -101,9 +101,13 @@ interface(`cmirrord_admin',`
+ 		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
+ 	')
+ 
+-	allow $1 cmirrord_t:process { ptrace signal_perms };
++	allow $1 cmirrord_t:process signal_perms;
+ 	ps_process_pattern($1, cmirrord_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 cmorrord_t:process ptrace;
++	')
++
+ 	cmirrord_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 cmirrord_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if
+--- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace	2011-10-05 14:34:03.414103464 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cobbler.if	2011-10-05 14:34:03.793103866 -0400
+@@ -189,9 +189,13 @@ interface(`cobblerd_admin',`
+ 		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
+ 	')
+ 
+-	allow $1 cobblerd_t:process { ptrace signal_perms };
++	allow $1 cobblerd_t:process signal_perms;
+ 	ps_process_pattern($1, cobblerd_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 cobblerd_t:process ptrace;
++	')
++
+ 	files_list_etc($1)
+ 	admin_pattern($1, cobbler_etc_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if
+--- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace	2011-10-05 14:34:03.416103466 -0400
++++ serefpolicy-3.10.0/policy/modules/services/collectd.if	2011-10-05 14:34:03.794103867 -0400
+@@ -142,9 +142,13 @@ interface(`collectd_admin',`
+ 	type collectd_var_lib_t;
+ 	')
+ 
+-	allow $1 collectd_t:process { ptrace signal_perms };
++	allow $1 collectd_t:process signal_perms;
+ 	ps_process_pattern($1, collectd_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 collectd_t:process ptrace;
++	')
++
+ 	collectd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 collectd_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te
+--- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace	2011-10-05 14:34:03.418103468 -0400
++++ serefpolicy-3.10.0/policy/modules/services/consolekit.te	2011-10-05 14:34:03.794103867 -0400
+@@ -23,7 +23,12 @@ files_tmpfs_file(consolekit_tmpfs_t)
+ # consolekit local policy
+ #
+ 
+-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
++
++tunable_policy(`allow_ptrace',`
++	allow consolekit_t self:capability sys_ptrace;
++')
++
+ allow consolekit_t self:process { getsched signal };
+ allow consolekit_t self:fifo_file rw_fifo_file_perms;
+ allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
+@@ -144,6 +149,8 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	#reading .Xauthity
+-	unconfined_ptrace(consolekit_t)
++	tunable_policy(`allow_ptrace',`
++		unconfined_ptrace(consolekit_t)
++	')
+ 	unconfined_stream_connect(consolekit_t)
+ ')
+diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if
+--- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace	2011-10-05 14:34:03.419103469 -0400
++++ serefpolicy-3.10.0/policy/modules/services/corosync.if	2011-10-05 14:34:03.795103868 -0400
+@@ -101,9 +101,13 @@ interface(`corosyncd_admin',`
+ 		type corosync_initrc_exec_t;
+ 	')
+ 
+-	allow $1 corosync_t:process { ptrace signal_perms };
++	allow $1 corosync_t:process signal_perms;
+ 	ps_process_pattern($1, corosync_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 corosync_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 corosync_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te
+--- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace	2011-10-05 14:34:03.419103469 -0400
++++ serefpolicy-3.10.0/policy/modules/services/corosync.te	2011-10-05 14:34:03.795103868 -0400
+@@ -32,9 +32,13 @@ files_pid_file(corosync_var_run_t)
+ # corosync local policy
+ #
+ 
+-allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock };
++allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock };
+ allow corosync_t self:process { setpgid setrlimit setsched signal signull };
+ 
++tunable_policy(`allow_ptrace',`
++	allow corosync_t self:capability sys_ptrace;
++')
++
+ allow corosync_t self:fifo_file rw_fifo_file_perms;
+ allow corosync_t self:sem create_sem_perms;
+ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
+diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if
+--- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace	2011-10-05 14:34:03.423103473 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cron.if	2011-10-05 14:34:03.796103869 -0400
+@@ -140,7 +140,11 @@ interface(`cron_role',`
+ 
+ 	# crontab shows up in user ps
+ 	ps_process_pattern($2, crontab_t)
+-	allow $2 crontab_t:process { ptrace signal_perms };
++	allow $2 crontab_t:process signal_perms;
++
++	tunable_policy(`allow_ptrace',`
++		allow $2 crontab_t:process ptrace;
++	')
+ 
+ 	# Run helper programs as the user domain
+ 	#corecmd_bin_domtrans(crontab_t, $2)
+@@ -183,7 +187,10 @@ interface(`cron_unconfined_role',`
+ 
+ 	# cronjob shows up in user ps
+ 	ps_process_pattern($2, unconfined_cronjob_t)
+-	allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
++	allow $2 unconfined_cronjob_t:process signal_perms;
++	tunable_policy(`allow_ptrace',`
++		allow $2 unconfined_cronjob_t:process ptrace;
++	')
+ 
+ 	optional_policy(`
+ 		gen_require(`
+@@ -230,7 +237,10 @@ interface(`cron_admin_role',`
+ 
+ 	# crontab shows up in user ps
+ 	ps_process_pattern($2, admin_crontab_t)
+-	allow $2 admin_crontab_t:process { ptrace signal_perms };
++	allow $2 admin_crontab_t:process signal_perms;
++	tunable_policy(`allow_ptrace',`
++		allow $2 admin_crontab_t:process ptrace;
++	')
+ 
+ 	# Run helper programs as the user domain
+ 	#corecmd_bin_domtrans(admin_crontab_t, $2)
+diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if
+--- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace	2011-10-05 14:34:03.424103474 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if	2011-10-05 14:34:03.797103870 -0400
+@@ -236,8 +236,11 @@ interface(`ctdbd_admin',`
+ 		type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
+ 	')
+ 
+-	allow $1 ctdbd_t:process { ptrace signal_perms };
++	allow $1 ctdbd_t:process signal_perms;
+ 	ps_process_pattern($1, ctdbd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 ctdbd_t:process ptrace;
++	')
+ 
+ 	ctdbd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te
+--- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace	2011-10-05 14:34:03.425103475 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te	2011-10-05 14:34:03.797103870 -0400
+@@ -33,9 +33,13 @@ files_pid_file(ctdbd_var_run_t)
+ # ctdbd local policy
+ #
+ 
+-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace };
++allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
+ allow ctdbd_t self:process { setpgid signal_perms setsched };
+ 
++tunable_policy(`allow_ptrace',`
++	allow ctdbd_t self:capability sys_ptrace;
++')
++
+ allow ctdbd_t self:fifo_file rw_fifo_file_perms;
+ allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if
+--- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace	2011-10-05 14:34:03.426103476 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cups.if	2011-10-05 14:34:03.798103871 -0400
+@@ -327,9 +327,13 @@ interface(`cups_admin',`
+ 		type ptal_var_run_t;
+ 	')
+ 
+-	allow $1 cupsd_t:process { ptrace signal_perms };
++	allow $1 cupsd_t:process signal_perms;
+ 	ps_process_pattern($1, cupsd_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 cupsd_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 cupsd_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if
+--- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace	2011-10-05 14:34:03.427103477 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cvs.if	2011-10-05 14:34:03.798103871 -0400
+@@ -80,9 +80,13 @@ interface(`cvs_admin',`
+ 		type cvs_data_t, cvs_var_run_t;
+ 	')
+ 
+-	allow $1 cvs_t:process { ptrace signal_perms };
++	allow $1 cvs_t:process signal_perms;
+ 	ps_process_pattern($1, cvs_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 cvs_t:process ptrace;
++	')
++
+ 	# Allow cvs_t to restart the apache service
+ 	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if
+--- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cyrus.if	2011-10-05 14:34:03.799103872 -0400
+@@ -62,9 +62,13 @@ interface(`cyrus_admin',`
+ 		type cyrus_var_run_t, cyrus_initrc_exec_t;
+ 	')
+ 
+-	allow $1 cyrus_t:process { ptrace signal_perms };
++	allow $1 cyrus_t:process signal_perms;
+ 	ps_process_pattern($1, cyrus_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 cyrus_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 cyrus_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if
+--- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace	2011-10-05 14:34:03.431103482 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dbus.if	2011-10-05 14:34:03.800103874 -0400
+@@ -71,7 +71,11 @@ template(`dbus_role_template',`
+ 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
+ 
+ 	ps_process_pattern($3, $1_dbusd_t)
+-	allow $3 $1_dbusd_t:process { ptrace signal_perms };
++	allow $3 $1_dbusd_t:process signal_perms;
++
++	tunable_policy(`allow_ptrace',`
++		allow $3 $1_dbusd_t:process ptrace;
++	')
+ 
+ 	# cjp: this seems very broken
+ 	corecmd_bin_domtrans($1_dbusd_t, $1_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if
+--- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace	2011-10-05 14:34:03.433103484 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ddclient.if	2011-10-05 14:34:03.800103874 -0400
+@@ -68,9 +68,13 @@ interface(`ddclient_admin',`
+ 		type ddclient_var_run_t;
+ 	')
+ 
+-	allow $1 ddclient_t:process { ptrace signal_perms };
++	allow $1 ddclient_t:process signal_perms;
+ 	ps_process_pattern($1, ddclient_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 ddclient_t:process ptrace;
++	')
++
+ 	init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 ddclient_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if
+--- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace	2011-10-05 14:34:03.434103485 -0400
++++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if	2011-10-05 14:34:03.801103875 -0400
+@@ -67,9 +67,13 @@ interface(`denyhosts_admin',`
+ 		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
+ 	')
+ 
+-	allow $1 denyhosts_t:process { ptrace signal_perms };
++	allow $1 denyhosts_t:process signal_perms;
+ 	ps_process_pattern($1, denyhosts_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 denyhosts_t:process ptrace;
++	')
++
+ 	denyhosts_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 denyhosts_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if
+--- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace	2011-10-05 14:34:03.436103487 -0400
++++ serefpolicy-3.10.0/policy/modules/services/devicekit.if	2011-10-05 14:34:03.802103876 -0400
+@@ -308,13 +308,18 @@ interface(`devicekit_admin',`
+ 		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ 	')
+ 
+-	allow $1 devicekit_t:process { ptrace signal_perms };
++	allow $1 devicekit_t:process signal_perms;
+ 	ps_process_pattern($1, devicekit_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 devicekit_t:process ptrace;
++		allow $1 devicekit_disk_t:process ptrace;
++		allow $1 devicekit_power_t:process ptrace;
++	')
+ 
+-	allow $1 devicekit_disk_t:process { ptrace signal_perms };
++	allow $1 devicekit_disk_t:process signal_perms;
+ 	ps_process_pattern($1, devicekit_disk_t)
+ 
+-	allow $1 devicekit_power_t:process { ptrace signal_perms };
++	allow $1 devicekit_power_t:process signal_perms;
+ 	ps_process_pattern($1, devicekit_power_t)
+ 
+ 	admin_pattern($1, devicekit_tmp_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te
+--- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace	2011-10-05 14:34:03.437103488 -0400
++++ serefpolicy-3.10.0/policy/modules/services/devicekit.te	2011-10-05 14:34:03.802103876 -0400
+@@ -65,7 +65,10 @@ optional_policy(`
+ # DeviceKit disk local policy
+ #
+ 
+-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
++tunable_policy(`allow_ptrace',`
++	allow devicekit_disk_t self:capability sys_ptrace;
++')
+ allow devicekit_disk_t self:process { getsched signal_perms };
+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -199,7 +202,10 @@ optional_policy(`
+ # DeviceKit-Power local policy
+ #
+ 
+-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
++allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
++tunable_policy(`allow_ptrace',`
++	allow devicekit_power_t self:capability sys_ptrace;
++')
+ allow devicekit_power_t self:process { getsched signal_perms };
+ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if
+--- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace	2011-10-05 14:34:03.438103489 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dhcp.if	2011-10-05 14:34:03.803103877 -0400
+@@ -105,8 +105,11 @@ interface(`dhcpd_admin',`
+ 		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 dhcpd_t:process { ptrace signal_perms };
++	allow $1 dhcpd_t:process signal_perms;
+ 	ps_process_pattern($1, dhcpd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 dhcpd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if
+--- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dictd.if	2011-10-05 14:34:03.803103877 -0400
+@@ -38,8 +38,11 @@ interface(`dictd_admin',`
+ 		type dictd_var_run_t, dictd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 dictd_t:process { ptrace signal_perms };
++	allow $1 dictd_t:process signal_perms;
+ 	ps_process_pattern($1, dictd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 dictd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if
+--- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace	2011-10-05 14:34:03.443103494 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if	2011-10-05 14:34:03.804103878 -0400
+@@ -282,8 +282,11 @@ interface(`dnsmasq_admin',`
+ 		type dnsmasq_initrc_exec_t;
+ 	')
+ 
+-	allow $1 dnsmasq_t:process { ptrace signal_perms };
++	allow $1 dnsmasq_t:process signal_perms;
+ 	ps_process_pattern($1, dnsmasq_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 dnsmasq_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if
+--- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace	2011-10-05 14:34:03.445103496 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dovecot.if	2011-10-05 14:34:03.805103879 -0400
+@@ -119,8 +119,11 @@ interface(`dovecot_admin',`
+ 		type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
+ 	')
+ 
+-	allow $1 dovecot_t:process { ptrace signal_perms };
++	allow $1 dovecot_t:process signal_perms;
+ 	ps_process_pattern($1, dovecot_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 dovecot_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if
+--- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace	2011-10-05 14:34:03.446103498 -0400
++++ serefpolicy-3.10.0/policy/modules/services/drbd.if	2011-10-05 14:34:03.806103880 -0400
+@@ -120,8 +120,11 @@ interface(`drbd_admin',`
+                 type drbd_var_lib_t;
+ 	')
+ 
+-	allow $1 drbd_t:process { ptrace signal_perms };
++	allow $1 drbd_t:process signal_perms;
+ 	ps_process_pattern($1, drbd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 drbd_t:process ptrace;
++	')
+ 
+ 	files_search_var_lib($1)
+ 	admin_pattern($1, drbd_var_lib_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if
+--- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace	2011-10-05 14:34:03.447103499 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dspam.if	2011-10-05 14:34:03.806103880 -0400
+@@ -244,8 +244,11 @@ interface(`dspam_admin',`
+ 		type dspam_var_run_t;
+ 	')
+ 
+-	allow $1 dspam_t:process { ptrace signal_perms };
++	allow $1 dspam_t:process signal_perms;
+ 	ps_process_pattern($1, dspam_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 dspam_t:process ptrace;
++	')
+ 
+ 	dspam_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if
+--- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace	2011-10-05 14:34:03.449103501 -0400
++++ serefpolicy-3.10.0/policy/modules/services/exim.if	2011-10-05 14:34:03.807103881 -0400
+@@ -260,8 +260,11 @@ interface(`exim_admin',`
+ 		type exim_tmp_t, exim_spool_t, exim_var_run_t;
+ 	')
+ 
+-	allow $1 exim_t:process { ptrace signal_perms };
++	allow $1 exim_t:process signal_perms;
+ 	ps_process_pattern($1, exim_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 exim_t:process ptrace;
++	')
+ 
+ 	exim_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if
+--- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace	2011-10-05 14:34:03.450103502 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if	2011-10-05 14:34:03.807103881 -0400
+@@ -199,8 +199,11 @@ interface(`fail2ban_admin',`
+ 		type fail2ban_client_t;
+ 	')
+ 
+-	allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
++	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
+ 	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
++	tunable_policy(`allow_ptrace',`
++		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if
+--- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace	2011-10-05 14:34:03.452103504 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if	2011-10-05 14:34:03.808103882 -0400
+@@ -81,8 +81,11 @@ interface(`fcoemon_admin',`
+ 	type fcoemon_var_run_t;
+ 	')
+ 
+-	allow $1 fcoemon_t:process { ptrace signal_perms };
++	allow $1 fcoemon_t:process signal_perms;
+ 	ps_process_pattern($1, fcoemon_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 fcoemon_t:process ptrace;
++	')
+ 
+ 	files_search_pids($1)
+ 	admin_pattern($1, fcoemon_var_run_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if
+--- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace	2011-10-05 14:34:03.453103505 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if	2011-10-05 14:34:03.809103883 -0400
+@@ -18,8 +18,11 @@ interface(`fetchmail_admin',`
+ 		type fetchmail_var_run_t;
+ 	')
+ 
+-	allow $1 fetchmail_t:process { ptrace signal_perms };
++	allow $1 fetchmail_t:process signal_perms;
+ 	ps_process_pattern($1, fetchmail_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 fetchmail_t:process ptrace;
++	')
+ 
+ 	files_list_etc($1)
+ 	admin_pattern($1, fetchmail_etc_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if
+--- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace	2011-10-05 14:34:03.454103506 -0400
++++ serefpolicy-3.10.0/policy/modules/services/firewalld.if	2011-10-05 14:34:03.809103883 -0400
+@@ -62,8 +62,11 @@ interface(`firewalld_admin',`
+ 		type firewalld_initrc_exec_t;
+ 	')
+ 
+-	allow $1 firewalld_t:process { ptrace signal_perms };
++	allow $1 firewalld_t:process signal_perms;
+ 	ps_process_pattern($1, firewalld_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 firewalld_t:process ptrace;
++	')
+ 
+ 	firewalld_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te
+--- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace	2011-10-05 14:34:03.456103508 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fprintd.te	2011-10-05 14:34:03.810103884 -0400
+@@ -17,7 +17,11 @@ files_type(fprintd_var_lib_t)
+ # Local policy
+ #
+ 
+-allow fprintd_t self:capability { sys_nice sys_ptrace };
++allow fprintd_t self:capability sys_nice;
++tunable_policy(`allow_ptrace',`
++	allow fprintd_t self:capability sys_ptrace;
++')
++
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
+ allow fprintd_t self:process { getsched setsched signal };
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if
+--- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace	2011-10-05 14:34:03.457103509 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ftp.if	2011-10-05 14:34:03.810103884 -0400
+@@ -238,8 +238,11 @@ interface(`ftp_admin',`
+ 		type ftpd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 ftpd_t:process { ptrace signal_perms };
++	allow $1 ftpd_t:process signal_perms;
+ 	ps_process_pattern($1, ftpd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 ftpd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if
+--- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace	2011-10-05 14:34:03.459103511 -0400
++++ serefpolicy-3.10.0/policy/modules/services/git.if	2011-10-05 14:34:03.811103885 -0400
+@@ -42,8 +42,11 @@ interface(`git_session_role',`
+ 
+ 	domtrans_pattern($2, gitd_exec_t, git_session_t)
+ 
+-	allow $2 git_session_t:process { ptrace signal_perms };
++	allow $2 git_session_t:process signal_perms;
+ 	ps_process_pattern($2, git_session_t)
++	tunable_policy(`allow_ptrace',`
++		allow $2 git_session_t:process ptrace;
++	')
+ ')
+ 
+ ########################################
+diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if
+--- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace	2011-10-05 14:34:03.461103513 -0400
++++ serefpolicy-3.10.0/policy/modules/services/glance.if	2011-10-05 14:34:03.811103885 -0400
+@@ -245,10 +245,14 @@ interface(`glance_admin',`
+ 		type glance_api_initrc_exec_t;
+ 	')
+ 
+-	allow $1 glance_registry_t:process { ptrace signal_perms };
++	allow $1 glance_registry_t:process signal_perms;
+ 	ps_process_pattern($1, glance_registry_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 glance_registry_t:process ptrace;
++		allow $1 glance_api_t:process ptrace;
++	')
+ 
+-	allow $1 glance_api_t:process { ptrace signal_perms };
++	allow $1 glance_api_t:process signal_perms;
+ 	ps_process_pattern($1, glance_api_t)
+ 
+ 	init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te
+--- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace	2011-10-05 14:34:03.463103516 -0400
++++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te	2011-10-05 14:34:03.812103886 -0400
+@@ -16,7 +16,10 @@ systemd_systemctl_domain(gnomeclock)
+ # gnomeclock local policy
+ #
+ 
+-allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
++allow gnomeclock_t self:capability { sys_nice sys_time };
++tunable_policy(`allow_ptrace',`
++	allow gnomeclock_t self:capability sys_ptrace;
++')
+ allow gnomeclock_t self:process { getattr getsched signal };
+ allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
+ allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if
+--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace	2011-10-05 14:34:03.711103779 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hadoop.if	2011-10-05 14:34:03.813103887 -0400
+@@ -222,14 +222,21 @@ interface(`hadoop_role',`
+ 	hadoop_domtrans($2)
+ 	role $1 types hadoop_t;
+ 
+-	allow $2 hadoop_t:process { ptrace signal_perms };
++	allow $2 hadoop_t:process signal_perms;
+ 	ps_process_pattern($2, hadoop_t)
++	tunable_policy(`allow_ptrace',`
++		allow $2 hadoop_t:process ptrace;
++	')
+ 
+ 	hadoop_domtrans_zookeeper_client($2)
+ 	role $1 types zookeeper_t;
+ 
+-	allow $2 zookeeper_t:process { ptrace signal_perms };
++	allow $2 zookeeper_t:process signal_perms;
+ 	ps_process_pattern($2, zookeeper_t)
++	tunable_policy(`allow_ptrace',`
++		allow $2 zookeeper_t:process ptrace;
++	')
++
+ ')
+ 
+ ########################################
+diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if
+--- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace	2011-10-05 14:34:03.466103519 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hal.if	2011-10-05 14:34:03.814103888 -0400
+@@ -70,7 +70,9 @@ interface(`hal_ptrace',`
+ 		type hald_t;
+ 	')
+ 
+-	allow $1 hald_t:process ptrace;
++	tunable_policy(`allow_ptrace',`
++		allow $1 hald_t:process ptrace;
++	')
+ ')
+ 
+ ########################################
+diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if
+--- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace	2011-10-05 14:34:03.467103520 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if	2011-10-05 14:34:03.814103888 -0400
+@@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
+ 		type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
+ 	')
+ 
+-	allow $1 hddtemp_t:process { ptrace signal_perms };
++	allow $1 hddtemp_t:process signal_perms;
+ 	ps_process_pattern($1, hddtemp_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 hddtemp_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if
+--- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace	2011-10-05 14:34:03.469103522 -0400
++++ serefpolicy-3.10.0/policy/modules/services/icecast.if	2011-10-05 14:34:03.815103889 -0400
+@@ -173,8 +173,11 @@ interface(`icecast_admin',`
+ 		type icecast_t, icecast_initrc_exec_t;
+ 	')
+ 
+-	allow $1 icecast_t:process { ptrace signal_perms };
++	allow $1 icecast_t:process signal_perms;
+ 	ps_process_pattern($1, icecast_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 icecast_t:process ptrace;
++	')
+ 
+ 	# Allow icecast_t to restart the apache service
+ 	icecast_initrc_domtrans($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if
+--- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace	2011-10-05 14:34:03.470103523 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if	2011-10-05 14:34:03.815103889 -0400
+@@ -117,7 +117,7 @@ interface(`ifplugd_admin',`
+ 		type ifplugd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 ifplugd_t:process { ptrace signal_perms };
++	allow $1 ifplugd_t:process signal_perms;
+ 	ps_process_pattern($1, ifplugd_t)
+ 
+ 	init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if
+--- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace	2011-10-05 14:34:03.472103525 -0400
++++ serefpolicy-3.10.0/policy/modules/services/inn.if	2011-10-05 14:34:03.816103890 -0400
+@@ -202,8 +202,11 @@ interface(`inn_admin',`
+ 		type innd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 innd_t:process { ptrace signal_perms };
++	allow $1 innd_t:process signal_perms;
+ 	ps_process_pattern($1, innd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 innd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, innd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if
+--- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace	2011-10-05 14:34:03.474103527 -0400
++++ serefpolicy-3.10.0/policy/modules/services/jabber.if	2011-10-05 14:34:03.816103890 -0400
+@@ -143,10 +143,14 @@ interface(`jabber_admin',`
+ 		type jabberd_initrc_exec_t, jabberd_router_t;
+ 	')
+ 
+-	allow $1 jabberd_t:process { ptrace signal_perms };
++	allow $1 jabberd_t:process signal_perms;
+ 	ps_process_pattern($1, jabberd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 jabberd_t:process ptrace;
++		allow $1 jabberd_router_t:process ptrace;
++	')
+ 
+-	allow $1 jabberd_router_t:process { ptrace signal_perms };
++	allow $1 jabberd_router_t:process signal_perms;
+ 	ps_process_pattern($1, jabberd_router_t)
+ 
+ 	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if
+--- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace	2011-10-05 14:34:03.476103529 -0400
++++ serefpolicy-3.10.0/policy/modules/services/kerberos.if	2011-10-05 14:34:03.817103892 -0400
+@@ -340,13 +340,18 @@ interface(`kerberos_admin',`
+ 		type krb5kdc_var_run_t, krb5_host_rcache_t;
+ 	')
+ 
+-	allow $1 kadmind_t:process { ptrace signal_perms };
++	allow $1 kadmind_t:process signal_perms;
+ 	ps_process_pattern($1, kadmind_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 kadmind_t:process ptrace;
++		allow $1 krb5kdc_t:process ptrace;
++		allow $1 kpropd_t:process ptrace;
++	')
+ 
+-	allow $1 krb5kdc_t:process { ptrace signal_perms };
++	allow $1 krb5kdc_t:process signal_perms;
+ 	ps_process_pattern($1, krb5kdc_t)
+ 
+-	allow $1 kpropd_t:process { ptrace signal_perms };
++	allow $1 kpropd_t:process signal_perms;
+ 	ps_process_pattern($1, kpropd_t)
+ 
+ 	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if
+--- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace	2011-10-05 14:34:03.477103530 -0400
++++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if	2011-10-05 14:34:03.818103893 -0400
+@@ -101,8 +101,11 @@ interface(`kerneloops_admin',`
+ 		type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
+ 	')
+ 
+-	allow $1 kerneloops_t:process { ptrace signal_perms };
++	allow $1 kerneloops_t:process signal_perms;
+ 	ps_process_pattern($1, kerneloops_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 kerneloops_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if
+--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace	2011-10-05 14:34:03.479103533 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if	2011-10-05 14:34:03.818103893 -0400
+@@ -58,8 +58,11 @@ interface(`ksmtuned_admin',`
+ 		type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
+ 	')
+ 
+-	allow $1 ksmtuned_t:process { ptrace signal_perms };
++	allow $1 ksmtuned_t:process signal_perms;
+ 	ps_process_pattern($1, ksmtuned_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 ksmtuned_t:process ptrace;
++	')
+ 
+ 	files_list_pids($1)
+ 	admin_pattern($1, ksmtuned_var_run_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te
+--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace	2011-10-05 14:34:03.480103534 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te	2011-10-05 14:34:03.819103894 -0400
+@@ -23,7 +23,11 @@ files_pid_file(ksmtuned_var_run_t)
+ # ksmtuned local policy
+ #
+ 
+-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
++allow ksmtuned_t self:capability sys_tty_config;
++tunable_policy(`allow_ptrace',`
++	allow ksmtuned_t self:capability sys_ptrace;
++')
++
+ allow ksmtuned_t self:fifo_file rw_file_perms;
+ 
+ manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if
+--- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace	2011-10-05 14:34:03.481103535 -0400
++++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if	2011-10-05 14:34:03.819103894 -0400
+@@ -101,8 +101,11 @@ interface(`l2tpd_admin',`
+ 	type l2tpd_var_run_t;
+ 	')
+ 
+-	allow $1 l2tpd_t:process { ptrace signal_perms };
++	allow $1 l2tpd_t:process signal_perms;
+ 	ps_process_pattern($1, l2tpd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 l2tpd_t:process ptrace;
++	')
+ 
+ 	l2tpd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if
+--- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace	2011-10-05 14:34:03.482103536 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ldap.if	2011-10-05 14:34:03.820103895 -0400
+@@ -175,8 +175,11 @@ interface(`ldap_admin',`
+ 		type slapd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 slapd_t:process { ptrace signal_perms };
++	allow $1 slapd_t:process signal_perms;
+ 	ps_process_pattern($1, slapd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 slapd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if
+--- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lircd.if	2011-10-05 14:34:03.821103896 -0400
+@@ -80,8 +80,11 @@ interface(`lircd_admin',`
+ 		type lircd_initrc_exec_t, lircd_etc_t;
+ 	')
+ 
+-	allow $1 lircd_t:process { ptrace signal_perms };
++	allow $1 lircd_t:process signal_perms;
+ 	ps_process_pattern($1, lircd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 lircd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if
+--- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace	2011-10-05 14:34:03.486103540 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lldpad.if	2011-10-05 14:34:03.821103896 -0400
+@@ -180,8 +180,11 @@ interface(`lldpad_admin',`
+ 	type lldpad_var_run_t;
+ 	')
+ 
+-	allow $1 lldpad_t:process { ptrace signal_perms };
++	allow $1 lldpad_t:process signal_perms;
+ 	ps_process_pattern($1, lldpad_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 lldpad_t:process ptrace;
++	')
+ 
+ 	lldpad_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if
+--- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace	2011-10-05 14:34:03.487103541 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lpd.if	2011-10-05 14:34:03.822103897 -0400
+@@ -28,7 +28,10 @@ interface(`lpd_role',`
+ 	dontaudit lpr_t $2:unix_stream_socket { read write };
+ 
+ 	ps_process_pattern($2, lpr_t)
+-	allow $2 lpr_t:process { ptrace signal_perms };
++	allow $2 lpr_t:process signal_perms;
++	tunable_policy(`allow_ptrace',`
++		allow $2 lpr_t:process ptrace;
++	')
+ 
+ 	optional_policy(`
+ 		cups_read_config($2)
+diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if
+--- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace	2011-10-05 14:34:03.490103544 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if	2011-10-05 14:34:03.823103898 -0400
+@@ -47,8 +47,11 @@ interface(`mailscanner_admin',`
+ 	role_transition $2 mscan_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
+-	allow $1 mscan_t:process { ptrace signal_perms };
++	allow $1 mscan_t:process signal_perms;
+ 	ps_process_pattern($1, mscan_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 mscan_t:process ptrace;
++	')
+ 
+ 	admin_pattern($1, mscan_etc_t)
+ 	files_list_etc($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.if
+--- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace	2011-10-05 14:34:03.491103545 -0400
++++ serefpolicy-3.10.0/policy/modules/services/matahari.if	2011-10-05 14:34:03.823103898 -0400
+@@ -229,13 +229,18 @@ interface(`matahari_admin',`
+ 	role_transition $2 matahari_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
+-	allow $1 matahari_netd_t:process { ptrace signal_perms };
++	allow $1 matahari_netd_t:process signal_perms;
+ 	ps_process_pattern($1, matahari_netd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 matahari_netd_t:process ptrace;
++		allow $1 matahari_hostd_t:process ptrace;
++		allow $1 matahari_serviced_t:process ptrace;
++	')
+ 
+-	allow $1 matahari_hostd_t:process { ptrace signal_perms };
++	allow $1 matahari_hostd_t:process signal_perms;
+ 	ps_process_pattern($1, matahari_hostd_t)
+ 
+-	allow $1 matahari_serviced_t:process { ptrace signal_perms };
++	allow $1 matahari_serviced_t:process signal_perms;
+ 	ps_process_pattern($1, matahari_serviced_t)
+ 
+ 	files_search_var_lib($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te
+--- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace	2011-10-05 14:34:03.491103545 -0400
++++ serefpolicy-3.10.0/policy/modules/services/matahari.te	2011-10-05 14:34:03.824103899 -0400
+@@ -24,8 +24,9 @@ files_pid_file(matahari_var_run_t)
+ #
+ # matahari_hostd local policy
+ #
+-
+-allow matahari_hostd_t self:capability sys_ptrace;
++tunable_policy(`allow_ptrace',`
++	allow matahari_hostd_t self:capability sys_ptrace;
++')
+ 
+ kernel_read_network_state(matahari_hostd_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if
+--- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace	2011-10-05 14:34:03.493103547 -0400
++++ serefpolicy-3.10.0/policy/modules/services/memcached.if	2011-10-05 14:34:03.824103899 -0400
+@@ -59,8 +59,11 @@ interface(`memcached_admin',`
+ 		type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
+ 	')
+ 
+-	allow $1 memcached_t:process { ptrace signal_perms };
++	allow $1 memcached_t:process signal_perms;
+ 	ps_process_pattern($1, memcached_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 memcached_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, memcached_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if
+--- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace	2011-10-05 14:34:03.495103550 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mock.if	2011-10-05 14:34:03.825103900 -0400
+@@ -245,7 +245,10 @@ interface(`mock_role',`
+ 	mock_run($2, $1)
+ 
+ 	ps_process_pattern($2, mock_t)
+-	allow $2 mock_t:process { ptrace signal_perms };
++	allow $2 mock_t:process signal_perms;
++	tunable_policy(`allow_ptrace',`
++		allow $2 mock_t:process ptrace;
++	')
+ ')
+ 
+ #######################################
+@@ -289,10 +292,14 @@ interface(`mock_admin',`
+ 		type mock_build_t, mock_etc_t, mock_tmp_t;
+ 	')
+ 
+-	allow $1 mock_t:process { ptrace signal_perms };
++	allow $1 mock_t:process signal_perms;
+ 	ps_process_pattern($1, mock_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 mock_t:process ptrace;
++		allow $1 mock_build_t:process ptrace;
++	')
+ 
+-	allow $1 mock_build_t:process { ptrace signal_perms };
++	allow $1 mock_build_t:process signal_perms;
+ 	ps_process_pattern($1, mock_build_t)
+ 
+ 	files_list_var_lib($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te
+--- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace	2011-10-05 14:34:03.496103551 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mock.te	2011-10-05 14:34:03.825103900 -0400
+@@ -41,7 +41,7 @@ files_config_file(mock_etc_t)
+ # mock local policy
+ #
+ 
+-allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+ allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+ # Needed because mock can run java and mono withing build environment
+ allow mock_t self:process { execmem execstack };
+@@ -164,7 +164,7 @@ optional_policy(`
+ #
+ # mock_build local policy
+ #
+-allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
+ dontaudit mock_build_t self:capability audit_write;
+ allow mock_build_t self:process { fork setsched setpgid signal_perms };
+ allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
+diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if
+--- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace	2011-10-05 14:34:03.497103552 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if	2011-10-05 14:34:03.826103901 -0400
+@@ -24,8 +24,11 @@ interface(`mojomojo_admin',`
+ 		type httpd_mojomojo_script_exec_t;
+ 	')
+ 
+-	allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
++	allow $1 httpd_mojomojo_script_t:process signal_perms;
+ 	ps_process_pattern($1, httpd_mojomojo_script_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 httpd_mojomo_script_t:process ptrace;
++	')
+ 
+ 	files_list_tmp($1)
+ 	admin_pattern($1, httpd_mojomojo_tmp_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if
+--- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mpd.if	2011-10-05 14:34:03.827103902 -0400
+@@ -244,8 +244,11 @@ interface(`mpd_admin',`
+ 		type mpd_tmpfs_t;
+ 	')
+ 
+-	allow $1 mpd_t:process { ptrace signal_perms };
++	allow $1 mpd_t:process signal_perms;
+ 	ps_process_pattern($1, mpd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 mpd_t:process ptrace;
++	')
+ 
+ 	mpd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if
+--- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace	2011-10-05 14:34:03.502103557 -0400
++++ serefpolicy-3.10.0/policy/modules/services/munin.if	2011-10-05 14:34:03.827103902 -0400
+@@ -183,8 +183,11 @@ interface(`munin_admin',`
+ 		type httpd_munin_content_t, munin_initrc_exec_t;
+ 	')
+ 
+-	allow $1 munin_t:process { ptrace signal_perms };
++	allow $1 munin_t:process signal_perms;
+ 	ps_process_pattern($1, munin_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 munin_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, munin_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if
+--- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace	2011-10-05 14:34:03.503103558 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mysql.if	2011-10-05 14:34:03.828103903 -0400
+@@ -389,8 +389,11 @@ interface(`mysql_admin',`
+ 		type mysqld_etc_t;
+ 	')
+ 
+-	allow $1 mysqld_t:process { ptrace signal_perms };
++	allow $1 mysqld_t:process signal_perms;
+ 	ps_process_pattern($1, mysqld_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 mysqld_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if
+--- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace	2011-10-05 14:34:03.505103560 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nagios.if	2011-10-05 14:34:03.829103904 -0400
+@@ -225,8 +225,11 @@ interface(`nagios_admin',`
+ 		type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
+ 	')
+ 
+-	allow $1 nagios_t:process { ptrace signal_perms };
++	allow $1 nagios_t:process signal_perms;
+ 	ps_process_pattern($1, nagios_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 nagios_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te
+--- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace	2011-10-05 14:34:03.507103562 -0400
++++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te	2011-10-05 14:34:03.830103905 -0400
+@@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex
+ 
+ # networkmanager will ptrace itself if gdb is installed
+ # and it receives a unexpected signal (rh bug #204161)
+-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+ dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+ ifdef(`hide_broken_symptoms',`
+ 	# caused by some bogus kernel code
+ 	dontaudit NetworkManager_t self:capability sys_module;
+ ')
+-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
++allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
++tunable_policy(`allow_ptrace',`
++	allow NetworkManager_t self:process ptrace;
++')
++
+ allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
+ allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if
+--- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace	2011-10-05 14:34:03.509103564 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nis.if	2011-10-05 14:34:03.830103905 -0400
+@@ -392,16 +392,22 @@ interface(`nis_admin',`
+ 		type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
+ 	')
+ 
+-	allow $1 ypbind_t:process { ptrace signal_perms };
++	allow $1 ypbind_t:process signal_perms;
+ 	ps_process_pattern($1, ypbind_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 ypbind_t:process ptrace;
++		allow $1 yppasswdd_t:process ptrace;
++		allow $1 ypserv_t:process ptrace;
++		allow $1 ypxfr_t:process ptrace;
++	')
+ 
+-	allow $1 yppasswdd_t:process { ptrace signal_perms };
++	allow $1 yppasswdd_t:process signal_perms;
+ 	ps_process_pattern($1, yppasswdd_t)
+ 
+-	allow $1 ypserv_t:process { ptrace signal_perms };
++	allow $1 ypserv_t:process signal_perms;
+ 	ps_process_pattern($1, ypserv_t)
+ 
+-	allow $1 ypxfr_t:process { ptrace signal_perms };
++	allow $1 ypxfr_t:process signal_perms;
+ 	ps_process_pattern($1, ypxfr_t)
+ 
+ 	nis_initrc_domtrans($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if
+--- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace	2011-10-05 14:34:03.510103566 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nscd.if	2011-10-05 14:34:03.831103906 -0400
+@@ -322,8 +322,11 @@ interface(`nscd_admin',`
+ 		type nscd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 nscd_t:process { ptrace signal_perms };
++	allow $1 nscd_t:process signal_perms;
+ 	ps_process_pattern($1, nscd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 nscd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te
+--- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace	2011-10-05 14:34:03.511103567 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nscd.te	2011-10-05 14:34:03.831103906 -0400
+@@ -40,7 +40,11 @@ logging_log_file(nscd_log_t)
+ # Local policy
+ #
+ 
+-allow nscd_t self:capability { kill setgid setuid sys_ptrace };
++allow nscd_t self:capability { kill setgid setuid };
++tunable_policy(`allow_ptrace',`
++	allow nscd_t self:capability sys_ptrace;
++')
++
+ dontaudit nscd_t self:capability sys_tty_config;
+ allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
+ allow nscd_t self:fifo_file read_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if
+--- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace	2011-10-05 14:34:03.511103567 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nslcd.if	2011-10-05 14:34:03.832103907 -0400
+@@ -98,7 +98,10 @@ interface(`nslcd_admin',`
+ 	')
+ 
+ 	ps_process_pattern($1, nslcd_t)
+-	allow $1 nslcd_t:process { ptrace signal_perms };
++	allow $1 nslcd_t:process signal_perms;
++	tunable_policy(`allow_ptrace',`
++		allow $1 nslcd_t:process ptrace;
++	')
+ 
+ 	# Allow nslcd_t to restart the apache service
+ 	nslcd_initrc_domtrans($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if
+--- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace	2011-10-05 14:34:03.513103569 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ntp.if	2011-10-05 14:34:03.832103907 -0400
+@@ -205,8 +205,11 @@ interface(`ntp_admin',`
+ 		type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 ntpd_t:process { ptrace signal_perms };
++	allow $1 ntpd_t:process signal_perms;
+ 	ps_process_pattern($1, ntpd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 ntpd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if
+--- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace	2011-10-05 14:34:03.518103574 -0400
++++ serefpolicy-3.10.0/policy/modules/services/oident.if	2011-10-05 14:34:03.833103909 -0400
+@@ -89,8 +89,11 @@ interface(`oident_admin',`
+ 		type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
+ 	')
+ 
+-	allow $1 oidentd_t:process { ptrace signal_perms };
++	allow $1 oidentd_t:process signal_perms;
+ 	ps_process_pattern($1, oidentd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 oidentd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if
+--- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/openvpn.if	2011-10-05 14:34:03.834103910 -0400
+@@ -144,8 +144,11 @@ interface(`openvpn_admin',`
+ 		type openvpn_var_run_t, openvpn_initrc_exec_t;
+ 	')
+ 
+-	allow $1 openvpn_t:process { ptrace signal_perms };
++	allow $1 openvpn_t:process signal_perms;
+ 	ps_process_pattern($1, openvpn_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 openvpn_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if
+--- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace	2011-10-05 14:34:03.521103577 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pads.if	2011-10-05 14:34:03.834103910 -0400
+@@ -31,8 +31,11 @@ interface(`pads_admin',`
+ 		type pads_var_run_t;
+ 	')
+ 
+-	allow $1 pads_t:process { ptrace signal_perms };
++	allow $1 pads_t:process signal_perms;
+ 	ps_process_pattern($1, pads_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 pads_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, pads_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if
+--- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace	2011-10-05 14:34:03.524103580 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pingd.if	2011-10-05 14:34:03.835103911 -0400
+@@ -80,8 +80,11 @@ interface(`pingd_admin',`
+ 		type pingd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 pingd_t:process { ptrace signal_perms };
++	allow $1 pingd_t:process signal_perms;
+ 	ps_process_pattern($1, pingd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 pingd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te
+--- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace	2011-10-05 14:34:03.526103583 -0400
++++ serefpolicy-3.10.0/policy/modules/services/piranha.te	2011-10-05 14:34:03.835103911 -0400
+@@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t)
+ #
+ 
+ allow piranha_web_t self:capability { setuid sys_nice kill setgid };
+-allow piranha_web_t self:process { getsched setsched signal signull ptrace };
++allow piranha_web_t self:process { getsched setsched signal signull };
++tunable_policy(`allow_ptrace',`
++	allow piranha_web_t self:process ptrace;
++')
++
+ allow piranha_web_t self:rawip_socket create_socket_perms;
+ allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
+ allow piranha_web_t self:sem create_sem_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if
+--- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace	2011-10-05 14:34:03.527103584 -0400
++++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if	2011-10-05 14:34:03.836103912 -0400
+@@ -291,8 +291,11 @@ interface(`plymouthd_admin',`
+ 		type plymouthd_var_run_t;
+ 	')
+ 
+-	allow $1 plymouthd_t:process { ptrace signal_perms };
++	allow $1 plymouthd_t:process signal_perms;
+ 	ps_process_pattern($1, plymouthd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 plymouthd_t:process ptrace;
++	')
+ 
+ 	files_list_var_lib($1)
+ 	admin_pattern($1, plymouthd_spool_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te
+--- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace	2011-10-05 14:34:03.529103586 -0400
++++ serefpolicy-3.10.0/policy/modules/services/policykit.te	2011-10-05 14:34:03.837103913 -0400
+@@ -38,7 +38,11 @@ files_pid_file(policykit_var_run_t)
+ # policykit local policy
+ #
+ 
+-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
++allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
++tunable_policy(`allow_ptrace',`
++	allow policykit_t self:capability sys_ptrace;
++')
++
+ allow policykit_t self:process { getsched getattr signal };
+ allow policykit_t self:fifo_file rw_fifo_file_perms;
+ allow policykit_t self:unix_dgram_socket create_socket_perms;
+@@ -233,7 +237,11 @@ optional_policy(`
+ # polkit_resolve local policy
+ #
+ 
+-allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
++allow policykit_resolve_t self:capability { setuid sys_nice };
++tunable_policy(`allow_ptrace',`
++	allow policykit_resolve_t self:capability sys_ptrace;
++')
++
+ allow policykit_resolve_t self:process getattr;
+ allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
+ 
+diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if
+--- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace	2011-10-05 14:34:03.530103587 -0400
++++ serefpolicy-3.10.0/policy/modules/services/polipo.if	2011-10-05 14:34:03.838103914 -0400
+@@ -32,8 +32,11 @@ template(`polipo_role',`
+ 	# Policy
+ 	#
+ 
+-	allow $2 polipo_session_t:process { ptrace signal_perms };
++	allow $2 polipo_session_t:process signal_perms;
+ 	ps_process_pattern($2, polipo_session_t)
++	tunable_policy(`allow_ptrace',`
++		allow $2 polipo_session_t:process ptrace;
++	')
+ 
+ 	tunable_policy(`polipo_session_users',`
+ 		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
+@@ -163,8 +166,11 @@ interface(`polipo_admin',`
+ 		type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
+ 	')
+ 
+-	allow $1 polipo_t:process { ptrace signal_perms };
++	allow $1 polipo_t:process signal_perms;
+ 	ps_process_pattern($1, polipo_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 polipo_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if
+--- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/portreserve.if	2011-10-05 14:34:03.838103914 -0400
+@@ -104,8 +104,11 @@ interface(`portreserve_admin',`
+ 		type portreserve_initrc_exec_t;
+ 	')
+ 
+-	allow $1 portreserve_t:process { ptrace signal_perms };
++	allow $1 portreserve_t:process signal_perms;
+ 	ps_process_pattern($1, portreserve_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 portreserve_t:process ptrace;
++	')
+ 
+ 	portreserve_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if
+--- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace	2011-10-05 14:34:03.534103591 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postfix.if	2011-10-05 14:34:03.839103915 -0400
+@@ -729,25 +729,36 @@ interface(`postfix_admin',`
+ 		type postfix_smtpd_t, postfix_var_run_t;
+ 	')
+ 
+-	allow $1 postfix_bounce_t:process { ptrace signal_perms };
++	allow $1 postfix_bounce_t:process signal_perms;
+ 	ps_process_pattern($1, postfix_bounce_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 postfix_bounce_t:process ptrace;
++	')
+ 
+-	allow $1 postfix_cleanup_t:process { ptrace signal_perms };
++	allow $1 postfix_cleanup_t:process signal_perms;
+ 	ps_process_pattern($1, postfix_cleanup_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 postfix_cleanup_t:process ptrace;
++		allow $1 postfix_local_t:process ptrace;
++		allow $1 postfix_master_t:process ptrace;
++		allow $1 postfix_pickup_t:process ptrace;
++		allow $1 postfix_qmgr_t:process ptrace;
++		allow $1 postfix_smtpd_t:process ptrace;
++	')
+ 
+-	allow $1 postfix_local_t:process { ptrace signal_perms };
++	allow $1 postfix_local_t:process signal_perms;
+ 	ps_process_pattern($1, postfix_local_t)
+ 
+-	allow $1 postfix_master_t:process { ptrace signal_perms };
++	allow $1 postfix_master_t:process signal_perms;
+ 	ps_process_pattern($1, postfix_master_t)
+ 
+-	allow $1 postfix_pickup_t:process { ptrace signal_perms };
++	allow $1 postfix_pickup_t:process signal_perms;
+ 	ps_process_pattern($1, postfix_pickup_t)
+ 
+-	allow $1 postfix_qmgr_t:process { ptrace signal_perms };
++	allow $1 postfix_qmgr_t:process signal_perms;
+ 	ps_process_pattern($1, postfix_qmgr_t)
+ 
+-	allow $1 postfix_smtpd_t:process { ptrace signal_perms };
++	allow $1 postfix_smtpd_t:process signal_perms;
+ 	ps_process_pattern($1, postfix_smtpd_t)
+ 
+ 	postfix_run_map($1, $2)
+diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if
+--- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace	2011-10-05 14:34:03.535103592 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if	2011-10-05 14:34:03.840103916 -0400
+@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
+ 		type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 postfix_policyd_t:process { ptrace signal_perms };
++	allow $1 postfix_policyd_t:process signal_perms;
+ 	ps_process_pattern($1, postfix_policyd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 postfix_policyd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if
+--- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace	2011-10-05 14:34:03.537103594 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postgresql.if	2011-10-05 14:34:03.840103916 -0400
+@@ -541,8 +541,11 @@ interface(`postgresql_admin',`
+ 
+ 	typeattribute $1 sepgsql_admin_type;
+ 
+-	allow $1 postgresql_t:process { ptrace signal_perms };
++	allow $1 postgresql_t:process signal_perms;
+ 	ps_process_pattern($1, postgresql_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 postgresql_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if
+--- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace	2011-10-05 14:34:03.538103595 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postgrey.if	2011-10-05 14:34:03.841103917 -0400
+@@ -62,8 +62,11 @@ interface(`postgrey_admin',`
+ 		type postgrey_var_lib_t, postgrey_var_run_t;
+ 	')
+ 
+-	allow $1 postgrey_t:process { ptrace signal_perms };
++	allow $1 postgrey_t:process signal_perms;
+ 	ps_process_pattern($1, postgrey_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 postgrey_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if
+--- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace	2011-10-05 14:34:03.539103596 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ppp.if	2011-10-05 14:34:03.841103917 -0400
+@@ -387,10 +387,14 @@ interface(`ppp_admin',`
+ 		type pppd_initrc_exec_t, pppd_etc_rw_t;
+ 	')
+ 
+-	allow $1 pppd_t:process { ptrace signal_perms };
++	allow $1 pppd_t:process signal_perms;
+ 	ps_process_pattern($1, pppd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 pppd_t:process ptrace;
++		allow $1 pptp_t:process ptrace;
++	')
+ 
+-	allow $1 pptp_t:process { ptrace signal_perms };
++	allow $1 pptp_t:process signal_perms;
+ 	ps_process_pattern($1, pptp_t)
+ 
+ 	ppp_initrc_domtrans($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if
+--- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace	2011-10-05 14:34:03.541103598 -0400
++++ serefpolicy-3.10.0/policy/modules/services/prelude.if	2011-10-05 14:34:03.842103918 -0400
+@@ -118,13 +118,18 @@ interface(`prelude_admin',`
+ 		type prelude_lml_t;
+ 	')
+ 
+-	allow $1 prelude_t:process { ptrace signal_perms };
++	allow $1 prelude_t:process signal_perms;
+ 	ps_process_pattern($1, prelude_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 prelude_t:process ptrace;
++		allow $1 prelude_audisp_t:process ptrace;
++		allow $1 prelude_lml_t:process ptrace;
++	')
+ 
+-	allow $1 prelude_audisp_t:process { ptrace signal_perms };
++	allow $1 prelude_audisp_t:process signal_perms;
+ 	ps_process_pattern($1, prelude_audisp_t)
+ 
+-	allow $1 prelude_lml_t:process { ptrace signal_perms };
++	allow $1 prelude_lml_t:process signal_perms;
+ 	ps_process_pattern($1, prelude_lml_t)
+ 
+ 	init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if
+--- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/privoxy.if	2011-10-05 14:34:03.843103919 -0400
+@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
+ 		type privoxy_etc_rw_t, privoxy_var_run_t;
+ 	')
+ 
+-	allow $1 privoxy_t:process { ptrace signal_perms };
++	allow $1 privoxy_t:process signal_perms;
+ 	ps_process_pattern($1, privoxy_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 privoxy_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if
+--- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace	2011-10-05 14:34:03.544103602 -0400
++++ serefpolicy-3.10.0/policy/modules/services/psad.if	2011-10-05 14:34:03.843103919 -0400
+@@ -295,8 +295,11 @@ interface(`psad_admin',`
+ 		type psad_tmp_t;
+ 	')
+ 
+-	allow $1 psad_t:process { ptrace signal_perms };
++	allow $1 psad_t:process signal_perms;
+ 	ps_process_pattern($1, psad_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 psad_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, psad_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te
+--- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace	2011-10-05 14:34:03.546103604 -0400
++++ serefpolicy-3.10.0/policy/modules/services/puppet.te	2011-10-05 14:34:03.844103920 -0400
+@@ -62,7 +62,11 @@ files_tmp_file(puppetmaster_tmp_t)
+ # Puppet personal policy
+ #
+ 
+-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
++allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
++tunable_policy(`allow_ptrace',`
++	allow puppet_t self:capability sys_ptrace;
++')
++
+ allow puppet_t self:process { signal signull getsched setsched };
+ allow puppet_t self:fifo_file rw_fifo_file_perms;
+ allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if
+--- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace	2011-10-05 14:34:03.548103606 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pyzor.if	2011-10-05 14:34:03.845103921 -0400
+@@ -29,7 +29,10 @@ interface(`pyzor_role',`
+ 
+ 	# allow ps to show pyzor and allow the user to kill it 
+ 	ps_process_pattern($2, pyzor_t)
+-	allow $2 pyzor_t:process { ptrace signal_perms };
++	allow $2 pyzor_t:process signal_perms;
++	tunable_policy(`allow_ptrace',`
++		allow $2 pyzor_t:process ptrace;
++	')
+ ')
+ 
+ ########################################
+@@ -113,8 +116,11 @@ interface(`pyzor_admin',`
+ 		type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
+ 	')
+ 
+-	allow $1 pyzord_t:process { ptrace signal_perms };
++	allow $1 pyzord_t:process signal_perms;
+ 	ps_process_pattern($1, pyzord_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 pyzord_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if
+--- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace	2011-10-05 14:34:03.551103609 -0400
++++ serefpolicy-3.10.0/policy/modules/services/qpid.if	2011-10-05 14:34:03.845103921 -0400
+@@ -177,8 +177,11 @@ interface(`qpidd_admin',`
+ 		type qpidd_t, qpidd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 qpidd_t:process { ptrace signal_perms };
++	allow $1 qpidd_t:process signal_perms;
+ 	ps_process_pattern($1, qpidd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 qpidd_t:process ptrace;
++	')
+ 
+ 	# Allow qpidd_t to restart the apache service
+ 	qpidd_initrc_domtrans($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if
+--- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/radius.if	2011-10-05 14:34:03.846103922 -0400
+@@ -38,8 +38,11 @@ interface(`radius_admin',`
+ 		type radiusd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 radiusd_t:process { ptrace signal_perms };
++	allow $1 radiusd_t:process signal_perms;
+ 	ps_process_pattern($1, radiusd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 radiusd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if
+--- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace	2011-10-05 14:34:03.553103611 -0400
++++ serefpolicy-3.10.0/policy/modules/services/radvd.if	2011-10-05 14:34:03.846103922 -0400
+@@ -23,8 +23,11 @@ interface(`radvd_admin',`
+ 		type radvd_var_run_t;
+ 	')
+ 
+-	allow $1 radvd_t:process { ptrace signal_perms };
++	allow $1 radvd_t:process signal_perms;
+ 	ps_process_pattern($1, radvd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 radvd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if
+--- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace	2011-10-05 14:34:03.554103612 -0400
++++ serefpolicy-3.10.0/policy/modules/services/razor.if	2011-10-05 14:34:03.847103923 -0400
+@@ -132,7 +132,10 @@ interface(`razor_role',`
+ 
+ 	# allow ps to show razor and allow the user to kill it 
+ 	ps_process_pattern($2, razor_t)
+-	allow $2 razor_t:process { ptrace signal_perms };
++	allow $2 razor_t:process signal_perms;
++	tunable_policy(`allow_ptrace',`
++		allow $2 razor_t:process ptrace;
++	')
+ 
+ 	manage_dirs_pattern($2, razor_home_t, razor_home_t)
+ 	manage_files_pattern($2, razor_home_t, razor_home_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if
+--- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace	2011-10-05 14:34:03.557103615 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if	2011-10-05 14:34:03.848103924 -0400
+@@ -117,8 +117,11 @@ interface(`rgmanager_admin',`
+ 		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
+ 	')
+ 
+-	allow $1 rgmanager_t:process { ptrace signal_perms };
++	allow $1 rgmanager_t:process signal_perms;
+ 	ps_process_pattern($1, rgmanager_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 rgmanager_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if
+--- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace	2011-10-05 14:34:03.562103621 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if	2011-10-05 14:34:03.848103924 -0400
+@@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',`
+ 	type rhsmcertd_var_run_t;
+ 	')
+ 
+-	allow $1 rhsmcertd_t:process { ptrace signal_perms };
++	allow $1 rhsmcertd_t:process signal_perms;
+ 	ps_process_pattern($1, rhsmcertd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 rhsmcertd_t:process ptrace;
++	')
+ 
+ 	rhsmcertd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if
+--- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace	2011-10-05 14:34:03.563103622 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ricci.if	2011-10-05 14:34:03.849103926 -0400
+@@ -245,8 +245,11 @@ interface(`ricci_admin',`
+ 		type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
+ 	')
+ 
+-	allow $1 ricci_t:process { ptrace signal_perms };
++	allow $1 ricci_t:process signal_perms;
+ 	ps_process_pattern($1, ricci_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 ricci_t:process ptrace;
++	')
+ 
+ 	ricci_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if
+--- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/roundup.if	2011-10-05 14:34:03.849103926 -0400
+@@ -23,8 +23,11 @@ interface(`roundup_admin',`
+ 		type roundup_initrc_exec_t;
+ 	')
+ 
+-	allow $1 roundup_t:process { ptrace signal_perms };
++	allow $1 roundup_t:process signal_perms;
+ 	ps_process_pattern($1, roundup_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 roundup_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if
+--- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace	2011-10-05 14:34:03.568103627 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if	2011-10-05 14:34:03.850103927 -0400
+@@ -155,8 +155,11 @@ interface(`rpcbind_admin',`
+ 		type rpcbind_initrc_exec_t;
+ 	')
+ 
+-	allow $1 rpcbind_t:process { ptrace signal_perms };
++	allow $1 rpcbind_t:process signal_perms;
+ 	ps_process_pattern($1, rpcbind_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 rpcbind_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te
+--- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace	2011-10-05 14:34:03.571103630 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rtkit.te	2011-10-05 14:34:03.851103928 -0400
+@@ -15,7 +15,10 @@ init_system_domain(rtkit_daemon_t, rtkit
+ # rtkit_daemon local policy
+ #
+ 
+-allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
++allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice };
++tunable_policy(`allow_ptrace',`
++	allow rtkit_daemon_t self:capability sys_ptrace;
++')
+ allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+ 
+ kernel_read_system_state(rtkit_daemon_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if
+--- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace	2011-10-05 14:34:03.572103631 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rwho.if	2011-10-05 14:34:03.851103928 -0400
+@@ -138,8 +138,11 @@ interface(`rwho_admin',`
+ 		type rwho_initrc_exec_t;
+ 	')
+ 
+-	allow $1 rwho_t:process { ptrace signal_perms };
++	allow $1 rwho_t:process signal_perms;
+ 	ps_process_pattern($1, rwho_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 rwho_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if
+--- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace	2011-10-05 14:34:03.574103633 -0400
++++ serefpolicy-3.10.0/policy/modules/services/samba.if	2011-10-05 14:34:03.852103929 -0400
+@@ -785,13 +785,18 @@ interface(`samba_admin',`
+ 		type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
+ 	')
+ 
+-	allow $1 smbd_t:process { ptrace signal_perms };
++	allow $1 smbd_t:process signal_perms;
+ 	ps_process_pattern($1, smbd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 smbd_t:process ptrace;
++		allow $1 nmbd_t:process ptrace;
++		allow $1 samba_unconfined_script_t:process ptrace;
++	')
+ 
+-	allow $1 nmbd_t:process { ptrace signal_perms };
++	allow $1 nmbd_t:process signal_perms;
+ 	ps_process_pattern($1, nmbd_t)
+ 
+-	allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
++	allow $1 samba_unconfined_script_t:process signal_perms;
+ 	ps_process_pattern($1, samba_unconfined_script_t)
+ 
+ 	samba_run_smbcontrol($1, $2, $3)
+diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if
+--- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/samhain.if	2011-10-05 14:34:03.853103930 -0400
+@@ -271,10 +271,14 @@ interface(`samhain_admin',`
+ 		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
+ 	')
+ 
+-	allow $1 samhain_t:process { ptrace signal_perms };
++	allow $1 samhain_t:process signal_perms;
+ 	ps_process_pattern($1, samhain_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 samhain_t:process ptrace;
++		allow $1 samhaind_t:process ptrace;
++	')
+ 
+-	allow $1 samhaind_t:process { ptrace signal_perms };
++	allow $1 samhaind_t:process signal_perms;
+ 	ps_process_pattern($1, samhaind_t)
+ 
+ 	files_list_var_lib($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if
+--- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace	2011-10-05 14:34:03.576103636 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sanlock.if	2011-10-05 14:34:03.854103931 -0400
+@@ -99,8 +99,11 @@ interface(`sanlock_admin',`
+ 		type sanlock_initrc_exec_t;
+ 	')
+ 
+-	allow $1 sanlock_t:process { ptrace signal_perms };
++	allow $1 sanlock_t:process signal_perms;
+ 	ps_process_pattern($1, sanlock_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 sanlock_t:process ptrace;
++	')
+ 
+ 	sanlock_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if
+--- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace	2011-10-05 14:34:03.577103637 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sasl.if	2011-10-05 14:34:03.854103931 -0400
+@@ -42,8 +42,11 @@ interface(`sasl_admin',`
+ 		type saslauthd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 saslauthd_t:process { ptrace signal_perms };
++	allow $1 saslauthd_t:process signal_perms;
+ 	ps_process_pattern($1, saslauthd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 saslauthd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if
+--- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace	2011-10-05 14:34:03.578103638 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sblim.if	2011-10-05 14:34:03.855103932 -0400
+@@ -65,11 +65,15 @@ interface(`sblim_admin',`
+ 		type sblim_var_run_t;
+ 	')
+ 
+-	allow $1 sblim_gatherd_t:process { ptrace signal_perms };
++	allow $1 sblim_gatherd_t:process signal_perms;
+ 	ps_process_pattern($1, sblim_gatherd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 sblim_gatherd_t:process ptrace;
++		allow $1 sblim_reposd_t:process ptrace;
++	')
+ 
+-	allow $1 sblim_reposd_t:process { ptrace signal_perms };
+-    ps_process_pattern($1, sblim_reposd_t)
++	allow $1 sblim_reposd_t:process signal_perms;
++	ps_process_pattern($1, sblim_reposd_t)
+ 
+ 	files_search_pids($1)
+ 	admin_pattern($1, sblim_var_run_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te
+--- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace	2011-10-05 14:34:03.578103638 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sblim.te	2011-10-05 14:34:03.855103932 -0400
+@@ -24,7 +24,8 @@ files_pid_file(sblim_var_run_t)
+ #
+ 
+ #needed by ps
+-allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
++allow sblim_gatherd_t self:capability { kill dac_override };
++dontaudit sblim_gatherd_t self:capability sys_ptrace;
+ allow sblim_gatherd_t self:process signal;
+ 
+ allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if
+--- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace	2011-10-05 14:34:03.579103639 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sendmail.if	2011-10-05 14:34:03.856103933 -0400
+@@ -334,10 +334,14 @@ interface(`sendmail_admin',`
+ 		type mail_spool_t;
+ 	')
+ 
+-	allow $1 sendmail_t:process { ptrace signal_perms };
++	allow $1 sendmail_t:process signal_perms;
+ 	ps_process_pattern($1, sendmail_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 sendmail_t:process ptrace;
++		allow $1 unconfined_sendmail_t:process ptrace;
++	')
+ 
+-	allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
++	allow $1 unconfined_sendmail_t:process signal_perms;
+ 	ps_process_pattern($1, unconfined_sendmail_t)
+ 
+ 	sendmail_initrc_domtrans($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if
+--- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace	2011-10-05 14:34:03.581103641 -0400
++++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if	2011-10-05 14:34:03.856103933 -0400
+@@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',`
+ 		type setroubleshoot_var_lib_t;
+ 	')
+ 
+-	allow $1 setroubleshootd_t:process { ptrace signal_perms };
++	allow $1 setroubleshootd_t:process signal_perms;
+ 	ps_process_pattern($1, setroubleshootd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 setroubleshootd_t:process ptrace;
++	')
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, setroubleshoot_var_log_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if
+--- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace	2011-10-05 14:34:03.582103642 -0400
++++ serefpolicy-3.10.0/policy/modules/services/smartmon.if	2011-10-05 14:34:03.857103934 -0400
+@@ -42,8 +42,11 @@ interface(`smartmon_admin',`
+ 		type fsdaemon_initrc_exec_t;
+ 	')
+ 
+-	allow $1 fsdaemon_t:process { ptrace signal_perms };
++	allow $1 fsdaemon_t:process signal_perms;
+ 	ps_process_pattern($1, fsdaemon_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 smartmon_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if
+--- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/smokeping.if	2011-10-05 14:34:03.857103934 -0400
+@@ -153,8 +153,11 @@ interface(`smokeping_admin',`
+ 		type smokeping_t, smokeping_initrc_exec_t;
+ 	')
+ 
+-	allow $1 smokeping_t:process { ptrace signal_perms };
++	allow $1 smokeping_t:process signal_perms;
+ 	ps_process_pattern($1, smokeping_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 smokeping_t:process ptrace;
++	')
+ 
+ 	smokeping_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if
+--- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace	2011-10-05 14:34:03.584103644 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snmp.if	2011-10-05 14:34:03.858103935 -0400
+@@ -168,8 +168,11 @@ interface(`snmp_admin',`
+ 		type snmpd_var_lib_t, snmpd_var_run_t;
+ 	')
+ 
+-	allow $1 snmpd_t:process { ptrace signal_perms };
++	allow $1 snmpd_t:process signal_perms;
+ 	ps_process_pattern($1, snmpd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 snmpd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te
+--- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace	2011-10-05 14:34:03.585103645 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snmp.te	2011-10-05 14:34:03.858103935 -0400
+@@ -26,7 +26,11 @@ files_type(snmpd_var_lib_t)
+ # Local policy
+ #
+ 
+-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
++allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config };
++tunable_policy(`allow_ptrace',`
++	allow snmpd_t self:capability sys_ptrace;
++')
++
+ dontaudit snmpd_t self:capability { sys_module sys_tty_config };
+ allow snmpd_t self:process { signal_perms getsched setsched };
+ allow snmpd_t self:fifo_file rw_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if
+--- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace	2011-10-05 14:34:03.585103645 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snort.if	2011-10-05 14:34:03.859103936 -0400
+@@ -41,8 +41,11 @@ interface(`snort_admin',`
+ 		type snort_etc_t, snort_initrc_exec_t;
+ 	')
+ 
+-	allow $1 snort_t:process { ptrace signal_perms };
++	allow $1 snort_t:process signal_perms;
+ 	ps_process_pattern($1, snort_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 snort_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, snort_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if
+--- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace	2011-10-05 14:34:03.586103646 -0400
++++ serefpolicy-3.10.0/policy/modules/services/soundserver.if	2011-10-05 14:34:03.860103937 -0400
+@@ -37,8 +37,11 @@ interface(`soundserver_admin',`
+ 		type soundd_tmp_t, soundd_var_run_t;
+ 	')
+ 
+-	allow $1 soundd_t:process { ptrace signal_perms };
++	allow $1 soundd_t:process signal_perms;
+ 	ps_process_pattern($1, soundd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 soundd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if
+--- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace	2011-10-05 14:34:03.587103647 -0400
++++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if	2011-10-05 14:34:03.861103938 -0400
+@@ -27,12 +27,12 @@ interface(`spamassassin_role',`
+ 
+ 	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
+ 
+-	allow $2 spamassassin_t:process { ptrace signal_perms };
++	allow $2 spamassassin_t:process signal_perms;
+ 	ps_process_pattern($2, spamassassin_t)
+ 
+ 	domtrans_pattern($2, spamc_exec_t, spamc_t)
+ 
+-	allow $2 spamc_t:process { ptrace signal_perms };
++	allow $2 spamc_t:process signal_perms;
+ 	ps_process_pattern($2, spamc_t)
+ 
+ 	manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
+@@ -337,8 +337,11 @@ interface(`spamassassin_spamd_admin',`
+ 		type spamd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 spamd_t:process { ptrace signal_perms };
++	allow $1 spamd_t:process signal_perms;
+ 	ps_process_pattern($1, spamd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 spamd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if
+--- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace	2011-10-05 14:34:03.590103650 -0400
++++ serefpolicy-3.10.0/policy/modules/services/squid.if	2011-10-05 14:34:03.861103938 -0400
+@@ -209,8 +209,11 @@ interface(`squid_admin',`
+ 		type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
+ 	')
+ 
+-	allow $1 squid_t:process { ptrace signal_perms };
++	allow $1 squid_t:process signal_perms;
+ 	ps_process_pattern($1, squid_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 squid_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, squid_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if
+--- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace	2011-10-05 14:34:03.732103801 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ssh.if	2011-10-05 14:34:03.862103939 -0400
+@@ -367,7 +367,7 @@ template(`ssh_role_template',`
+ 
+ 	# allow ps to show ssh
+ 	ps_process_pattern($3, ssh_t)
+-	allow $3 ssh_t:process { ptrace signal_perms };
++	allow $3 ssh_t:process signal_perms;
+ 
+ 	# for rsync
+ 	allow ssh_t $3:unix_stream_socket rw_socket_perms;
+@@ -402,7 +402,7 @@ template(`ssh_role_template',`
+ 	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
+ 
+ 	# Allow the user shell to signal the ssh program.
+-	allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
++	allow $3 $1_ssh_agent_t:process signal_perms;
+ 
+ 	# allow ps to show ssh
+ 	ps_process_pattern($3, $1_ssh_agent_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if
+--- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace	2011-10-05 14:34:03.593103654 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sssd.if	2011-10-05 14:34:03.863103940 -0400
+@@ -232,8 +232,11 @@ interface(`sssd_admin',`
+ 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 sssd_t:process { ptrace signal_perms };
++	allow $1 sssd_t:process signal_perms;
+ 	ps_process_pattern($1, sssd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 sssd_t:process ptrace;
++	')
+ 
+ 	# Allow sssd_t to restart the apache service
+ 	sssd_initrc_domtrans($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if
+--- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace	2011-10-05 14:34:03.597103658 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tcsd.if	2011-10-05 14:34:03.863103940 -0400
+@@ -137,8 +137,11 @@ interface(`tcsd_admin',`
+ 		type tcsd_var_lib_t;
+ 	')
+ 
+-	allow $1 tcsd_t:process { ptrace signal_perms };
++	allow $1 tcsd_t:process signal_perms;
+ 	ps_process_pattern($1, tcsd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 tcsd_t:process ptrace;
++	')
+ 
+ 	tcsd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if
+--- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace	2011-10-05 14:34:03.598103659 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tftp.if	2011-10-05 14:34:03.864103941 -0400
+@@ -109,8 +109,11 @@ interface(`tftp_admin',`
+ 		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
+ 	')
+ 
+-	allow $1 tftpd_t:process { ptrace signal_perms };
++	allow $1 tftpd_t:process signal_perms;
+ 	ps_process_pattern($1, tftpd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 tftp_t:process ptrace;
++	')
+ 
+ 	files_list_var_lib($1)
+ 	admin_pattern($1, tftpdir_rw_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if
+--- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace	2011-10-05 14:34:03.600103661 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tor.if	2011-10-05 14:34:03.864103941 -0400
+@@ -42,8 +42,11 @@ interface(`tor_admin',`
+ 		type tor_initrc_exec_t;
+ 	')
+ 
+-	allow $1 tor_t:process { ptrace signal_perms };
++	allow $1 tor_t:process signal_perms;
+ 	ps_process_pattern($1, tor_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 tor_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, tor_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if
+--- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace	2011-10-05 14:34:03.601103662 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tuned.if	2011-10-05 14:34:03.865103943 -0400
+@@ -115,8 +115,11 @@ interface(`tuned_admin',`
+ 		type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
+ 	')
+ 
+-	allow $1 tuned_t:process { ptrace signal_perms };
++	allow $1 tuned_t:process signal_perms;
+ 	ps_process_pattern($1, tuned_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 tuned_t:process ptrace;
++	')
+ 
+ 	tuned_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if
+--- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ulogd.if	2011-10-05 14:34:03.865103943 -0400
+@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
+ 		type ulogd_var_log_t, ulogd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 ulogd_t:process { ptrace signal_perms };
++	allow $1 ulogd_t:process signal_perms;
+ 	ps_process_pattern($1, ulogd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 ulogd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if
+--- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/uucp.if	2011-10-05 14:34:03.866103944 -0400
+@@ -99,8 +99,11 @@ interface(`uucp_admin',`
+ 		type uucpd_var_run_t;
+ 	')
+ 
+-	allow $1 uucpd_t:process { ptrace signal_perms };
++	allow $1 uucpd_t:process signal_perms;
+ 	ps_process_pattern($1, uucpd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 uucpd_t:process ptrace;
++	')
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, uucpd_log_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if
+--- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace	2011-10-05 14:34:03.606103667 -0400
++++ serefpolicy-3.10.0/policy/modules/services/uuidd.if	2011-10-05 14:34:03.866103944 -0400
+@@ -177,8 +177,11 @@ interface(`uuidd_admin',`
+ 	type uuidd_var_run_t;
+ 	')
+ 
+-	allow $1 uuidd_t:process { ptrace signal_perms };
++	allow $1 uuidd_t:process signal_perms;
+ 	ps_process_pattern($1, uuidd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 uuidd_t:process ptrace;
++	')
+ 
+ 	uuidd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if
+--- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/services/varnishd.if	2011-10-05 14:34:03.867103945 -0400
+@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',`
+ 		type varnishlog_var_run_t;
+ 	')
+ 
+-	allow $1 varnishlog_t:process { ptrace signal_perms };
++	allow $1 varnishlog_t:process signal_perms;
+ 	ps_process_pattern($1, varnishlog_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 varnishd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+@@ -194,8 +197,11 @@ interface(`varnishd_admin',`
+ 		type varnishd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 varnishd_t:process { ptrace signal_perms };
++	allow $1 varnishd_t:process signal_perms;
+ 	ps_process_pattern($1, varnishd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 varnishd_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if
+--- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace	2011-10-05 14:34:03.608103670 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vdagent.if	2011-10-05 14:34:03.868103946 -0400
+@@ -118,8 +118,11 @@ interface(`vdagent_admin',`
+                 type vdagent_var_run_t;
+ 	')
+ 
+-	allow $1 vdagent_t:process { ptrace signal_perms };
++	allow $1 vdagent_t:process signal_perms;
+ 	ps_process_pattern($1, vdagent_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 vdagent_t:process ptrace;
++	')
+ 
+ 	files_search_pids($1)
+ 	admin_pattern($1, vdagent_var_run_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if
+--- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace	2011-10-05 14:34:03.609103671 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if	2011-10-05 14:34:03.869103947 -0400
+@@ -210,8 +210,11 @@ interface(`vhostmd_admin',`
+ 		type vhostmd_t, vhostmd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 vhostmd_t:process { ptrace signal_perms };
++	allow $1 vhostmd_t:process signal_perms;
+ 	ps_process_pattern($1, vhostmd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 vhostmd_t:process ptrace;
++	')
+ 
+ 	vhostmd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if
+--- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace	2011-10-05 14:34:03.611103673 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.if	2011-10-05 14:34:03.870103948 -0400
+@@ -618,10 +618,14 @@ interface(`virt_admin',`
+ 		type virt_lxc_t;
+ 	')
+ 
+-	allow $1 virtd_t:process { ptrace signal_perms };
++	allow $1 virtd_t:process signal_perms;
+ 	ps_process_pattern($1, virtd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 virtd_t:process ptrace;
++		allow $1 virt_lxc_t:process ptrace;
++	')
+ 
+-	allow $1 virt_lxc_t:process { ptrace signal_perms };
++	allow $1 virt_lxc_t:process signal_perms;
+ 	ps_process_pattern($1, virt_lxc_t)
+ 
+ 	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+@@ -637,7 +641,7 @@ interface(`virt_admin',`
+ 
+ 	virt_manage_images($1)
+ 
+-	allow $1 virt_domain:process { ptrace signal_perms };
++	allow $1 virt_domain:process signal_perms;
+ ')
+ 
+ ########################################
+diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te
+--- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace	2011-10-05 14:34:03.685103751 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-05 14:34:03.870103948 -0400
+@@ -247,7 +247,11 @@ optional_policy(`
+ # virtd local policy
+ #
+ 
+-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
++allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
++tunable_policy(`allow_ptrace',`
++	allow virtd_t self:capability sys_ptrace;
++')
++
+ allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ ifdef(`hide_broken_symptoms',`
+ 	# caused by some bogus kernel code
+diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if
+--- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace	2011-10-05 14:34:03.613103675 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if	2011-10-05 14:34:03.871103949 -0400
+@@ -136,8 +136,11 @@ interface(`vnstatd_admin',`
+ 		type vnstatd_t, vnstatd_var_lib_t;
+ 	')
+ 
+-	allow $1 vnstatd_t:process { ptrace signal_perms };
++	allow $1 vnstatd_t:process signal_perms;
+ 	ps_process_pattern($1, vnstatd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 vnstatd_t:process ptrace;
++	')
+ 
+ 	files_list_var_lib($1)
+ 	admin_pattern($1, vnstatd_var_lib_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if
+--- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace	2011-10-05 14:34:03.615103677 -0400
++++ serefpolicy-3.10.0/policy/modules/services/wdmd.if	2011-10-05 14:34:03.872103950 -0400
+@@ -62,8 +62,11 @@ interface(`wdmd_admin',`
+ 		type wdmd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 wdmd_t:process { ptrace signal_perms };
++	allow $1 wdmd_t:process signal_perms;
+ 	ps_process_pattern($1, wdmd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 wdmd_t:process ptrace;
++	')
+ 
+ 	wdmd_initrc_domtrans($1)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te
+--- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace	2011-10-05 14:34:03.734103803 -0400
++++ serefpolicy-3.10.0/policy/modules/services/xserver.te	2011-10-05 14:34:03.873103951 -0400
+@@ -417,8 +417,14 @@ optional_policy(`
+ # XDM Local policy
+ #
+ 
+-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
+-allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace };
++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
++dontaudit xdm_t self:capability sys_ptrace;
++
++allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
++tunable_policy(`allow_ptrace',`
++	allow xdm_t self:process ptrace;
++')
++
+ allow xdm_t self:fifo_file rw_fifo_file_perms;
+ allow xdm_t self:shm create_shm_perms;
+ allow xdm_t self:sem create_sem_perms;
+@@ -929,7 +935,11 @@ allow xserver_t input_xevent_t:x_event s
+ # execheap needed until the X module loader is fixed.
+ # NVIDIA Needs execstack
+ 
+-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++tunable_policy(`allow_ptrace',`
++	allow xserver_t self:capability sys_ptrace;
++')
++
+ dontaudit xserver_t self:capability chown;
+ allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow xserver_t self:fd use;
+diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if
+--- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace	2011-10-05 14:34:03.621103683 -0400
++++ serefpolicy-3.10.0/policy/modules/services/zabbix.if	2011-10-05 14:34:03.873103951 -0400
+@@ -142,8 +142,11 @@ interface(`zabbix_admin',`
+ 		type zabbix_initrc_exec_t;
+ 	')
+ 
+-	allow $1 zabbix_t:process { ptrace signal_perms };
++	allow $1 zabbix_t:process signal_perms;
+ 	ps_process_pattern($1, zabbix_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 zabbix_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if
+--- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace	2011-10-05 14:34:03.623103686 -0400
++++ serefpolicy-3.10.0/policy/modules/services/zebra.if	2011-10-05 14:34:03.874103952 -0400
+@@ -64,8 +64,11 @@ interface(`zebra_admin',`
+ 		type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
+ 	')
+ 
+-	allow $1 zebra_t:process { ptrace signal_perms };
++	allow $1 zebra_t:process signal_perms;
+ 	ps_process_pattern($1, zebra_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 zebra_t:process ptrace;
++	')
+ 
+ 	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if
+--- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace	2011-10-05 14:34:03.634103697 -0400
++++ serefpolicy-3.10.0/policy/modules/system/init.if	2011-10-05 14:34:03.875103953 -0400
+@@ -1123,7 +1123,9 @@ interface(`init_ptrace',`
+ 		type init_t;
+ 	')
+ 
+-	allow $1 init_t:process ptrace;
++	tunable_policy(`allow_ptrace',`
++		allow $1 init_t:process ptrace;
++	')
+ ')
+ 
+ ########################################
+diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te
+--- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace	2011-10-05 14:34:03.713103781 -0400
++++ serefpolicy-3.10.0/policy/modules/system/init.te	2011-10-05 14:34:03.875103953 -0400
+@@ -121,7 +121,7 @@ ifdef(`enable_mls',`
+ #
+ 
+ # Use capabilities. old rule:
+-allow init_t self:capability ~{ audit_control audit_write sys_module };
++allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module };
+ # is ~sys_module really needed? observed:
+ # sys_boot
+ # sys_tty_config
+@@ -406,7 +406,8 @@ optional_policy(`
+ #
+ 
+ allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+-allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
++allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
++
+ dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+ allow initrc_t self:passwd rootok;
+ allow initrc_t self:key manage_key_perms;
+diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te
+--- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace	2011-10-05 14:34:03.637103700 -0400
++++ serefpolicy-3.10.0/policy/modules/system/ipsec.te	2011-10-05 14:34:03.876103954 -0400
+@@ -194,7 +194,7 @@ optional_policy(`
+ 
+ allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+ dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
+-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
++allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te
+--- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace	2011-10-05 14:34:03.642103706 -0400
++++ serefpolicy-3.10.0/policy/modules/system/locallogin.te	2011-10-05 14:34:03.877103955 -0400
+@@ -32,7 +32,7 @@ role system_r types sulogin_t;
+ # Local login local policy
+ #
+ 
+-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };
++allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+ allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
+ allow local_login_t self:fd use;
+ allow local_login_t self:fifo_file rw_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if
+--- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace	2011-10-05 14:34:03.643103707 -0400
++++ serefpolicy-3.10.0/policy/modules/system/logging.if	2011-10-05 14:34:03.878103956 -0400
+@@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',`
+ 		type auditd_initrc_exec_t;
+ 	')
+ 
+-	allow $1 auditd_t:process { ptrace signal_perms };
++	allow $1 auditd_t:process signal_perms;
+ 	ps_process_pattern($1, auditd_t)
+ 
++	tunable_policy(`allow_ptrace',`
++		allow $1 auditd_t:process ptrace;
++	')
++
+ 	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
+ 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ 
+@@ -1142,10 +1146,14 @@ interface(`logging_admin_syslog',`
+ 	')
+ 
+ 	allow $1 self:capability2 syslog;
+-	allow $1 syslogd_t:process { ptrace signal_perms };
+-	allow $1 klogd_t:process { ptrace signal_perms };
++	allow $1 syslogd_t:process signal_perms;
++	allow $1 klogd_t:process signal_perms;
+ 	ps_process_pattern($1, syslogd_t)
+ 	ps_process_pattern($1, klogd_t)
++	tunable_policy(`allow_ptrace',`
++		allow $1 syslogd_t:process ptrace;
++		allow $1 klogd_t:process ptrace;
++	')
+ 
+ 	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
+ 	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
+diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te
+--- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace	2011-10-05 14:34:03.650103714 -0400
++++ serefpolicy-3.10.0/policy/modules/system/mount.te	2011-10-05 14:34:03.878103956 -0400
+@@ -48,7 +48,11 @@ role system_r types showmount_t;
+ 
+ # setuid/setgid needed to mount cifs 
+ allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
+-allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
++allow mount_t self:process { getcap getsched setcap setrlimit signal };
++tunable_policy(`allow_ptrace',`
++	allow mount_t self:process ptrace;
++')
++
+ allow mount_t self:fifo_file rw_fifo_file_perms;
+ allow mount_t self:unix_stream_socket create_stream_socket_perms;
+ allow mount_t self:unix_dgram_socket create_socket_perms; 
+diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te
+--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace	2011-10-05 14:34:03.658103723 -0400
++++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te	2011-10-05 14:34:03.879103957 -0400
+@@ -54,7 +54,10 @@ allow dhcpc_t self:capability { dac_over
+ dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms };
++tunable_policy(`allow_ptrace',`
++	allow dhcpc_t self:process ptrace;
++')
+ 
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te
+--- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace	2011-10-05 14:34:03.661103726 -0400
++++ serefpolicy-3.10.0/policy/modules/system/udev.te	2011-10-05 14:34:03.879103957 -0400
+@@ -34,7 +34,11 @@ ifdef(`enable_mcs',`
+ # Local policy
+ #
+ 
+-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
++allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
++tunable_policy(`allow_ptrace',`
++	allow udev_t self:capability sys_ptrace;
++')
++
+ dontaudit udev_t self:capability sys_tty_config;
+ 
+ ifdef(`hide_broken_symptoms',`
+@@ -42,7 +46,11 @@ ifdef(`hide_broken_symptoms',`
+ 	dontaudit udev_t self:capability sys_module;
+ ')
+ 
+-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++tunable_policy(`allow_ptrace',`
++	allow udev_t self:process ptrace;
++')
++
+ allow udev_t self:process { execmem setfscreate };
+ allow udev_t self:fd use;
+ allow udev_t self:fifo_file rw_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if
+--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace	2011-10-05 14:34:03.676103742 -0400
++++ serefpolicy-3.10.0/policy/modules/system/unconfined.if	2011-10-05 14:34:03.880103958 -0400
+@@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',`
+ 	')
+ 
+ 	# Use any Linux capability.
+-	allow $1 self:capability ~sys_module;
++
++	allow $1 self:capability ~{ sys_module sys_ptrace };
++	tunable_policy(`allow_ptrace',`
++		allow $1 self:capability sys_ptrace;
++	')
++
+ 	allow $1 self:capability2 syslog;
+ 	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
+ 
+diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace	2011-10-05 14:34:03.736103806 -0400
++++ serefpolicy-3.10.0/policy/modules/system/userdomain.if	2011-10-05 14:34:03.881103960 -0400
+@@ -40,7 +40,10 @@ template(`userdom_base_user_template',`
+ 	role $1_r types $1_t;
+ 	allow system_r $1_r;
+ 
+-	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++	allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
++	tunable_policy(`allow_ptrace',`
++		allow $1_usertype $1_usertype:process ptrace;
++	')
+ 	allow $1_usertype $1_usertype:fd use;
+ 	allow $1_usertype $1_usertype:key { create view read write search link setattr };
+ 
+@@ -594,7 +597,7 @@ template(`userdom_login_user_template',
+ 	allow $1_t self:capability { setgid chown fowner };
+ 	dontaudit $1_t self:capability { sys_nice fsetid };
+ 
+-	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
++	allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+ 	dontaudit $1_t self:process setrlimit;
+ 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+ 
+@@ -1052,7 +1055,7 @@ template(`userdom_admin_user_template',`
+ 	# $1_t local policy
+ 	#
+ 
+-	allow $1_t self:capability ~{ sys_module audit_control audit_write };
++	allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
+ 	allow $1_t self:capability2 syslog;
+ 	allow $1_t self:process { setexec setfscreate };
+ 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+@@ -3638,7 +3641,9 @@ interface(`userdom_ptrace_all_users',`
+ 		attribute userdomain;
+ 	')
+ 
+-	allow $1 userdomain:process ptrace;
++	tunable_policy(`allow_ptrace',`
++		allow $1 userdomain:process ptrace;
++	')
+ ')
+ 
+ ########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 25fe1b98..11ecaf74 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 38%{?dist}
+Release: 38.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -246,7 +246,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1 -b .execmem
-#%patch5 -p1 -b .userdomain
+%patch5 -p1 -b .userdomain
 %patch6 -p1 -b .apache
 #%patch7 -p1 -b .ptrace
 
@@ -480,6 +480,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Oct 6 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-38.1
+- Shrink size of policy through use of attributes for userdomain and apache
+
 * Wed Oct 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-38
 - Allow virsh to read xenstored pid file
 - Backport corenetwork fixes from upstream
diff --git a/userdomain.patch b/userdomain.patch
new file mode 100644
index 00000000..8556ed4d
--- /dev/null
+++ b/userdomain.patch
@@ -0,0 +1,1395 @@
+diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
+index 66cf96c..a6d907b 100644
+--- a/policy/modules/admin/usermanage.if
++++ b/policy/modules/admin/usermanage.if
+@@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',`
+ 	role $2 types useradd_t;
+ 
+ 	# Add/remove user home directories
+-	userdom_manage_home_role($2, useradd_t)
++	userdom_manage_home_role($2)
+ 
+ 	seutil_run_semanage(useradd_t, $2)
+ 
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 4779a8d..7d7efd7 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -509,7 +509,7 @@ seutil_domtrans_setfiles(useradd_t)
+ userdom_use_unpriv_users_fds(useradd_t)
+ # Add/remove user home directories
+ userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_manage_home_role(system_r, useradd_t)
++userdom_manage_home(useradd_t)
+ 
+ mta_manage_spool(useradd_t)
+ 
+diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
+index e23f640..182d6d1 100644
+--- a/policy/modules/apps/execmem.if
++++ b/policy/modules/apps/execmem.if
+@@ -57,8 +57,6 @@ template(`execmem_role_template',`
+ 	role $2 types $1_execmem_t;
+ 
+ 	userdom_unpriv_usertype($1, $1_execmem_t)
+-	userdom_manage_tmp_role($2, $1_execmem_t)
+-	userdom_manage_tmpfs_role($2, $1_execmem_t)
+ 
+ 	allow $1_execmem_t self:process { execmem execstack };
+ 	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
+diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
+index 7c398c0..c64cced 100644
+--- a/policy/modules/apps/java.if
++++ b/policy/modules/apps/java.if
+@@ -73,7 +73,8 @@ template(`java_role_template',`
+ 	domain_interactive_fd($1_java_t)
+ 
+ 	userdom_unpriv_usertype($1, $1_java_t)
+-	userdom_manage_tmpfs_role($2, $1_java_t)
++	userdom_manage_tmpfs_role($2)
++	userdom_manage_tmpfs($1_java_t)
+ 
+ 	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+ 
+diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
+index 1fa8573..8179185 100644
+--- a/policy/modules/apps/mono.if
++++ b/policy/modules/apps/mono.if
+@@ -49,7 +49,8 @@ template(`mono_role_template',`
+ 	corecmd_bin_domtrans($1_mono_t, $1_t)
+ 
+ 	userdom_unpriv_usertype($1, $1_mono_t)
+-	userdom_manage_tmpfs_role($2, $1_mono_t)
++	userdom_manage_tmpfs_role($2)
++	userdom_manage_tmpfs($1_mono_t)
+ 
+ 	optional_policy(`
+ 		xserver_role($1_r, $1_mono_t)
+diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
+index 83fc139..596232f 100644
+--- a/policy/modules/apps/mozilla.if
++++ b/policy/modules/apps/mozilla.if
+@@ -51,7 +51,7 @@ interface(`mozilla_role',`
+ 	mozilla_run_plugin(mozilla_t, $1)
+ 	mozilla_dbus_chat($2)
+ 
+-	userdom_manage_tmp_role($1, mozilla_t)
++	userdom_manage_tmp_role($1)
+ 
+ 	optional_policy(`
+ 		nsplugin_role($1, mozilla_t)
+diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
+index 1925bd9..0a794bc 100644
+--- a/policy/modules/apps/nsplugin.if
++++ b/policy/modules/apps/nsplugin.if
+@@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', `
+ 	userdom_use_inherited_user_terminals(nsplugin_t)
+ 	userdom_use_inherited_user_terminals(nsplugin_config_t)
+ 	userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
+-	userdom_manage_tmpfs_role($1, nsplugin_t)
++	userdom_manage_tmpfs_role($1)
+ 
+ 	optional_policy(`
+ 		pulseaudio_role($1, nsplugin_t)
+diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
+index 9bf1dd8..564d1ea 100644
+--- a/policy/modules/apps/nsplugin.te
++++ b/policy/modules/apps/nsplugin.te
+@@ -284,6 +284,7 @@ userdom_search_user_home_content(nsplugin_config_t)
+ userdom_read_user_home_content_symlinks(nsplugin_config_t)
+ userdom_read_user_home_content_files(nsplugin_config_t)
+ userdom_dontaudit_search_admin_dir(nsplugin_config_t)
++userdom_manage_tmpfs(nsplugin_t)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+ 	fs_getattr_nfs(nsplugin_t)
+diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
+index 9a5e99c..1e6cf7d 100644
+--- a/policy/modules/apps/pulseaudio.if
++++ b/policy/modules/apps/pulseaudio.if
+@@ -35,9 +35,9 @@ interface(`pulseaudio_role',`
+ 	allow pulseaudio_t $2:unix_stream_socket connectto;
+ 	allow $2 pulseaudio_t:unix_stream_socket connectto;
+ 
+-	userdom_manage_home_role($1, pulseaudio_t)
+-	userdom_manage_tmp_role($1, pulseaudio_t)
+-	userdom_manage_tmpfs_role($1, pulseaudio_t)
++	userdom_manage_home_role($1)
++	userdom_manage_tmp_role($1)
++	userdom_manage_tmpfs_role($1)
+ 
+ 	allow $2 pulseaudio_t:dbus send_msg;
+ 	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
+diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
+index 8522ab4..6941c29 100644
+--- a/policy/modules/apps/pulseaudio.te
++++ b/policy/modules/apps/pulseaudio.te
+@@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
+ 
+ miscfiles_read_localization(pulseaudio_t)
+ 
++userdom_manage_home(pulseaudio_t)
++userdom_manage_tmp(pulseaudio_t)
++userdom_manage_tmpfs(pulseaudio_t)
++
+ optional_policy(`
+ 	alsa_read_rw_config(pulseaudio_t)
+ ')
+diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
+index 8895098..19438a5 100644
+--- a/policy/modules/apps/userhelper.if
++++ b/policy/modules/apps/userhelper.if
+@@ -294,7 +294,7 @@ template(`userhelper_console_role_template',`
+ 
+ 	auth_use_pam($1_consolehelper_t)
+ 
+-	userdom_manage_tmpfs_role($2, $1_consolehelper_t)
++	userdom_manage_tmpfs_role($2)
+ 
+ 	optional_policy(`
+ 		dbus_connect_session_bus($1_consolehelper_t)
+diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
+index 8ce8577..f967898 100644
+--- a/policy/modules/apps/userhelper.te
++++ b/policy/modules/apps/userhelper.te
+@@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain)
+ userdom_use_user_ptys(consolehelper_domain)
+ userdom_use_user_ttys(consolehelper_domain)
+ userdom_read_user_home_content_files(consolehelper_domain)
++userdom_manage_tmpfs(consolehelper_domain)
+ 
+ optional_policy(`
+ 	gnome_read_gconf_home_files(consolehelper_domain)
+diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
+index e10101a..cf453e6 100644
+--- a/policy/modules/apps/wine.if
++++ b/policy/modules/apps/wine.if
+@@ -105,7 +105,8 @@ template(`wine_role_template',`
+ 	corecmd_bin_domtrans($1_wine_t, $1_t)
+ 
+ 	userdom_unpriv_usertype($1, $1_wine_t)
+-	userdom_manage_tmpfs_role($2, $1_wine_t)
++	userdom_manage_tmpfs_role($2)
++	userdom_manage_tmpfs($1_wine_t)
+ 
+ 	domain_mmap_low($1_wine_t)
+ 
+diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
+index 50c1a74..d618395 100644
+--- a/policy/modules/apps/wm.if
++++ b/policy/modules/apps/wm.if
+@@ -77,9 +77,13 @@ template(`wm_role_template',`
+ 	miscfiles_read_fonts($1_wm_t)
+ 	miscfiles_read_localization($1_wm_t)
+ 
+-	userdom_manage_home_role($2, $1_wm_t)
+-	userdom_manage_tmpfs_role($2, $1_wm_t)
+-	userdom_manage_tmp_role($2, $1_wm_t)
++	userdom_manage_home_role($2)
++	userdom_manage_home($1_wm_t)
++	userdom_manage_tmpfs_role($2)
++	userdom_manage_tmpfs($1_wm_t)
++	userdom_manage_tmp_role($2)
++	userdom_manage_tmp($1_wm_t)
++
+ 	userdom_exec_user_tmp_files($1_wm_t)
+ 
+ 	optional_policy(`
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index e1113e0..5bcd298 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true)
+ # calls is not correct, however we dont currently
+ # have another method to add access to these types
+ userdom_base_user_template(unconfined)
+-userdom_manage_home_role(unconfined_r, unconfined_t)
+-userdom_manage_tmp_role(unconfined_r, unconfined_t)
+-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
++userdom_manage_home_role(unconfined_r)
++userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file sock_file fifo_file })
++userdom_manage_tmp_role(unconfined_r)
++userdom_manage_tmp(unconfined_t)
++userdom_manage_tmpfs_role(unconfined_r)
++userdom_manage_tmpfs(unconfined_t)
+ userdom_unpriv_usertype(unconfined, unconfined_t)
+ 
+ type unconfined_exec_t;
+diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
+index 49a4283..7a3ea96 100644
+--- a/policy/modules/services/rshd.te
++++ b/policy/modules/services/rshd.te
+@@ -66,7 +66,7 @@ seutil_read_config(rshd_t)
+ seutil_read_default_contexts(rshd_t)
+ 
+ userdom_search_user_home_content(rshd_t)
+-userdom_manage_tmp_role(system_r, rshd_t)
++userdom_manage_tmp(rshd_t)
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+ 	fs_read_nfs_files(rshd_t)
+diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
+index 8e3e9de..862e108 100644
+--- a/policy/modules/services/ssh.if
++++ b/policy/modules/services/ssh.if
+@@ -380,7 +380,7 @@ template(`ssh_role_template',`
+ 	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
+ 	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
+ 	userdom_search_user_home_dirs($1_t)
+-	userdom_manage_tmp_role($2, ssh_t)
++	userdom_manage_tmp(ssh_t)
+ 
+ 	##############################
+ 	#
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index d81a09f..3fdc1df 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t)
+ userdom_write_user_tmp_files(ssh_t)
+ userdom_read_user_home_content_symlinks(ssh_t)
+ userdom_read_home_certs(ssh_t)
++userdom_manage_tmp(ssh_t)
+ 
+ tunable_policy(`allow_ssh_keysign',`
+ 	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
+@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(sshd_t)
+ 
+ userdom_read_user_home_content_files(sshd_t)
+ userdom_read_user_home_content_symlinks(sshd_t)
+-userdom_manage_tmp_role(system_r, sshd_t)
++userdom_manage_tmp(sshd_t)
+ userdom_spec_domtrans_unpriv_users(sshd_t)
+ userdom_signal_unpriv_users(sshd_t)
+ userdom_dyntransition_unpriv_users(sshd_t)
+diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
+index 7d5a298..36b8a4c 100644
+--- a/policy/modules/services/sssd.te
++++ b/policy/modules/services/sssd.te
+@@ -92,7 +92,7 @@ miscfiles_read_generic_certs(sssd_t)
+ sysnet_dns_name_resolve(sssd_t)
+ sysnet_use_ldap(sssd_t)
+ 
+-userdom_manage_tmp_role(system_r, sssd_t)
++userdom_manage_tmp(sssd_t)
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(sssd_t)
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 60e0e2d..fcf2f38 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t)
+ userdom_manage_user_tmp_dirs(xdm_t)
+ userdom_manage_user_tmp_files(xdm_t)
+ userdom_manage_user_tmp_sockets(xdm_t)
+-userdom_manage_tmpfs_role(system_r, xdm_t)
++userdom_manage_tmpfs(xdm_t)
+ 
+ application_signal(xdm_t)
+ 
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e7a65ae..6974244 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -35,21 +35,14 @@ template(`userdom_base_user_template',`
+ 	type $1_t, userdomain, $1_usertype;
+ 	domain_type($1_t)
+ 	role $1_r;
+-	corecmd_shell_entry_type($1_t)
+-	corecmd_bin_entry_type($1_t)
+ 	domain_user_exemption_target($1_t)
+ 	ubac_constrained($1_t)
+ 	role $1_r types $1_t;
+ 	allow system_r $1_r;
+ 
+-	term_user_pty($1_t, user_devpts_t)
+-
+-	term_user_tty($1_t, user_tty_device_t)
+-	term_dontaudit_getattr_generic_ptys($1_t)
+-
+ 	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+ 	allow $1_usertype $1_usertype:fd use;
+-	allow $1_usertype $1_t:key { create view read write search link setattr };
++	allow $1_usertype $1_usertype:key { create view read write search link setattr };
+ 
+ 	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
+ 	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
+@@ -61,114 +54,7 @@ template(`userdom_base_user_template',`
+ 	allow $1_usertype $1_usertype:context contains;
+ 	dontaudit $1_usertype $1_usertype:socket create;
+ 
+-	allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
+-	term_create_pty($1_usertype, user_devpts_t)
+-	# avoid annoying messages on terminal hangup on role change
+-	dontaudit $1_usertype user_devpts_t:chr_file ioctl;
+-
+-	allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
+-	# avoid annoying messages on terminal hangup on role change
+-	dontaudit $1_usertype user_tty_device_t:chr_file ioctl;
+-
+-	application_exec_all($1_usertype)
+-
+-	kernel_read_kernel_sysctls($1_usertype)
+-	kernel_read_all_sysctls($1_usertype)
+-	kernel_dontaudit_list_unlabeled($1_usertype)
+-	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
+-	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
+-	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
+-	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
+-	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
+-	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
+-	kernel_dontaudit_list_proc($1_usertype)
+-
+-	dev_dontaudit_getattr_all_blk_files($1_usertype)
+-	dev_dontaudit_getattr_all_chr_files($1_usertype)
+-	dev_getattr_mtrr_dev($1_t)
+-
+-	# When the user domain runs ps, there will be a number of access
+-	# denials when ps tries to search /proc. Do not audit these denials.
+-	domain_dontaudit_read_all_domains_state($1_usertype)
+-	domain_dontaudit_getattr_all_domains($1_usertype)
+-	domain_dontaudit_getsession_all_domains($1_usertype)
+-	dev_dontaudit_all_access_check($1_usertype)
+-
+-	files_read_etc_files($1_usertype)
+-	files_list_mnt($1_usertype)
+-	files_list_var($1_usertype)
+-	files_read_mnt_files($1_usertype)
+-	files_dontaudit_access_check_mnt($1_usertype)
+-	files_read_etc_runtime_files($1_usertype)
+-	files_read_usr_files($1_usertype)
+-	files_read_usr_src_files($1_usertype)
+-	# Read directories and files with the readable_t type.
+-	# This type is a general type for "world"-readable files.
+-	files_list_world_readable($1_usertype)
+-	files_read_world_readable_files($1_usertype)
+-	files_read_world_readable_symlinks($1_usertype)
+-	files_read_world_readable_pipes($1_usertype)
+-	files_read_world_readable_sockets($1_usertype)
+-	# old broswer_domain():
+-	files_dontaudit_getattr_all_dirs($1_usertype)
+-	files_dontaudit_list_non_security($1_usertype)
+-	files_dontaudit_getattr_all_files($1_usertype)
+-	files_dontaudit_getattr_non_security_symlinks($1_usertype)
+-	files_dontaudit_getattr_non_security_pipes($1_usertype)
+-	files_dontaudit_getattr_non_security_sockets($1_usertype)
+-	files_dontaudit_setattr_etc_runtime_files($1_usertype)
+-
+-	files_exec_usr_files($1_t)
+-
+-	fs_list_cgroup_dirs($1_usertype)
+-	fs_dontaudit_rw_cgroup_files($1_usertype)
+-
+-	storage_rw_fuse($1_usertype)
+-
+ 	auth_use_nsswitch($1_t)
+-
+-	init_stream_connect($1_usertype)
+-	# The library functions always try to open read-write first,
+-	# then fall back to read-only if it fails. 
+-	init_dontaudit_rw_utmp($1_usertype)
+-
+-	libs_exec_ld_so($1_usertype)
+-
+-	logging_send_audit_msgs($1_t)
+-
+-	miscfiles_read_localization($1_t)
+-	miscfiles_read_generic_certs($1_t)
+-
+-	miscfiles_read_all_certs($1_usertype)
+-	miscfiles_read_localization($1_usertype)
+-	miscfiles_read_man_pages($1_usertype)
+-	miscfiles_read_public_files($1_usertype)
+-
+-	systemd_dbus_chat_logind($1_usertype)
+-
+-	tunable_policy(`allow_execmem',`
+-		# Allow loading DSOs that require executable stack.
+-		allow $1_t self:process execmem;
+-	')
+-
+-	tunable_policy(`allow_execmem && allow_execstack',`
+-		# Allow making the stack executable via mprotect.
+-		allow $1_t self:process execstack;
+-	')
+-
+-	optional_policy(`
+-		abrt_stream_connect($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		fs_list_cgroup_dirs($1_usertype)
+-	')
+-	
+-	optional_policy(`
+-		ssh_rw_stream_sockets($1_usertype)
+-		ssh_delete_tmp($1_t)
+-		ssh_signal($1_t)
+-	')
+ ')
+ 
+ #######################################
+@@ -242,6 +128,22 @@ interface(`userdom_ro_home_role',`
+ ##	The user role
+ ##	</summary>
+ ## </param>
++## <rolebase/>
++#
++interface(`userdom_manage_home_role',`
++	gen_require(`
++		type user_home_dir_t;
++		attribute user_home_type;
++	')
++
++	role $1 types { user_home_type user_home_dir_t };
++')
++
++#######################################
++## <summary>
++##	Allow a home directory for which the
++##	role has full access.
++## </summary>
+ ## <param name="userdomain">
+ ##	<summary>
+ ##	The user domain
+@@ -249,61 +151,58 @@ interface(`userdom_ro_home_role',`
+ ## </param>
+ ## <rolebase/>
+ #
+-interface(`userdom_manage_home_role',`
++interface(`userdom_manage_home',`
+ 	gen_require(`
+ 		type user_home_t, user_home_dir_t;
+ 		attribute user_home_type;
+ 	')
+ 
+-	role $1 types { user_home_type user_home_dir_t };
+-
+ 	##############################
+ 	#
+ 	# Domain access to home dir
+ 	#
+-
+-	type_member $2 user_home_dir_t:dir user_home_dir_t;
++	type_member $1 user_home_dir_t:dir user_home_dir_t;
+ 
+ 	# full control of the home directory
+-	allow $2 user_home_t:dir mounton;
+-	allow $2 user_home_t:file entrypoint;
++	allow $1 user_home_t:dir mounton;
++	allow $1 user_home_t:file entrypoint;
+ 
+-	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
+-	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
+-	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
+-	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+-	files_list_home($2)
++	allow $1 user_home_type:dir_file_class_set { relabelto relabelfrom };
++	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
++	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	relabel_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
++	files_list_home($1)
+ 
+ 	# cjp: this should probably be removed:
+-	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
++	allow $1 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+ 
+ 	tunable_policy(`use_nfs_home_dirs',`
+-		fs_mount_nfs($2)
+-		fs_mounton_nfs($2)
+-		fs_manage_nfs_dirs($2)
+-		fs_manage_nfs_files($2)
+-		fs_manage_nfs_symlinks($2)
+-		fs_manage_nfs_named_sockets($2)
+-		fs_manage_nfs_named_pipes($2)
++		fs_mount_nfs($1)
++		fs_mounton_nfs($1)
++		fs_manage_nfs_dirs($1)
++		fs_manage_nfs_files($1)
++		fs_manage_nfs_symlinks($1)
++		fs_manage_nfs_named_sockets($1)
++		fs_manage_nfs_named_pipes($1)
+ 	')
+ 
+ 	tunable_policy(`use_samba_home_dirs',`
+-		fs_mount_cifs($2)
+-		fs_mounton_cifs($2)
+-		fs_manage_cifs_dirs($2)
+-		fs_manage_cifs_files($2)
+-		fs_manage_cifs_symlinks($2)
+-		fs_manage_cifs_named_sockets($2)
+-		fs_manage_cifs_named_pipes($2)
++		fs_mount_cifs($1)
++		fs_mounton_cifs($1)
++		fs_manage_cifs_dirs($1)
++		fs_manage_cifs_files($1)
++		fs_manage_cifs_symlinks($1)
++		fs_manage_cifs_named_sockets($1)
++		fs_manage_cifs_named_pipes($1)
+ 	')
+ ')
+ 
+@@ -316,6 +215,21 @@ interface(`userdom_manage_home_role',`
+ ##	Role allowed access.
+ ##	</summary>
+ ## </param>
++## <rolebase/>
++#
++interface(`userdom_manage_tmp_role',`
++	gen_require(`
++		attribute user_tmp_type;
++		type user_tmp_t;
++	')
++
++	role $1 types user_tmp_t;
++')
++
++#######################################
++## <summary>
++##	Manage user temporary files
++## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+@@ -323,27 +237,25 @@ interface(`userdom_manage_home_role',`
+ ## </param>
+ ## <rolebase/>
+ #
+-interface(`userdom_manage_tmp_role',`
++interface(`userdom_manage_tmp',`
+ 	gen_require(`
+ 		attribute user_tmp_type;
+ 		type user_tmp_t;
+ 	')
+ 
+-	role $1 types user_tmp_t;
+-
+-	files_poly_member_tmp($2, user_tmp_t)
++	files_poly_member_tmp($1, user_tmp_t)
+ 
+-	manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
+-	manage_files_pattern($2, user_tmp_type, user_tmp_type)
+-	manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+-	manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+-	manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+-	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+-	relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
+-	relabel_files_pattern($2, user_tmp_type, user_tmp_type)
+-	relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+-	relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+-	relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
++	manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
++	manage_files_pattern($1, user_tmp_type, user_tmp_type)
++	manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++	manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++	manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
++	files_tmp_filetrans($1, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++	relabel_dirs_pattern($1, user_tmp_type, user_tmp_type)
++	relabel_files_pattern($1, user_tmp_type, user_tmp_type)
++	relabel_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
++	relabel_sock_files_pattern($1, user_tmp_type, user_tmp_type)
++	relabel_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
+ ')
+ 
+ #######################################
+@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',`
+ ##	Role allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
++#
++interface(`userdom_manage_tmpfs_role',`
++	gen_require(`
++		attribute user_tmpfs_type;
++		type user_tmpfs_t;
++	')
++
++	role $1 types user_tmpfs_t;
++')
++
++#######################################
++## <summary>
++##	Allow access for the user tmpfs type
++## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`userdom_manage_tmpfs_role',`
++interface(`userdom_manage_tmpfs',`
+ 	gen_require(`
+ 		attribute user_tmpfs_type;
+ 		type user_tmpfs_t;
+ 	')
+ 
+-	role $1 types user_tmpfs_t;
+-
+-	manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+-	relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+-	relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++	manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++	relabel_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	relabel_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	relabel_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	relabel_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
++	relabel_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+ ')
+ 
+ #######################################
+@@ -578,260 +503,31 @@ template(`userdom_change_password_template',`
+ template(`userdom_common_user_template',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
++		attribute common_userdomain;
+ 	')
+ 
+-	userdom_basic_networking($1_usertype)
+-
+-	##############################
+-	#
+-	# User domain Local policy
+-	#
+-
+-	# evolution and gnome-session try to create a netlink socket
+-	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
+-	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+-	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+-	allow $1_t self:socket create_socket_perms;
++	typeattribute $1_t common_userdomain;
+ 
+-	allow $1_usertype unpriv_userdomain:fd use;
++	userdom_basic_networking(common_userdomain)
+ 
+-	kernel_read_system_state($1_usertype)
+-	kernel_read_network_state($1_usertype)
+-	kernel_read_software_raid_state($1_usertype)
+-	kernel_read_net_sysctls($1_usertype)
+-	# Very permissive allowing every domain to see every type:
+-	kernel_get_sysvipc_info($1_usertype)
+-	# Find CDROM devices:
+-	kernel_read_device_sysctls($1_usertype)
+-	kernel_request_load_module($1_usertype)
+-
+-	corenet_udp_bind_generic_node($1_usertype)
+-	corenet_udp_bind_generic_port($1_usertype)
+-
+-	dev_read_rand($1_usertype)
+-	dev_write_sound($1_usertype)
+-	dev_read_sound($1_usertype)
+-	dev_read_sound_mixer($1_usertype)
+-	dev_write_sound_mixer($1_usertype)
+-
+-	files_exec_etc_files($1_usertype)
+-	files_search_locks($1_usertype)
+-	# Check to see if cdrom is mounted
+-	files_search_mnt($1_usertype)
+-	# cjp: perhaps should cut back on file reads:
+-	files_read_var_files($1_usertype)
+-	files_read_var_symlinks($1_usertype)
+-	files_read_generic_spool($1_usertype)
+-	files_read_var_lib_files($1_usertype)
+-	# Stat lost+found.
+-	files_getattr_lost_found_dirs($1_usertype)
+-	files_read_config_files($1_usertype)
+-	fs_read_noxattr_fs_files($1_usertype)
+-	fs_read_noxattr_fs_symlinks($1_usertype)
+-	fs_rw_cgroup_files($1_usertype)
+-
+-	application_getattr_socket($1_usertype)
+-
+-	logging_send_syslog_msg($1_usertype)
+-	logging_send_audit_msgs($1_usertype)
+-	selinux_get_enforce_mode($1_usertype)
+-
+-	# cjp: some of this probably can be removed
+-	selinux_get_fs_mount($1_usertype)
+-	selinux_validate_context($1_usertype)
+-	selinux_compute_access_vector($1_usertype)
+-	selinux_compute_create_context($1_usertype)
+-	selinux_compute_relabel_context($1_usertype)
+-	selinux_compute_user_contexts($1_usertype)
+-
+-	# for eject
+-	storage_getattr_fixed_disk_dev($1_usertype)
+-
+-	auth_read_login_records($1_usertype)
+-	auth_run_pam($1_t,$1_r)
+-	auth_run_utempter($1_t,$1_r)
+-
+-	init_read_utmp($1_usertype)
+-
+-	seutil_read_file_contexts($1_usertype)
+-	seutil_read_default_contexts($1_usertype)
+-	seutil_run_newrole($1_t,$1_r)
+-	seutil_exec_checkpolicy($1_t)
+-	seutil_exec_setfiles($1_usertype)
+-	# for when the network connection is killed
+-	# this is needed when a login role can change
+-	# to this one.
+-	seutil_dontaudit_signal_newrole($1_t)
+-
+-	tunable_policy(`user_direct_mouse',`
+-		dev_read_mouse($1_usertype)
+-	')
+-
+-	tunable_policy(`user_ttyfile_stat',`
+-		term_getattr_all_ttys($1_t)
+-	')
+-
+-	optional_policy(`
+-		# Allow graphical boot to check battery lifespan
+-		apm_stream_connect($1_usertype)
+-	')
++	auth_run_pam(common_userdomain,$1_r)
++	auth_run_utempter(common_userdomain,$1_r)
++	seutil_run_newrole(common_userdomain,$1_r)
+ 
+ 	optional_policy(`
+-		canna_stream_connect($1_usertype)
++		chrome_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
+-		chrome_role($1_r, $1_usertype)
++		git_session_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
+-		colord_read_lib_files($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		dbus_system_bus_client($1_usertype)
+-
+-		allow $1_usertype $1_usertype:dbus  send_msg;
+-
+-		optional_policy(`
+-			avahi_dbus_chat($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			policykit_dbus_chat($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			bluetooth_dbus_chat($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			consolekit_dbus_chat($1_usertype)
+-			consolekit_read_log($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			devicekit_dbus_chat($1_usertype)
+-			devicekit_dbus_chat_power($1_usertype)
+-			devicekit_dbus_chat_disk($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			evolution_dbus_chat($1_usertype)
+-			evolution_alarm_dbus_chat($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			gnome_dbus_chat_gconfdefault($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			hal_dbus_chat($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			kde_dbus_chat_backlighthelper($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			modemmanager_dbus_chat($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			networkmanager_dbus_chat($1_usertype)
+-			networkmanager_read_lib_files($1_usertype)
+-		')
+-
+-		optional_policy(`
+-			vpn_dbus_chat($1_usertype)
+-		')
++		nsplugin_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
+-		git_session_role($1_r, $1_usertype)
+-	')
+-
+-	optional_policy(`
+-		inetd_use_fds($1_usertype)
+-		inetd_rw_tcp_sockets($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		inn_read_config($1_usertype)
+-		inn_read_news_lib($1_usertype)
+-		inn_read_news_spool($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		lircd_stream_connect($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		locate_read_lib_files($1_usertype)
+-	')
+-
+-	# for running depmod as part of the kernel packaging process
+-	optional_policy(`
+-		modutils_read_module_config($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		mta_rw_spool($1_usertype)
+-		mta_manage_queue($1_usertype)
+-		mta_filetrans_home_content($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		nsplugin_role($1_r, $1_usertype)
+-	')
+-
+-	optional_policy(`
+-		tunable_policy(`allow_user_mysql_connect',`
+-			mysql_stream_connect($1_t)
+-		')
+-	')
+-
+-	optional_policy(`
+-		oident_manage_user_content($1_t)
+-		oident_relabel_user_content($1_t)
+-	')
+-
+-	optional_policy(`
+-		# to allow monitoring of pcmcia status
+-		pcmcia_read_pid($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		pcscd_read_pub_files($1_usertype)
+-		pcscd_stream_connect($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		tunable_policy(`allow_user_postgresql_connect',`
+-			postgresql_stream_connect($1_usertype)
+-			postgresql_tcp_connect($1_usertype)
+-		')
+-	')
+-
+-	optional_policy(`
+-		resmgr_stream_connect($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		rpc_dontaudit_getattr_exports($1_usertype)
+-		rpc_manage_nfs_rw_content($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		rpcbind_stream_connect($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		samba_stream_connect_winbind($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		sandbox_transition($1_usertype, $1_r)
++		sandbox_transition(common_userdomain, $1_r)
+ 	')
+ 
+ 	optional_policy(`
+@@ -839,11 +535,7 @@ template(`userdom_common_user_template',`
+ 	')
+ 
+ 	optional_policy(`
+-		slrnpull_search_spool($1_usertype)
+-	')
+-
+-	optional_policy(`
+-		thumb_role($1_r, $1_usertype)
++		thumb_role($1_r, common_userdomain)
+ 	')
+ ')
+ 
+@@ -872,10 +564,9 @@ template(`userdom_login_user_template', `
+ 
+ 	userdom_base_user_template($1)
+ 
+-	userdom_manage_home_role($1_r, $1_usertype)
+-
+-	userdom_manage_tmp_role($1_r, $1_usertype)
+-	userdom_manage_tmpfs_role($1_r, $1_usertype)
++	userdom_manage_home_role($1_r)
++	userdom_manage_tmp_role($1_r)
++	userdom_manage_tmpfs_role($1_r)
+ 
+ 	ifelse(`$1',`unconfined',`',`
+ 		gen_tunable(allow_$1_exec_content, true)
+@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_template',`
+ 	typeattribute $1_t unpriv_userdomain;
+ 	domain_interactive_fd($1_t)
+ 
+-	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
+-	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;
+-
+ 	##############################
+ 	#
+ 	# Local policy
+@@ -3918,6 +3606,10 @@ template(`userdom_unpriv_usertype',`
+ 	
+ 	auth_use_nsswitch($2)
+ 	ubac_constrained($2)
++
++	userdom_manage_home_role($1_r)
++	userdom_manage_tmp_role($1_r)
++	userdom_manage_tmpfs_role($1_r)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 04d748b..c636356 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -69,6 +69,8 @@ attribute userdomain;
+ 
+ # unprivileged user domains
+ attribute unpriv_userdomain;
++# common user domains
++attribute common_userdomain;
+ 
+ attribute untrusted_content_type;
+ attribute untrusted_content_tmp_type;
+@@ -141,16 +143,17 @@ miscfiles_cert_type(home_cert_t)
+ userdom_user_home_content(home_cert_t)
+ ubac_constrained(home_cert_t)
+ 
+-tunable_policy(`allow_console_login',`
+-	term_use_console(userdomain)
+-')
+-
+-allow userdomain userdomain:process signull;
++allow unpriv_userdomain self:netlink_kobject_uevent_socket create_socket_perms;
++dontaudit unpriv_userdomain self:netlink_audit_socket create_socket_perms;
+ 
+ # Nautilus causes this avc
+ dontaudit unpriv_userdomain self:dir setattr;
+ allow unpriv_userdomain self:key manage_key_perms;
+ 
++userdom_manage_home(unpriv_userdomain)
++userdom_manage_tmp(unpriv_userdomain)
++userdom_manage_tmpfs(unpriv_userdomain)
++
+ optional_policy(`
+ 	alsa_read_rw_config(unpriv_userdomain)
+ 	alsa_manage_home_files(unpriv_userdomain)
+@@ -158,6 +161,125 @@ optional_policy(`
+ 	alsa_filetrans_named_content(unpriv_userdomain)
+ ')
+ 
++tunable_policy(`allow_console_login',`
++	term_use_console(userdomain)
++')
++
++allow userdomain userdomain:process signull;
++
++allow userdomain user_devpts_t:chr_file { setattr rw_chr_file_perms };
++term_create_pty(userdomain, user_devpts_t)
++# avoid annoying messages on terminal hangup on role change
++dontaudit userdomain user_devpts_t:chr_file ioctl;
++
++allow userdomain user_tty_device_t:chr_file { setattr rw_chr_file_perms };
++# avoid annoying messages on terminal hangup on role change
++dontaudit userdomain user_tty_device_t:chr_file ioctl;
++
++corecmd_shell_entry_type(userdomain)
++corecmd_bin_entry_type(userdomain)
++
++term_user_pty(userdomain, user_devpts_t)
++
++term_user_tty(userdomain, user_tty_device_t)
++term_dontaudit_getattr_generic_ptys(userdomain)
++
++application_exec_all(userdomain)
++
++kernel_read_kernel_sysctls(userdomain)
++kernel_read_all_sysctls(userdomain)
++kernel_dontaudit_list_unlabeled(userdomain)
++kernel_dontaudit_getattr_unlabeled_files(userdomain)
++kernel_dontaudit_getattr_unlabeled_symlinks(userdomain)
++kernel_dontaudit_getattr_unlabeled_pipes(userdomain)
++kernel_dontaudit_getattr_unlabeled_sockets(userdomain)
++kernel_dontaudit_getattr_unlabeled_blk_files(userdomain)
++kernel_dontaudit_getattr_unlabeled_chr_files(userdomain)
++kernel_dontaudit_list_proc(userdomain)
++
++dev_dontaudit_getattr_all_blk_files(userdomain)
++dev_dontaudit_getattr_all_chr_files(userdomain)
++dev_getattr_mtrr_dev(userdomain)
++
++# When the user domain runs ps, there will be a number of access
++# denials when ps tries to search /proc. Do not audit these denials.
++domain_dontaudit_read_all_domains_state(userdomain)
++domain_dontaudit_getattr_all_domains(userdomain)
++domain_dontaudit_getsession_all_domains(userdomain)
++dev_dontaudit_all_access_check(userdomain)
++
++files_read_etc_files(userdomain)
++files_list_mnt(userdomain)
++files_list_var(userdomain)
++files_read_mnt_files(userdomain)
++files_dontaudit_access_check_mnt(userdomain)
++files_read_etc_runtime_files(userdomain)
++files_read_usr_files(userdomain)
++files_read_usr_src_files(userdomain)
++# Read directories and files with the readable_t type.
++# This type is a general type for "world"-readable files.
++files_list_world_readable(userdomain)
++files_read_world_readable_files(userdomain)
++files_read_world_readable_symlinks(userdomain)
++files_read_world_readable_pipes(userdomain)
++files_read_world_readable_sockets(userdomain)
++# old broswer_domain():
++files_dontaudit_getattr_all_dirs(userdomain)
++files_dontaudit_list_non_security(userdomain)
++files_dontaudit_getattr_all_files(userdomain)
++files_dontaudit_getattr_non_security_symlinks(userdomain)
++files_dontaudit_getattr_non_security_pipes(userdomain)
++files_dontaudit_getattr_non_security_sockets(userdomain)
++files_dontaudit_setattr_etc_runtime_files(userdomain)
++
++files_exec_usr_files(userdomain)
++
++fs_list_cgroup_dirs(userdomain)
++fs_dontaudit_rw_cgroup_files(userdomain)
++
++storage_rw_fuse(userdomain)
++
++init_stream_connect(userdomain)
++# The library functions always try to open read-write first,
++# then fall back to read-only if it fails. 
++init_dontaudit_rw_utmp(userdomain)
++libs_exec_ld_so(userdomain)
++logging_send_audit_msgs(userdomain)
++
++miscfiles_read_localization(userdomain)
++miscfiles_read_generic_certs(userdomain)
++
++miscfiles_read_all_certs(userdomain)
++miscfiles_read_localization(userdomain)
++miscfiles_read_man_pages(userdomain)
++miscfiles_read_public_files(userdomain)
++
++systemd_dbus_chat_logind(userdomain)
++
++tunable_policy(`allow_execmem',`
++	# Allow loading DSOs that require executable stack.
++	allow userdomain self:process execmem;
++')
++
++tunable_policy(`allow_execmem && allow_execstack',`
++	# Allow making the stack executable via mprotect.
++	allow userdomain self:process execstack;
++')
++
++optional_policy(`
++	abrt_stream_connect(userdomain)
++')
++
++optional_policy(`
++	fs_list_cgroup_dirs(userdomain)
++')
++	
++optional_policy(`
++	ssh_rw_stream_sockets(userdomain)
++	ssh_delete_tmp(userdomain)
++	ssh_signal(userdomain)
++')
++
+ optional_policy(`
+ 	gnome_filetrans_home_content(userdomain)
+ ')
+@@ -173,3 +295,240 @@ optional_policy(`
+ optional_policy(`
+ 	xserver_filetrans_home_content(userdomain)
+ ')
++
++##############################
++#
++# Common User domain Local policy
++#
++
++# evolution and gnome-session try to create a netlink socket
++dontaudit common_userdomain self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
++dontaudit common_userdomain self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
++allow common_userdomain self:netlink_kobject_uevent_socket create_socket_perms;
++allow common_userdomain self:socket create_socket_perms;
++
++allow common_userdomain unpriv_userdomain:fd use;
++
++kernel_read_system_state(common_userdomain)
++kernel_read_network_state(common_userdomain)
++kernel_read_software_raid_state(common_userdomain)
++kernel_read_net_sysctls(common_userdomain)
++# Very permissive allowing every domain to see every type:
++kernel_get_sysvipc_info(common_userdomain)
++# Find CDROM devices:
++kernel_read_device_sysctls(common_userdomain)
++kernel_request_load_module(common_userdomain)
++
++corenet_udp_bind_generic_node(common_userdomain)
++corenet_udp_bind_generic_port(common_userdomain)
++
++dev_read_rand(common_userdomain)
++dev_write_sound(common_userdomain)
++dev_read_sound(common_userdomain)
++dev_read_sound_mixer(common_userdomain)
++dev_write_sound_mixer(common_userdomain)
++
++files_exec_etc_files(common_userdomain)
++files_search_locks(common_userdomain)
++# Check to see if cdrom is mounted
++files_search_mnt(common_userdomain)
++# cjp: perhaps should cut back on file reads:
++files_read_var_files(common_userdomain)
++files_read_var_symlinks(common_userdomain)
++files_read_generic_spool(common_userdomain)
++files_read_var_lib_files(common_userdomain)
++# Stat lost+found.
++files_getattr_lost_found_dirs(common_userdomain)
++files_read_config_files(common_userdomain)
++fs_read_noxattr_fs_files(common_userdomain)
++fs_read_noxattr_fs_symlinks(common_userdomain)
++fs_rw_cgroup_files(common_userdomain)
++
++application_getattr_socket(common_userdomain)
++
++logging_send_syslog_msg(common_userdomain)
++logging_send_audit_msgs(common_userdomain)
++selinux_get_enforce_mode(common_userdomain)
++
++# cjp: some of this probably can be removed
++selinux_get_fs_mount(common_userdomain)
++selinux_validate_context(common_userdomain)
++selinux_compute_access_vector(common_userdomain)
++selinux_compute_create_context(common_userdomain)
++selinux_compute_relabel_context(common_userdomain)
++selinux_compute_user_contexts(common_userdomain)
++
++# for eject
++storage_getattr_fixed_disk_dev(common_userdomain)
++
++auth_read_login_records(common_userdomain)
++
++init_read_utmp(common_userdomain)
++
++seutil_read_file_contexts(common_userdomain)
++seutil_read_default_contexts(common_userdomain)
++seutil_exec_checkpolicy(common_userdomain)
++seutil_exec_setfiles(common_userdomain)
++# for when the network connection is killed
++# this is needed when a login role can change
++# to this one.
++seutil_dontaudit_signal_newrole(common_userdomain)
++
++tunable_policy(`user_direct_mouse',`
++	dev_read_mouse(common_userdomain)
++')
++
++tunable_policy(`user_ttyfile_stat',`
++	term_getattr_all_ttys(common_userdomain)
++')
++
++optional_policy(`
++	# Allow graphical boot to check battery lifespan
++	apm_stream_connect(common_userdomain)
++')
++
++optional_policy(`
++	canna_stream_connect(common_userdomain)
++')
++
++optional_policy(`
++	colord_read_lib_files(common_userdomain)
++')
++
++optional_policy(`
++	dbus_system_bus_client(common_userdomain)
++
++	allow common_userdomain common_userdomain:dbus  send_msg;
++
++	optional_policy(`
++		avahi_dbus_chat(common_userdomain)
++	')
++
++	optional_policy(`
++		policykit_dbus_chat(common_userdomain)
++	')
++
++	optional_policy(`
++		bluetooth_dbus_chat(common_userdomain)
++	')
++
++	optional_policy(`
++		consolekit_dbus_chat(common_userdomain)
++		consolekit_read_log(common_userdomain)
++	')
++
++	optional_policy(`
++		devicekit_dbus_chat(common_userdomain)
++		devicekit_dbus_chat_power(common_userdomain)
++		devicekit_dbus_chat_disk(common_userdomain)
++	')
++
++	optional_policy(`
++		evolution_dbus_chat(common_userdomain)
++		evolution_alarm_dbus_chat(common_userdomain)
++	')
++
++	optional_policy(`
++		gnome_dbus_chat_gconfdefault(common_userdomain)
++	')
++
++	optional_policy(`
++		hal_dbus_chat(common_userdomain)
++	')
++
++	optional_policy(`
++		kde_dbus_chat_backlighthelper(common_userdomain)
++	')
++
++	optional_policy(`
++		modemmanager_dbus_chat(common_userdomain)
++	')
++
++	optional_policy(`
++		networkmanager_dbus_chat(common_userdomain)
++		networkmanager_read_lib_files(common_userdomain)
++	')
++
++	optional_policy(`
++		vpn_dbus_chat(common_userdomain)
++	')
++')
++
++optional_policy(`
++	inetd_use_fds(common_userdomain)
++	inetd_rw_tcp_sockets(common_userdomain)
++')
++
++optional_policy(`
++	inn_read_config(common_userdomain)
++	inn_read_news_lib(common_userdomain)
++	inn_read_news_spool(common_userdomain)
++')
++
++optional_policy(`
++	lircd_stream_connect(common_userdomain)
++')
++
++optional_policy(`
++	locate_read_lib_files(common_userdomain)
++')
++
++# for running depmod as part of the kernel packaging process
++optional_policy(`
++	modutils_read_module_config(common_userdomain)
++')
++
++optional_policy(`
++	mta_rw_spool(common_userdomain)
++	mta_manage_queue(common_userdomain)
++	mta_filetrans_home_content(common_userdomain)
++')
++
++optional_policy(`
++	tunable_policy(`allow_user_mysql_connect',`
++		mysql_stream_connect(common_userdomain)
++	')
++')
++
++optional_policy(`
++	oident_manage_user_content(common_userdomain)
++	oident_relabel_user_content(common_userdomain)
++')
++
++optional_policy(`
++	# to allow monitoring of pcmcia status
++	pcmcia_read_pid(common_userdomain)
++')
++
++optional_policy(`
++	pcscd_read_pub_files(common_userdomain)
++	pcscd_stream_connect(common_userdomain)
++')
++
++optional_policy(`
++	tunable_policy(`allow_user_postgresql_connect',`
++		postgresql_stream_connect(common_userdomain)
++		postgresql_tcp_connect(common_userdomain)
++	')
++')
++
++optional_policy(`
++	resmgr_stream_connect(common_userdomain)
++')
++
++optional_policy(`
++	rpc_dontaudit_getattr_exports(common_userdomain)
++	rpc_manage_nfs_rw_content(common_userdomain)
++')
++
++optional_policy(`
++	rpcbind_stream_connect(common_userdomain)
++')
++
++optional_policy(`
++	samba_stream_connect_winbind(common_userdomain)
++')
++
++optional_policy(`
++	slrnpull_search_spool(common_userdomain)
++')