Remove allow_ptrace and replace it with deny_ptrace, which will remove all

ptrace from the system Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-12 10:13:18 -04:00 · 2011-10-12 10:13:18 -04:00 · 2f4dfeb425
parent 80347b11c4
commit 2f4dfeb425
2 changed files with 0 additions and 25 deletions
--- a/dontaudit.patch
+++ b/dontaudit.patch
@ -1,23 +0,0 @@
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index db2a183..02cf550 100644
--- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -312,3 +312,5 @@ optional_policy(`
- optional_policy(`
- 	seutil_dontaudit_read_config(domain)
- ')
-+
-+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
-diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
-index 823794e..18e1b2f 100644
--- a/policy/support/misc_patterns.spt
-+++ b/policy/support/misc_patterns.spt
-@@ -4,7 +4,7 @@
- define(`domain_transition_pattern',`
- 	allow $1 $2:file { getattr open read execute };
- 	allow $1 $3:process transition;
-	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-+#	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
- ')
- 
- # compatibility:
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -29,7 +29,6 @@ patch4: execmem.patch
 patch5: userdomain.patch
 patch6: apache.patch
 patch7: ptrace.patch
-patch8: dontaudit.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@ -250,7 +249,6 @@ Based off of reference policy: Checked out revision  2.20091117
 %patch5 -p1 -b .userdomain
 %patch6 -p1 -b .apache
 %patch7 -p1 -b .ptrace
-%patch8 -p1 -b .dontaudit

 %install
 mkdir selinux_config