Remove allow_ptrace and replace it with deny_ptrace, which will remove all

ptrace from the system Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
2011-10-11 16:48:46 -04:00 · 2011-10-11 16:48:46 -04:00 · 80347b11c4
commit 80347b11c4
parent 3af504b2d1
1 changed files with 23 additions and 0 deletions
--- a/dontaudit.patch
+++ b/dontaudit.patch
@ -0,0 +1,23 @@
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index db2a183..02cf550 100644
+--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
+@@ -312,3 +312,5 @@ optional_policy(`
+ optional_policy(`
+ 	seutil_dontaudit_read_config(domain)
+ ')
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
+index 823794e..18e1b2f 100644
+--- a/policy/support/misc_patterns.spt
+++ b/policy/support/misc_patterns.spt
+@@ -4,7 +4,7 @@
+ define(`domain_transition_pattern',`
+ 	allow $1 $2:file { getattr open read execute };
+ 	allow $1 $3:process transition;
+-	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+#	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+ ')
+ 
+ # compatibility: