From 80347b11c4fa8c53def8da43ad4966d4eb5ecf0f Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 11 Oct 2011 16:48:46 -0400
Subject: [PATCH] Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system

Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
---
 dontaudit.patch | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 dontaudit.patch

diff --git a/dontaudit.patch b/dontaudit.patch
new file mode 100644
index 00000000..73d1ac95
--- /dev/null
+++ b/dontaudit.patch
@@ -0,0 +1,23 @@
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index db2a183..02cf550 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -312,3 +312,5 @@ optional_policy(`
+ optional_policy(`
+ seutil_dontaudit_read_config(domain)
+ ')
++
++dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
+index 823794e..18e1b2f 100644
+--- a/policy/support/misc_patterns.spt
++++ b/policy/support/misc_patterns.spt
+@@ -4,7 +4,7 @@
+ define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open read execute };
+ allow $1 $3:process transition;
+- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
++# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+ ')
+
+ # compatibility:
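Review bot: The per-pattern rule in domain_transition_pattern (misc_patterns.spt) is commented out rather than deleted, leaving dead text inside the macro body; since the new global rule in domain.te covers it (assuming $1 and $3 are always domain types), drop the line instead of keeping `# dontaudit $1 $3:process { noatsecure siginh rlimitinh };`. The new `dontaudit domain domain:process { noatsecure siginh rlimitinh } ;` is broader than what it replaces: it silences these denials for every domain pair, including transitions that never used the pattern, so anyone expecting to see them in the audit log has to rebuild with dontaudit rules disabled (semodule -DB) first. A comment above the rule would record that, e.g. `# Replaces the per-transition dontaudit formerly emitted by domain_transition_pattern; applies to all domain pairs, so rebuild with dontaudit disabled to see these denials.` The allow_ptrace/deny_ptrace change named in the subject does not appear in this diff, so presumably it lands in another patch; the message should say so or be narrowed to the dontaudit consolidation.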