From dd0d453cdf767396b8c61d1795546cb4fcf78954 Mon Sep 17 00:00:00 2001
From: Dominick Grift <domg472@gmail.com>
Date: Fri, 17 Sep 2010 10:16:23 +0200
Subject: [PATCH] Allow users to ptrace and send any signal to their bluetooth
 helper agent.

Allow users to prtrace and send any signal to their cron job.

Allow users to prtrace and send any signal to their cron job.

Allow users to prtrace and send any signal to their cron job.

Allow users to ps, ptrace and send any signal to their session bus.
---
 policy/modules/services/bluetooth.if | 2 +-
 policy/modules/services/cron.if      | 5 +++--
 policy/modules/services/dbus.if      | 5 +++--
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 328302d3..303ba6c5 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -27,7 +27,7 @@ interface(`bluetooth_role',`
 
 	# allow ps to show cdrecord and allow the user to kill it
 	ps_process_pattern($2, bluetooth_helper_t)
-	allow $2 bluetooth_helper_t:process signal;
+	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
 
 	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
 	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 72a174a3..f17a4c29 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -138,7 +138,7 @@ interface(`cron_role',`
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, crontab_t)
-	allow $2 crontab_t:process signal;
+	allow $2 crontab_t:process { ptrace signal_perms };
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(crontab_t, $2)
@@ -180,6 +180,7 @@ interface(`cron_unconfined_role',`
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
+	allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
 
 	optional_policy(`
 		gen_require(`
@@ -225,7 +226,7 @@ interface(`cron_admin_role',`
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
+	allow $2 admin_crontab_t:process { ptrace signal_perms };
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(admin_crontab_t, $2)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 78524415..dc7ff5aa 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -90,14 +90,15 @@ template(`dbus_role_template',`
 	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+	ps_process_pattern($3, $1_dbusd_t)
+	allow $3 $1_dbusd_t:process { ptrace signal_perms };
 
 	# cjp: this seems very broken
 	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 	allow $1_dbusd_t $3:process sigkill;
 	allow $3 $1_dbusd_t:fd use;
 	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-	allow $3 $1_dbusd_t:process sigchld;
 
 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctls($1_dbusd_t)