+##
## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
##
##
diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if
--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-10-11 16:42:15.581761733 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-10-11 16:42:16.083761591 -0400
@@ -140,8 +140,11 @@ interface(`kdump_admin',`
type kdump_initrc_exec_t;
')
- allow $1 kdump_t:process { ptrace signal_perms };
+ allow $1 kdump_t:process signal_perms;
ps_process_pattern($1, kdump_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kdump_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if
--- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-10-11 16:42:16.083761591 -0400
@@ -239,7 +239,10 @@ interface(`kismet_admin',`
')
ps_process_pattern($1, kismet_t)
- allow $1 kismet_t:process { ptrace signal_perms };
+ allow $1 kismet_t:process signal_perms;
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 kismet_t:process ptrace;
+ ')
kismet_manage_pid_files($1)
kismet_manage_lib($1)
diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te
--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-10-11 16:42:15.582761733 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-10-11 16:42:16.084761591 -0400
@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te
--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-10-11 16:42:15.583761733 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-10-11 16:42:16.084761591 -0400
@@ -30,8 +30,6 @@ files_type(logrotate_var_lib_t)
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-# for mailx
-dontaudit logrotate_t self:capability { sys_ptrace };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te
--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-10-11 16:42:15.586761731 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-10-11 16:42:16.085761591 -0400
@@ -17,8 +17,7 @@ role system_r types ncftool_t;
# ncftool local policy
#
-allow ncftool_t self:capability { net_admin sys_ptrace };
-
+allow ncftool_t self:capability net_admin;
allow ncftool_t self:process signal;
allow ncftool_t self:fifo_file manage_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te.ptrace serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te
--- serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te.ptrace 2011-10-11 16:42:15.590761731 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te 2011-10-11 16:43:18.809744020 -0400
@@ -266,3 +266,10 @@ optional_policy(`
permissive virt_qmf_t;
')
+optional_policy(`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit domain self:capability sys_ptrace;
+')
diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-10-11 16:42:16.020761610 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-10-11 16:42:16.085761591 -0400
@@ -248,7 +248,8 @@ optional_policy(`
# rpm-script Local policy
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te
--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-10-11 16:42:15.598761729 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-10-11 16:42:16.086761591 -0400
@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
# sectool local policy
#
-allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
allow sectoolm_t self:process { getcap getsched signull setsched };
dontaudit sectoolm_t self:process { execstack execmem };
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if
--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-10-11 16:42:15.598761729 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-10-11 16:42:16.087761591 -0400
@@ -139,8 +139,11 @@ interface(`shorewall_admin',`
type shorewall_tmp_t, shorewall_etc_t;
')
- allow $1 shorewall_t:process { ptrace signal_perms };
+ allow $1 shorewall_t:process signal_perms;
ps_process_pattern($1, shorewall_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 shorewall_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te
--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-10-11 16:42:15.599761728 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-10-11 16:42:16.087761591 -0400
@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
# shorewall local policy
#
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
dontaudit shorewall_t self:capability sys_tty_config;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te
--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-10-11 16:42:15.602761727 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-10-11 16:42:16.088761590 -0400
@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
# sosreport local policy
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
allow sosreport_t self:process { setsched signull };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket create_stream_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-10-11 16:42:16.044761602 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-11 16:42:16.088761590 -0400
@@ -435,7 +435,8 @@ optional_policy(`
# Useradd local policy
#
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te
--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-10-11 16:42:15.612761725 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-10-11 16:42:16.089761589 -0400
@@ -21,7 +21,7 @@ ubac_constrained(chrome_sandbox_tmpfs_t)
#
# chrome_sandbox local policy
#
-allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
allow chrome_sandbox_t self:process setsched;
allow chrome_sandbox_t self:fifo_file manage_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-10-11 16:42:16.044761602 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-11 16:42:16.089761589 -0400
@@ -59,7 +59,7 @@ template(`execmem_role_template',`
userdom_unpriv_usertype($1, $1_execmem_t)
allow $1_execmem_t self:process { execmem execstack };
- allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
+ allow $3 $1_execmem_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
files_execmod_tmp($1_execmem_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if
--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-10-11 16:42:15.617761723 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-10-11 16:42:16.090761589 -0400
@@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',`
auth_use_nsswitch($1_gkeyringd_t)
ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
-
+ allow $3 $1_gkeyringd_t:process signal_perms;
dontaudit $3 gkeyringd_exec_t:file entrypoint;
stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if
--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-10-11 16:42:15.620761723 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-10-11 16:42:16.091761589 -0400
@@ -33,7 +33,7 @@ interface(`irc_role',`
domtrans_pattern($2, irssi_exec_t, irssi_t)
- allow $2 irssi_t:process { ptrace signal_perms };
+ allow $2 irssi_t:process signal_perms;
ps_process_pattern($2, irssi_t)
manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if
--- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-10-11 16:42:16.045761602 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-11 16:42:16.091761589 -0400
@@ -76,11 +76,11 @@ template(`java_role_template',`
userdom_manage_tmpfs_role($2)
userdom_manage_tmpfs($1_java_t)
- allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+ allow $1_java_t self:process { signal getsched execmem execstack };
dontaudit $1_java_t $3:tcp_socket { read write };
- allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
+ allow $3 $1_java_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, java_exec_t, $1_java_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0/policy/modules/apps/kde.te
--- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace 2011-10-11 16:42:15.624761721 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/kde.te 2011-10-11 16:42:16.092761589 -0400
@@ -13,9 +13,6 @@ dbus_system_domain(kdebacklighthelper_t,
#
# backlighthelper local policy
#
-
-dontaudit kdebacklighthelper_t self:capability sys_ptrace;
-
allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(kdebacklighthelper_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te
--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-10-11 16:42:15.626761720 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-10-11 16:42:16.092761589 -0400
@@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t)
dontaudit livecd_t self:capability2 mac_admin;
-domain_ptrace_all_domains(livecd_t)
+tunable_policy(`deny_ptrace',`',`
+ domain_ptrace_all_domains(livecd_t)
+')
+
domain_interactive_fd(livecd_t)
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if
--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-10-11 16:42:16.045761602 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-11 16:42:16.093761589 -0400
@@ -40,8 +40,8 @@ template(`mono_role_template',`
domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+ allow $1_mono_t self:process { signal getsched execheap execmem execstack };
+ allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te
--- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-10-11 16:42:16.093761589 -0400
@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
# Local policy
#
-allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
+allow mono_t self:process { signal getsched execheap execmem execstack };
init_dbus_chat_script(mono_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-10-11 16:42:16.046761602 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-11 16:42:16.094761589 -0400
@@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',`
allow mozilla_plugin_t $1:sem create_sem_perms;
ps_process_pattern($1, mozilla_plugin_t)
- allow $1 mozilla_plugin_t:process { ptrace signal_perms };
+ allow $1 mozilla_plugin_t:process signal_perms;
')
########################################
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.te
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace 2011-10-11 16:42:16.023761608 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-10-11 16:42:16.094761589 -0400
@@ -300,9 +300,6 @@ optional_policy(`
#
# mozilla_plugin local policy
#
-
-dontaudit mozilla_plugin_t self:capability { sys_ptrace };
-
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-10-11 16:42:16.047761602 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-11 16:42:16.095761589 -0400
@@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', `
dontaudit nsplugin_t $2:shm destroy;
allow $2 nsplugin_t:sem rw_sem_perms;
- allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:process { getattr signal_perms };
allow $2 nsplugin_t:unix_stream_socket connectto;
# Connect to pulseaudit server
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-10-11 16:42:16.047761602 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-11 16:42:16.096761589 -0400
@@ -54,7 +54,7 @@ application_executable_file(nsplugin_con
#
dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
allow nsplugin_t self:fifo_file rw_file_perms;
-allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
allow nsplugin_t self:sem create_sem_perms;
allow nsplugin_t self:shm create_shm_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if
--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-10-11 16:42:15.634761718 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-10-11 16:42:16.096761589 -0400
@@ -69,7 +69,7 @@ interface(`openoffice_role_template',`
allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
- allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+ allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
allow $1_openoffice_t $3:tcp_socket { read write };
domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te
--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-10-11 16:42:16.023761608 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-10-11 16:42:16.097761589 -0400
@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t)
# podsleuth local policy
#
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if
--- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-10-11 16:42:16.098761588 -0400
@@ -31,9 +31,9 @@ interface(`uml_role',`
allow $2 uml_t:unix_dgram_socket sendto;
allow uml_t $2:unix_dgram_socket sendto;
- # allow ps, ptrace, signal
+ # allow ps, signal
ps_process_pattern($2, uml_t)
- allow $2 uml_t:process { ptrace signal_perms };
+ allow $2 uml_t:process signal_perms;
allow $2 uml_ro_t:dir list_dir_perms;
read_files_pattern($2, uml_ro_t, uml_ro_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te
--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-10-11 16:42:15.645761715 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-10-11 16:42:16.098761588 -0400
@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t)
#
allow uml_t self:fifo_file rw_fifo_file_perms;
-allow uml_t self:process { signal_perms ptrace };
+allow uml_t self:process signal_perms;
allow uml_t self:unix_stream_socket create_stream_socket_perms;
allow uml_t self:unix_dgram_socket create_socket_perms;
# Use the network.
diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if
--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-10-11 16:42:16.050761600 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-11 16:42:16.099761587 -0400
@@ -100,7 +100,7 @@ template(`wine_role_template',`
role $2 types $1_wine_t;
allow $1_wine_t self:process { execmem execstack };
- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, wine_exec_t, $1_wine_t)
corecmd_bin_domtrans($1_wine_t, $1_t)
diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te
--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-10-11 16:42:15.662761711 -0400
+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-10-11 16:42:16.225761551 -0400
@@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
# Act upon any other process.
-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
+tunable_policy(`deny_ptrace',`',`
+ allow unconfined_domain_type domain:process ptrace;
+')
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -312,3 +315,5 @@ optional_policy(`
optional_policy(`
seutil_dontaudit_read_config(domain)
')
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te
--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-10-11 16:42:15.670761708 -0400
+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-10-11 16:42:16.101761586 -0400
@@ -191,7 +191,11 @@ sid tcp_socket gen_context(system_u:obj
# kernel local policy
#
-allow kernel_t self:capability *;
+allow kernel_t self:capability ~{ sys_ptrace };
+tunable_policy(`deny_ptrace',`',`
+ allow kernel_t self:capability sys_ptrace;
+')
+
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
@@ -442,7 +446,7 @@ allow kern_unconfined unlabeled_t:dir_fi
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
gen_require(`
bool secure_mode_insmod;
diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te
--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-10-11 16:42:15.678761705 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-10-11 16:42:16.102761586 -0400
@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
# database admin local policy
#
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_override dac_read_search };
files_dontaudit_search_all_dirs(dbadm_t)
files_delete_generic_locks(dbadm_t)
diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te
--- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-10-11 16:42:16.103761586 -0400
@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
# logadmin local policy
#
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
-
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-10-11 16:42:16.051761600 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-11 16:42:16.104761586 -0400
@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
# Declarations
#
-##