+##
## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
##
##
diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if
--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-10-05 14:34:03.265103305 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-10-05 14:34:03.752103823 -0400
@@ -140,8 +140,11 @@ interface(`kdump_admin',`
type kdump_initrc_exec_t;
')
- allow $1 kdump_t:process { ptrace signal_perms };
+ allow $1 kdump_t:process signal_perms;
ps_process_pattern($1, kdump_t)
+ tunable_policy(`allow_ptrace',`
+ allow $1 kdump_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
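Review bot: The `tunable_policy(`allow_ptrace',…)` block inside `kdump_admin` references a boolean whose declaration is not part of this patch; because interface bodies expand in the calling module, `allow_ptrace` must be declared in global_tunables rather than as a module-local `gen_tunable`, or every module that calls `kdump_admin` will fail to link. The interface's doc block should also record the new behaviour, e.g. add `## Ptrace of kdump_t is only granted when the allow_ptrace boolean is enabled.` to the summary so admins know why gdb on kdump is denied by default. The `kdump_admin` interface begins above the hunk.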
diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if
--- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-10-05 14:34:03.753103824 -0400
@@ -239,7 +239,10 @@ interface(`kismet_admin',`
')
ps_process_pattern($1, kismet_t)
- allow $1 kismet_t:process { ptrace signal_perms };
+ allow $1 kismet_t:process signal_perms;
+ tunable_policy(`allow_ptrace',`
+ allow $1 kismet_t:process ptrace;
+ ')
kismet_manage_pid_files($1)
kismet_manage_lib($1)
diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te
--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-10-05 14:34:03.267103307 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-10-05 14:34:03.753103824 -0400
@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
# Local policy
#
-allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
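Review bot: `sys_ptrace` is removed from kudzu_t outright, with neither the `tunable_policy(`allow_ptrace',…)` block used for ncftool_t and rpm_script_t nor the `dontaudit` used for shorewall_t and chrome_sandbox_t, so any real use by kudzu (reading another uid's /proc/<pid> entries is the usual trigger) will surface as AVC denials with no documented way to re-enable it. If the capability was never exercised, say so and silence it with `dontaudit kudzu_t self:capability sys_ptrace;`; otherwise gate it under `allow_ptrace` like the other domains in this patch.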
diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te
--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-10-05 14:34:03.268103309 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-10-05 14:34:03.754103825 -0400
@@ -31,7 +31,7 @@ files_type(logrotate_var_lib_t)
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
# for mailx
-dontaudit logrotate_t self:capability { sys_ptrace };
+dontaudit logrotate_t self:capability sys_ptrace;
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te
--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-10-05 14:34:03.273103314 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-10-05 14:34:03.754103825 -0400
@@ -17,7 +17,11 @@ role system_r types ncftool_t;
# ncftool local policy
#
-allow ncftool_t self:capability { net_admin sys_ptrace };
+allow ncftool_t self:capability net_admin;
+tunable_policy(`allow_ptrace',`
+ allow ncftool_t self:capability sys_ptrace;
+')
+
allow ncftool_t self:process signal;
diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-10-05 14:34:03.700103767 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-10-05 14:34:03.755103826 -0400
@@ -248,7 +248,11 @@ optional_policy(`
# rpm-script Local policy
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+tunable_policy(`allow_ptrace',`
+ allow rpm_script_t self:capability sys_ptrace;
+')
+
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
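Review bot: Gating only `self:capability sys_ptrace` does little against a malicious scriptlet: rpm scriptlets run as root, and tracing another dumpable root-owned process needs no CAP_SYS_PTRACE at all, so the `domain:process ptrace` vector is what actually decides. The `self:process ~{ ptrace … }` line already withholds self-ptrace, but if rpm_script_t is granted ptrace on other domains elsewhere in rpm.te (outside this hunk) that grant needs the same `tunable_policy` treatment, otherwise this change is mostly cosmetic for the scriptlet threat model. A one-line comment above the block stating what the gate is meant to prevent would make the intent checkable.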
diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te
--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-10-05 14:34:03.288103330 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-10-05 14:34:03.755103826 -0400
@@ -23,7 +23,11 @@ files_tmp_file(sectool_tmp_t)
# sectool local policy
#
-allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
+tunable_policy(`allow_ptrace',`
+ allow sectoolm_t self:capability sys_ptrace;
+')
+
allow sectoolm_t self:process { getcap getsched signull setsched };
dontaudit sectoolm_t self:process { execstack execmem };
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if
--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-10-05 14:34:03.288103330 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-10-05 14:34:03.756103827 -0400
@@ -139,8 +139,11 @@ interface(`shorewall_admin',`
type shorewall_tmp_t, shorewall_etc_t;
')
- allow $1 shorewall_t:process { ptrace signal_perms };
+ allow $1 shorewall_t:process signal_perms;
ps_process_pattern($1, shorewall_t)
+ tunable_policy(`allow_ptrace',`
+ allow $1 shorewall_t:process ptrace;
+ ')
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te
--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-10-05 14:34:03.289103331 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-10-05 14:34:03.757103828 -0400
@@ -37,8 +37,8 @@ logging_log_file(shorewall_log_t)
# shorewall local policy
#
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
-dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
+dontaudit shorewall_t self:capability { sys_tty_config sys_ptrace };
allow shorewall_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
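Review bot: shorewall_t is handled with `dontaudit … sys_ptrace` while the neighbouring domains in this patch (sosreport_t, ncftool_t, vmware_host_t) get a `tunable_policy(`allow_ptrace',…)` grant, and nothing records why the two strategies differ. A dontaudit means an admin who turns on `allow_ptrace` still gets no ptrace for shorewall and never sees the denial, so if shorewall merely probes the capability that should be stated on the line: `# shorewall only probes for sys_ptrace; it is never needed, so silence rather than grant it`. If it is ever genuinely needed, use the tunable form instead so the boolean behaves uniformly.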
diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te
--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-10-05 14:34:03.291103333 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-10-05 14:34:03.757103828 -0400
@@ -21,7 +21,11 @@ files_tmpfs_file(sosreport_tmpfs_t)
# sosreport local policy
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
+tunable_policy(`allow_ptrace',`
+ allow sosreport_t self:capability sys_ptrace;
+')
+
allow sosreport_t self:process { setsched signull };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket create_stream_socket_perms;
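Review bot: sosreport_t is a diagnostics collector that walks the process table, so with `allow_ptrace` off (its default is not visible in this patch) plugins that read other uids' /proc/<pid>/environ, /proc/<pid>/maps or /proc/<pid>/exe will now fail, and the failure will show up only as an AVC denial inside the report rather than as an obvious error. That may be the intended trade-off, but it should be recorded next to the block, e.g. `# sys_ptrace is needed only by per-process plugins; enable allow_ptrace when collecting them`, and the change exercised once with the boolean off.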
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-10-05 14:34:03.722103791 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-05 14:34:03.758103829 -0400
@@ -433,7 +433,11 @@ optional_policy(`
# Useradd local policy
#
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+tunable_policy(`allow_ptrace',`
+ allow useradd_t self:capability sys_ptrace;
+')
+
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te
--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-10-05 14:34:03.302103345 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-10-05 14:34:03.758103829 -0400
@@ -21,7 +21,9 @@ ubac_constrained(chrome_sandbox_tmpfs_t)
#
# chrome_sandbox local policy
#
-allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
+dontaudit chrome_sandbox_t self:capability sys_ptrace;
+
allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
allow chrome_sandbox_t self:process setsched;
allow chrome_sandbox_t self:fifo_file manage_file_perms;
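Review bot: Converting chrome_sandbox_t's `sys_ptrace` to a `dontaudit` is the right shape for a setuid sandbox helper, but the reason is not written down, and a future reader will see the sandbox still holding `sys_admin` and `sys_chroot` and wonder why ptrace alone is silenced rather than gated. If the capability is only probed at startup (the usual reason for a dontaudit in this policy), say so: `# the sandbox helper probes sys_ptrace but never traces; silence it so the denial does not mask real problems`; if that is unconfirmed, mark the comment as an assumption.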
diff -up serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te
--- serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace 2011-10-05 14:34:03.302103345 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te 2011-10-05 14:34:03.759103830 -0400
@@ -14,7 +14,11 @@ application_domain(cpufreqselector_t, cp
# cpufreq-selector local policy
#
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+allow cpufreqselector_t self:capability sys_nice;
+tunable_policy(`allow_ptrace',`
+ allow cpufreqselector_t self:capability sys_ptrace;
+')
+
allow cpufreqselector_t self:process getsched;
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
allow cpufreqselector_t self:process getsched;
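Review bot: The two `allow cpufreqselector_t self:process getsched;` lines on either side of the fifo_file rule are duplicates; the compiler merges them, but the block reads as though two different permissions were granted. Since this block is being rewritten anyway, drop the second copy. The tunable block itself matches the form used for the other domains in the patch.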
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-10-05 14:34:03.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-05 14:35:10.651174871 -0400
@@ -59,7 +59,7 @@ template(`execmem_role_template',`
userdom_unpriv_usertype($1, $1_execmem_t)
allow $1_execmem_t self:process { execmem execstack };
- allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
+ allow $3 $1_execmem_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
files_execmod_tmp($1_execmem_t)
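Review bot: `ptrace` is dropped from the `$3` → `$1_execmem_t` rule unconditionally, whereas the admin interfaces in this same patch (kdump_admin, kismet_admin, shorewall_admin) keep the permission behind `tunable_policy(`allow_ptrace',…)`. A confined user who enables the boolean to debug a JIT application in their own execmem domain with gdb will therefore still be denied. For consistency add after the allow line `tunable_policy(`allow_ptrace',` allow $3 $1_execmem_t:process ptrace; ')`. The same asymmetry recurs in the java, mono, wine and openoffice role templates below; `execmem_role_template` begins above the hunk.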
diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if
--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-10-05 14:34:03.307103350 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-10-05 14:34:03.760103831 -0400
@@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',`
auth_use_nsswitch($1_gkeyringd_t)
ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
-
+ allow $3 $1_gkeyringd_t:process signal_perms;
dontaudit $3 gkeyringd_exec_t:file entrypoint;
stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.te
--- serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace 2011-10-05 14:34:03.308103351 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/gnome.te 2011-10-05 14:34:03.761103832 -0400
@@ -119,7 +119,11 @@ optional_policy(`
# gconf-defaults-mechanisms local policy
#
-allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
+allow gconfdefaultsm_t self:capability { dac_override sys_nice };
+tunable_policy(`allow_ptrace',`
+ allow gconfdefaultsm_t self:capability sys_ptrace;
+')
+
allow gconfdefaultsm_t self:process getsched;
allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
@@ -168,7 +172,10 @@ tunable_policy(`use_samba_home_dirs',`
# gnome-system-monitor-mechanisms local policy
#
-allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
+allow gnomesystemmm_t self:capability sys_nice;
+tunable_policy(`allow_ptrace',`
+ allow gnomesystemmm_t self:capability sys_ptrace;
+')
allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(gnomesystemmm_t)
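Review bot: The `tunable_policy` block for gnomesystemmm_t is not followed by a blank line, unlike the matching block for gconfdefaultsm_t in the hunk above and every other domain in this patch, so the conditional grant runs visually into the unconditional fifo_file rule. Add the separating blank line after `')`. It is also worth checking (outside this hunk) that the gnome-system-monitor mechanism still does its job with the boolean off, since inspecting other users' processes is its purpose.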
diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if
--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-10-05 14:34:03.311103354 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-10-05 14:34:03.761103832 -0400
@@ -33,7 +33,7 @@ interface(`irc_role',`
domtrans_pattern($2, irssi_exec_t, irssi_t)
- allow $2 irssi_t:process { ptrace signal_perms };
+ allow $2 irssi_t:process signal_perms;
ps_process_pattern($2, irssi_t)
manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if
--- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-10-05 14:34:03.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-05 14:35:00.396163979 -0400
@@ -76,11 +76,11 @@ template(`java_role_template',`
userdom_manage_tmpfs_role($2)
userdom_manage_tmpfs($1_java_t)
- allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+ allow $1_java_t self:process { signal getsched execmem execstack };
dontaudit $1_java_t $3:tcp_socket { read write };
- allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
+ allow $3 $1_java_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, java_exec_t, $1_java_t)
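Review bot: Removing `ptrace` from `$1_java_t self:process` is a behavioural change for the JVM itself, not only for the user debugging it, and unlike the `$3` rule it has no counterpart under `allow_ptrace` anywhere in the patch. A runtime that forks a helper to attach to its own process (crash handlers and some profilers do) will now be denied with no boolean to turn on; consider gating both removed permissions: `tunable_policy(`allow_ptrace',` allow $1_java_t self:process ptrace; allow $3 $1_java_t:process ptrace; ')`. `java_role_template` begins above the hunk.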
diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te
--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-10-05 14:34:03.315103358 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-10-05 14:34:03.763103834 -0400
@@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t)
dontaudit livecd_t self:capability2 mac_admin;
-domain_ptrace_all_domains(livecd_t)
+tunable_policy(`allow_ptrace',`
+ domain_ptrace_all_domains(livecd_t)
+')
+
domain_interactive_fd(livecd_t)
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
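Review bot: `domain_ptrace_all_domains(livecd_t)` is now expanded inside a `tunable_policy` block, which only works as long as that interface expands to nothing but AV rules and its `gen_require`; conditional blocks cannot contain type or attribute declarations, so if the interface is ever changed to assign a typeattribute the livecd module will stop building. Safer is to keep the interface call out of the conditional and gate the rule directly: `tunable_policy(`allow_ptrace',` allow livecd_t domain:process ptrace; ')` with `gen_require(` attribute domain; ')` above it. Either way a comment stating that livecd_t intentionally keeps ptrace-all under the boolean would help the next reader.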
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if
--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-10-05 14:34:03.724103793 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-05 14:34:03.764103835 -0400
@@ -40,8 +40,8 @@ template(`mono_role_template',`
domain_interactive_fd($1_mono_t)
application_type($1_mono_t)
- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+ allow $1_mono_t self:process { signal getsched execheap execmem execstack };
+ allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, mono_exec_t, $1_mono_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te
--- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-10-05 14:34:03.765103836 -0400
@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
# Local policy
#
-allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
+allow mono_t self:process { signal getsched execheap execmem execstack };
init_dbus_chat_script(mono_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-10-05 14:34:03.724103793 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-05 14:34:03.765103836 -0400
@@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',`
allow mozilla_plugin_t $1:sem create_sem_perms;
ps_process_pattern($1, mozilla_plugin_t)
- allow $1 mozilla_plugin_t:process { ptrace signal_perms };
+ allow $1 mozilla_plugin_t:process signal_perms;
')
########################################
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-10-05 14:34:03.726103795 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-05 14:34:03.766103837 -0400
@@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', `
dontaudit nsplugin_t $2:shm destroy;
allow $2 nsplugin_t:sem rw_sem_perms;
- allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+ allow $2 nsplugin_t:process { getattr signal_perms };
allow $2 nsplugin_t:unix_stream_socket connectto;
# Connect to pulseaudit server
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-10-05 14:34:03.726103795 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-05 14:34:03.766103837 -0400
@@ -54,7 +54,7 @@ application_executable_file(nsplugin_con
#
dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
allow nsplugin_t self:fifo_file rw_file_perms;
-allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
allow nsplugin_t self:sem create_sem_perms;
allow nsplugin_t self:shm create_shm_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if
--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-10-05 14:34:03.323103367 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-10-05 14:34:03.767103838 -0400
@@ -69,7 +69,7 @@ interface(`openoffice_role_template',`
allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
- allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+ allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
allow $1_openoffice_t $3:tcp_socket { read write };
domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te
--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-10-05 14:34:03.705103773 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-10-05 14:34:03.768103840 -0400
@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t)
# podsleuth local policy
#
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if
--- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-10-05 14:34:03.768103840 -0400
@@ -31,9 +31,9 @@ interface(`uml_role',`
allow $2 uml_t:unix_dgram_socket sendto;
allow uml_t $2:unix_dgram_socket sendto;
- # allow ps, ptrace, signal
+ # allow ps, signal
ps_process_pattern($2, uml_t)
- allow $2 uml_t:process { ptrace signal_perms };
+ allow $2 uml_t:process signal_perms;
allow $2 uml_ro_t:dir list_dir_perms;
read_files_pattern($2, uml_ro_t, uml_ro_t)
diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te
--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-10-05 14:34:03.335103380 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-10-05 14:34:03.769103841 -0400
@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t)
#
allow uml_t self:fifo_file rw_fifo_file_perms;
-allow uml_t self:process { signal_perms ptrace };
+allow uml_t self:process signal_perms;
allow uml_t self:unix_stream_socket create_stream_socket_perms;
allow uml_t self:unix_dgram_socket create_socket_perms;
# Use the network.
diff -up serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace serefpolicy-3.10.0/policy/modules/apps/vmware.te
--- serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace 2011-10-05 14:34:03.338103383 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/vmware.te 2011-10-05 14:34:03.770103842 -0400
@@ -72,7 +72,11 @@ ifdef(`enable_mcs',`
# VMWare host local policy
#
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
+tunable_policy(`allow_ptrace',`
+ allow vmware_host_t self:capability sys_ptrace;
+')
+
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if
--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-10-05 14:34:03.729103798 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-05 14:34:03.771103843 -0400
@@ -100,7 +100,7 @@ template(`wine_role_template',`
role $2 types $1_wine_t;
allow $1_wine_t self:process { execmem execstack };
- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
domtrans_pattern($3, wine_exec_t, $1_wine_t)
corecmd_bin_domtrans($1_wine_t, $1_t)
diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te
--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-10-05 14:34:03.352103398 -0400
+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-10-05 14:34:03.771103843 -0400
@@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
# Act upon any other process.
-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
+tunable_policy(`allow_ptrace',`
+ allow unconfined_domain_type domain:process ptrace;
+')
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
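Review bot: Excluding `ptrace` from the `unconfined_domain_type domain:process` wildcard changes the default for every unconfined domain, so gdb, strace and crash handlers run from unconfined_t will be denied until `allow_ptrace` is switched on — and the boolean's declaration, default and description are not in this hunk, so a reader cannot tell whether the default is off. The block deserves a comment saying exactly that: `# ptrace is withheld even from unconfined domains unless allow_ptrace is set; see the tunable description`. `self:capability sys_ptrace` for unconfined domains is presumably granted elsewhere and is untouched here, which is fine because the process-class check is what gates tracing.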
diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te
--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-10-05 14:34:03.360103406 -0400
+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-10-05 14:34:03.772103844 -0400
@@ -191,7 +191,11 @@ sid tcp_socket gen_context(system_u:obj
# kernel local policy
#
-allow kernel_t self:capability *;
+allow kernel_t self:capability ~{ sys_ptrace };
+tunable_policy(`allow_ptrace',`
+ allow kernel_t self:capability sys_ptrace;
+')
+
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
allow kernel_t self:sem create_sem_perms;
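Review bot: kernel_t is not only kernel threads: usermode helpers launched via call_usermodehelper (hotplug/modprobe, core_pattern pipe handlers) run in kernel_t unless a domain transition is defined for them, and a core-dump handler that reads /proc/<pid>/exe or /proc/<pid>/maps of a crashing task owned by another uid needs CAP_SYS_PTRACE. With `allow_ptrace` off such helpers will now fail with an AVC on `self:capability sys_ptrace`, which is easy to miss because the crash is what the admin is looking at. Worth verifying the core-dump path with the boolean off, and adding a comment on the `~{ sys_ptrace }` line naming the tunable so the exclusion is not read as an accident.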
@@ -442,7 +446,7 @@ allow kern_unconfined unlabeled_t:dir_fi
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
gen_require(`
bool secure_mode_insmod;
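Review bot: `ptrace` is excluded from the `kern_unconfined unlabeled_t:process` wildcard without a `tunable_policy` re-grant, whereas the parallel `unconfined_domain_type domain:process` rule in domain.te gets one, so enabling `allow_ptrace` restores tracing of labelled domains but not of unlabeled_t processes. If that asymmetry is intentional (unlabeled processes should never be traceable), a one-line comment saying so would stop it being "fixed" later; otherwise add `tunable_policy(`allow_ptrace',` allow kern_unconfined unlabeled_t:process ptrace; ')` after the rule.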
diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te
--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-10-05 14:34:03.367103414 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-10-05 14:34:03.772103844 -0400
@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
# database admin local policy
#
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_override dac_read_search };
files_dontaudit_search_all_dirs(dbadm_t)
files_delete_generic_locks(dbadm_t)
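Review bot: dbadm_t loses `sys_ptrace` unconditionally while the daemon domains in this patch keep it behind `allow_ptrace`, so a database administrator who needs to attach gdb or strace to a server running as another uid has no boolean to flip. If the intent is that admin roles obtain ptrace only through the `*_admin` interfaces (presumably gated the same way as kdump_admin here), note that on the capability line: `# ptrace on managed daemons comes via the *_admin interfaces under allow_ptrace`; otherwise gate the capability like the other domains.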
diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te
--- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace 2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-10-05 14:34:03.773103845 -0400
@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
# logadmin local policy
#
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
-
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
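Review bot: logadm_t's `sys_ptrace` is dropped with no `tunable_policy` fallback, and logadm_r has a plausible need for it (tracing a stuck syslog daemon that runs as another uid). Either gate it — `tunable_policy(`allow_ptrace',` allow logadm_t self:capability sys_ptrace; ')` — or document that admin roles are expected to get ptrace only through the gated `logging_admin` interface. The blank line removed before `logging_admin(...)` also makes this block denser than the other role files; keep it for consistency.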
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-10-05 14:34:03.706103774 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-05 14:34:03.774103846 -0400
@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
# Declarations
#
-##