diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables --- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-10-05 14:34:03.252103292 -0400 +++ serefpolicy-3.10.0/policy/global_tunables 2011-10-05 14:34:03.751103821 -0400 @@ -6,6 +6,13 @@ ## ##

+## Allow sysadm to debug or ptrace all processes. +##

+##
+gen_tunable(allow_ptrace, false) + +## +##

## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

##
diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if --- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-10-05 14:34:03.265103305 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-10-05 14:34:03.752103823 -0400 @@ -140,8 +140,11 @@ interface(`kdump_admin',` type kdump_initrc_exec_t; ') - allow $1 kdump_t:process { ptrace signal_perms }; + allow $1 kdump_t:process signal_perms; ps_process_pattern($1, kdump_t) + tunable_policy(`allow_ptrace',` + allow $1 kdump_t:process ptrace; + ') init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if --- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-10-05 14:34:03.753103824 -0400 @@ -239,7 +239,10 @@ interface(`kismet_admin',` ') ps_process_pattern($1, kismet_t) - allow $1 kismet_t:process { ptrace signal_perms }; + allow $1 kismet_t:process signal_perms; + tunable_policy(`allow_ptrace',` + allow $1 kismet_t:process ptrace; + ') kismet_manage_pid_files($1) kismet_manage_lib($1) diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te --- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-10-05 14:34:03.267103307 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-10-05 14:34:03.753103824 -0400 @@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t) # Local policy # -allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; +allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; dontaudit kudzu_t self:capability sys_tty_config; allow kudzu_t self:process { signal_perms execmem }; allow kudzu_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te --- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-10-05 14:34:03.268103309 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-10-05 14:34:03.754103825 -0400 @@ -31,7 +31,7 @@ files_type(logrotate_var_lib_t) # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; # for mailx -dontaudit logrotate_t self:capability { sys_ptrace }; +dontaudit logrotate_t self:capability sys_ptrace; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te --- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-10-05 14:34:03.273103314 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-10-05 14:34:03.754103825 -0400 @@ -17,7 +17,11 @@ role system_r types ncftool_t; # ncftool local policy # -allow ncftool_t self:capability { net_admin sys_ptrace }; +allow ncftool_t self:capability net_admin; +tunable_policy(`allow_ptrace',` + allow ncftool_t self:capability sys_ptrace; +') + allow ncftool_t self:process signal; diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te --- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-10-05 14:34:03.700103767 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-10-05 14:34:03.755103826 -0400 @@ -248,7 +248,11 @@ optional_policy(` # rpm-script Local policy # -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; +tunable_policy(`allow_ptrace',` + allow rpm_script_t self:capability sys_ptrace; +') + allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te --- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-10-05 14:34:03.288103330 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-10-05 14:34:03.755103826 -0400 @@ -23,7 +23,11 @@ files_tmp_file(sectool_tmp_t) # sectool local policy # -allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; +allow sectoolm_t self:capability { dac_override net_admin sys_nice }; +tunable_policy(`allow_ptrace',` + allow sectoolm_t self:capability sys_ptrace; +') + allow sectoolm_t self:process { getcap getsched signull setsched }; dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if --- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-10-05 14:34:03.288103330 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-10-05 14:34:03.756103827 -0400 @@ -139,8 +139,11 @@ interface(`shorewall_admin',` type shorewall_tmp_t, shorewall_etc_t; ') - allow $1 shorewall_t:process { ptrace signal_perms }; + allow $1 shorewall_t:process signal_perms; ps_process_pattern($1, shorewall_t) + tunable_policy(`allow_ptrace',` + allow $1 shorewall_t:process ptrace; + ') init_labeled_script_domtrans($1, shorewall_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te --- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-10-05 14:34:03.289103331 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-10-05 14:34:03.757103828 -0400 @@ -37,8 +37,8 @@ logging_log_file(shorewall_log_t) # shorewall local policy # -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; -dontaudit shorewall_t self:capability sys_tty_config; +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice }; +dontaudit shorewall_t self:capability { sys_tty_config sys_ptrace }; allow shorewall_t self:fifo_file rw_fifo_file_perms; read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te --- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-10-05 14:34:03.291103333 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-10-05 14:34:03.757103828 -0400 @@ -21,7 +21,11 @@ files_tmpfs_file(sosreport_tmpfs_t) # sosreport local policy # -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; +tunable_policy(`allow_ptrace',` + allow sosreport_t self:capability sys_ptrace; +') + allow sosreport_t self:process { setsched signull }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te --- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-10-05 14:34:03.722103791 -0400 +++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-05 14:34:03.758103829 -0400 @@ -433,7 +433,11 @@ optional_policy(` # Useradd local policy # -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace }; +allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; +tunable_policy(`allow_ptrace',` + allow useradd_t self:capability sys_ptrace; +') + dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te --- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-10-05 14:34:03.302103345 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-10-05 14:34:03.758103829 -0400 @@ -21,7 +21,9 @@ ubac_constrained(chrome_sandbox_tmpfs_t) # # chrome_sandbox local policy # -allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot }; +dontaudit chrome_sandbox_t self:capability sys_ptrace; + allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; allow chrome_sandbox_t self:process setsched; allow chrome_sandbox_t self:fifo_file manage_file_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te --- serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace 2011-10-05 14:34:03.302103345 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te 2011-10-05 14:34:03.759103830 -0400 @@ -14,7 +14,11 @@ application_domain(cpufreqselector_t, cp # cpufreq-selector local policy # -allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; +allow cpufreqselector_t self:capability sys_nice; +tunable_policy(`allow_ptrace',` + allow cpufreqselector_t self:capability sys_ptrace; +') + allow cpufreqselector_t self:process getsched; allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; allow cpufreqselector_t self:process getsched; diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if --- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-10-05 14:34:03.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-05 14:35:10.651174871 -0400 @@ -59,7 +59,7 @@ template(`execmem_role_template',` userdom_unpriv_usertype($1, $1_execmem_t) allow $1_execmem_t self:process { execmem execstack }; - allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; + allow $3 $1_execmem_t:process { getattr noatsecure signal_perms }; domtrans_pattern($3, execmem_exec_t, $1_execmem_t) files_execmod_tmp($1_execmem_t) diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if --- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-10-05 14:34:03.307103350 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-10-05 14:34:03.760103831 -0400 @@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',` auth_use_nsswitch($1_gkeyringd_t) ps_process_pattern($3, $1_gkeyringd_t) - allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; - + allow $3 $1_gkeyringd_t:process signal_perms; dontaudit $3 gkeyringd_exec_t:file entrypoint; stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.te --- serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace 2011-10-05 14:34:03.308103351 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/gnome.te 2011-10-05 14:34:03.761103832 -0400 @@ -119,7 +119,11 @@ optional_policy(` # gconf-defaults-mechanisms local policy # -allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace }; +allow gconfdefaultsm_t self:capability { dac_override sys_nice }; +tunable_policy(`allow_ptrace',` + allow gconfdefaultsm_t self:capability sys_ptrace; +') + allow gconfdefaultsm_t self:process getsched; allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; @@ -168,7 +172,10 @@ tunable_policy(`use_samba_home_dirs',` # gnome-system-monitor-mechanisms local policy # -allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; +allow gnomesystemmm_t self:capability sys_nice; +tunable_policy(`allow_ptrace',` + allow gnomesystemmm_t self:capability sys_ptrace; +') allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; kernel_read_system_state(gnomesystemmm_t) diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if --- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-10-05 14:34:03.311103354 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-10-05 14:34:03.761103832 -0400 @@ -33,7 +33,7 @@ interface(`irc_role',` domtrans_pattern($2, irssi_exec_t, irssi_t) - allow $2 irssi_t:process { ptrace signal_perms }; + allow $2 irssi_t:process signal_perms; ps_process_pattern($2, irssi_t) manage_dirs_pattern($2, irssi_home_t, irssi_home_t) diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if --- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-10-05 14:34:03.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-05 14:35:00.396163979 -0400 @@ -76,11 +76,11 @@ template(`java_role_template',` userdom_manage_tmpfs_role($2) userdom_manage_tmpfs($1_java_t) - allow $1_java_t self:process { ptrace signal getsched execmem execstack }; + allow $1_java_t self:process { signal getsched execmem execstack }; dontaudit $1_java_t $3:tcp_socket { read write }; - allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms }; + allow $3 $1_java_t:process { getattr noatsecure signal_perms }; domtrans_pattern($3, java_exec_t, $1_java_t) diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te --- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-10-05 14:34:03.315103358 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-10-05 14:34:03.763103834 -0400 @@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t) dontaudit livecd_t self:capability2 mac_admin; -domain_ptrace_all_domains(livecd_t) +tunable_policy(`allow_ptrace',` + domain_ptrace_all_domains(livecd_t) +') + domain_interactive_fd(livecd_t) manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if --- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-10-05 14:34:03.724103793 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-05 14:34:03.764103835 -0400 @@ -40,8 +40,8 @@ template(`mono_role_template',` domain_interactive_fd($1_mono_t) application_type($1_mono_t) - allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; - allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; + allow $1_mono_t self:process { signal getsched execheap execmem execstack }; + allow $3 $1_mono_t:process { getattr noatsecure signal_perms }; domtrans_pattern($3, mono_exec_t, $1_mono_t) diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te --- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-10-05 14:34:03.765103836 -0400 @@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) # Local policy # -allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; +allow mono_t self:process { signal getsched execheap execmem execstack }; init_dbus_chat_script(mono_t) diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if --- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-10-05 14:34:03.724103793 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-05 14:34:03.765103836 -0400 @@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',` allow mozilla_plugin_t $1:sem create_sem_perms; ps_process_pattern($1, mozilla_plugin_t) - allow $1 mozilla_plugin_t:process { ptrace signal_perms }; + allow $1 mozilla_plugin_t:process signal_perms; ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if --- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-10-05 14:34:03.726103795 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-05 14:34:03.766103837 -0400 @@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', ` dontaudit nsplugin_t $2:shm destroy; allow $2 nsplugin_t:sem rw_sem_perms; - allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:process { getattr signal_perms }; allow $2 nsplugin_t:unix_stream_socket connectto; # Connect to pulseaudit server diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te --- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-10-05 14:34:03.726103795 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-05 14:34:03.766103837 -0400 @@ -54,7 +54,7 @@ application_executable_file(nsplugin_con # dontaudit nsplugin_t self:capability { sys_nice sys_tty_config }; allow nsplugin_t self:fifo_file rw_file_perms; -allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; +allow nsplugin_t self:process { setpgid getsched setsched signal_perms }; allow nsplugin_t self:sem create_sem_perms; allow nsplugin_t self:shm create_shm_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if --- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-10-05 14:34:03.323103367 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-10-05 14:34:03.767103838 -0400 @@ -69,7 +69,7 @@ interface(`openoffice_role_template',` allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; - allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; + allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh }; allow $1_openoffice_t $3:tcp_socket { read write }; domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te --- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-10-05 14:34:03.705103773 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-10-05 14:34:03.768103840 -0400 @@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t) # podsleuth local policy # allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; -allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; +allow podsleuth_t self:process { signal signull getsched execheap execmem execstack }; + allow podsleuth_t self:fifo_file rw_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; allow podsleuth_t self:sem create_sem_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if --- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-10-05 14:34:03.768103840 -0400 @@ -31,9 +31,9 @@ interface(`uml_role',` allow $2 uml_t:unix_dgram_socket sendto; allow uml_t $2:unix_dgram_socket sendto; - # allow ps, ptrace, signal + # allow ps, signal ps_process_pattern($2, uml_t) - allow $2 uml_t:process { ptrace signal_perms }; + allow $2 uml_t:process signal_perms; allow $2 uml_ro_t:dir list_dir_perms; read_files_pattern($2, uml_ro_t, uml_ro_t) diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te --- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-10-05 14:34:03.335103380 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-10-05 14:34:03.769103841 -0400 @@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t) # allow uml_t self:fifo_file rw_fifo_file_perms; -allow uml_t self:process { signal_perms ptrace }; +allow uml_t self:process signal_perms; allow uml_t self:unix_stream_socket create_stream_socket_perms; allow uml_t self:unix_dgram_socket create_socket_perms; # Use the network. diff -up serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace serefpolicy-3.10.0/policy/modules/apps/vmware.te --- serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace 2011-10-05 14:34:03.338103383 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/vmware.te 2011-10-05 14:34:03.770103842 -0400 @@ -72,7 +72,11 @@ ifdef(`enable_mcs',` # VMWare host local policy # -allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; +allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override }; +tunable_policy(`allow_ptrace',` + allow vmware_host_t self:capability sys_ptrace; +') + dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if --- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-10-05 14:34:03.729103798 -0400 +++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-05 14:34:03.771103843 -0400 @@ -100,7 +100,7 @@ template(`wine_role_template',` role $2 types $1_wine_t; allow $1_wine_t self:process { execmem execstack }; - allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; + allow $3 $1_wine_t:process { getattr noatsecure signal_perms }; domtrans_pattern($3, wine_exec_t, $1_wine_t) corecmd_bin_domtrans($1_wine_t, $1_t) diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te --- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-10-05 14:34:03.352103398 -0400 +++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-10-05 14:34:03.771103843 -0400 @@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo allow unconfined_domain_type unconfined_domain_type:dbus send_msg; # Act upon any other process. -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; +allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; +tunable_policy(`allow_ptrace',` + allow unconfined_domain_type domain:process ptrace; +') # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te --- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-10-05 14:34:03.360103406 -0400 +++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-10-05 14:34:03.772103844 -0400 @@ -191,7 +191,11 @@ sid tcp_socket gen_context(system_u:obj # kernel local policy # -allow kernel_t self:capability *; +allow kernel_t self:capability ~{ sys_ptrace }; +tunable_policy(`allow_ptrace',` + allow kernel_t self:capability sys_ptrace; +') + allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; allow kernel_t self:sem create_sem_perms; @@ -442,7 +446,7 @@ allow kern_unconfined unlabeled_t:dir_fi allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; -allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; +allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap }; gen_require(` bool secure_mode_insmod; diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te --- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-10-05 14:34:03.367103414 -0400 +++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-10-05 14:34:03.772103844 -0400 @@ -28,7 +28,7 @@ userdom_base_user_template(dbadm) # database admin local policy # -allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; +allow dbadm_t self:capability { dac_override dac_read_search }; files_dontaudit_search_all_dirs(dbadm_t) files_delete_generic_locks(dbadm_t) diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te --- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-10-05 14:34:03.773103845 -0400 @@ -14,6 +14,5 @@ userdom_base_user_template(logadm) # logadmin local policy # -allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; - +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te --- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-10-05 14:34:03.706103774 -0400 +++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-05 14:34:03.774103846 -0400 @@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1) # Declarations # -## -##

-## Allow sysadm to debug or ptrace all processes. -##

-##
-gen_tunable(allow_ptrace, false) - role sysadm_r; userdom_admin_user_template(sysadm) diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te --- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-10-05 14:34:03.372103419 -0400 +++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-10-05 14:34:03.774103846 -0400 @@ -28,7 +28,7 @@ userdom_base_user_template(webadm) # webadmin local policy # -allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; +allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; files_dontaudit_search_all_dirs(webadm_t) files_manage_generic_locks(webadm_t) diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if --- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-10-05 14:34:03.374103421 -0400 +++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-10-05 14:34:03.775103847 -0400 @@ -333,9 +333,13 @@ interface(`abrt_admin',` type abrt_initrc_exec_t; ') - allow $1 abrt_t:process { ptrace signal_perms }; + allow $1 abrt_t:process { signal_perms }; ps_process_pattern($1, abrt_t) + tunable_policy(`allow_ptrace',` + allow $1 abrt_t:process ptrace; + ') + init_labeled_script_domtrans($1, abrt_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 abrt_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if --- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-10-05 14:34:03.375103422 -0400 +++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-10-05 14:34:03.775103847 -0400 @@ -138,8 +138,12 @@ interface(`accountsd_admin',` type accountsd_t; ') - allow $1 accountsd_t:process { ptrace signal_perms }; + allow $1 accountsd_t:process signal_perms; ps_process_pattern($1, accountsd_t) + tunable_policy(`allow_ptrace',` + allow $1 acountsd_t:process ptrace; + ') + accountsd_manage_lib_files($1) ') diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te --- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-10-05 14:34:03.376103423 -0400 +++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-10-05 14:34:03.776103848 -0400 @@ -19,10 +19,14 @@ files_type(accountsd_var_lib_t) # accountsd local policy # -allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; +allow accountsd_t self:capability { dac_override setuid setgid }; allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; +tunable_policy(`allow_ptrace',` + allow accountsd_t self:capability sys_ptrace; +') + manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir }) diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if --- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-10-05 14:34:03.376103423 -0400 +++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-10-05 14:34:03.776103848 -0400 @@ -97,9 +97,13 @@ interface(`afs_admin',` type afs_t, afs_initrc_exec_t; ') - allow $1 afs_t:process { ptrace signal_perms }; + allow $1 afs_t:process signal_perms; ps_process_pattern($1, afs_t) + tunable_policy(`allow_ptrace',` + allow $1 afs_t:process ptrace; + ') + # Allow afs_admin to restart the afs service afs_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if --- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-10-05 14:34:03.777103849 -0400 @@ -79,9 +79,13 @@ interface(`aiccu_admin',` type aiccu_var_run_t; ') - allow $1 aiccu_t:process { ptrace signal_perms }; + allow $1 aiccu_t:process signal_perms; ps_process_pattern($1, aiccu_t) + tunable_policy(`allow_ptrace',` + allow $1 aiccu_t:process ptrace; + ') + aiccu_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if --- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-10-05 14:34:03.378103425 -0400 +++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-10-05 14:34:03.778103850 -0400 @@ -61,9 +61,13 @@ interface(`aide_admin',` type aide_t, aide_db_t, aide_log_t; ') - allow $1 aide_t:process { ptrace signal_perms }; + allow $1 aide_t:process signal_perms; ps_process_pattern($1, aide_t) + tunable_policy(`allow_ptrace',` + allow $1 aide_t:process ptrace; + ') + files_list_etc($1) admin_pattern($1, aide_db_t) diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if --- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-10-05 14:34:03.379103426 -0400 +++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-10-05 14:34:03.778103850 -0400 @@ -82,9 +82,13 @@ interface(`aisexecd_admin',` type aisexec_initrc_exec_t; ') - allow $1 aisexec_t:process { ptrace signal_perms }; + allow $1 aisexec_t:process signal_perms; ps_process_pattern($1, aisexec_t) + tunable_policy(`allow_ptrace',` + allow $1 aisexec_t:process ptrace; + ') + init_labeled_script_domtrans($1, aisexec_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 aisexec_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if --- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-10-05 14:34:03.381103429 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-10-05 14:34:03.779103851 -0400 @@ -76,9 +76,13 @@ interface(`ajaxterm_admin',` type ajaxterm_t, ajaxterm_initrc_exec_t; ') - allow $1 ajaxterm_t:process { ptrace signal_perms }; + allow $1 ajaxterm_t:process signal_perms; ps_process_pattern($1, ajaxterm_t) + tunable_policy(`allow_ptrace',` + allow $1 ajaxterm_t:process ptrace; + ') + ajaxterm_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 ajaxterm_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if --- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-10-05 14:34:03.779103851 -0400 @@ -231,9 +231,13 @@ interface(`amavis_admin',` type amavis_initrc_exec_t; ') - allow $1 amavis_t:process { ptrace signal_perms }; + allow $1 amavis_t:process signal_perms; ps_process_pattern($1, amavis_t) + tunable_policy(`allow_ptrace',` + allow $1 amavis_t:process ptrace; + ') + amavis_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if --- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-10-05 14:34:03.744103814 -0400 +++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-10-05 14:34:03.780103852 -0400 @@ -1301,9 +1301,13 @@ interface(`apache_admin',` type httpd_unit_file_t; ') - allow $1 httpd_t:process { ptrace signal_perms }; + allow $1 httpd_t:process signal_perms; ps_process_pattern($1, httpd_t) + tunable_policy(`allow_ptrace',` + allow $1 httpd_t:process ptrace; + ') + init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 httpd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if --- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-10-05 14:34:03.781103853 -0400 @@ -146,9 +146,13 @@ interface(`apcupsd_admin',` type apcupsd_initrc_exec_t; ') - allow $1 apcupsd_t:process { ptrace signal_perms }; + allow $1 apcupsd_t:process signal_perms; ps_process_pattern($1, apcupsd_t) + tunable_policy(`allow_ptrace',` + allow $1 apcupsd_t:process ptrace; + ') + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 apcupsd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if --- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-10-05 14:34:03.387103435 -0400 +++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-10-05 14:34:03.781103853 -0400 @@ -137,9 +137,13 @@ interface(`arpwatch_admin',` type arpwatch_initrc_exec_t; ') - allow $1 arpwatch_t:process { ptrace signal_perms }; + allow $1 arpwatch_t:process signal_perms; ps_process_pattern($1, arpwatch_t) + tunable_policy(`allow_ptrace',` + allow $1 arpwatch_t:process ptrace; + ') + arpwatch_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 arpwatch_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if --- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-10-05 14:34:03.389103437 -0400 +++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-10-05 14:34:03.782103854 -0400 @@ -64,9 +64,13 @@ interface(`asterisk_admin',` type asterisk_initrc_exec_t; ') - allow $1 asterisk_t:process { ptrace signal_perms }; + allow $1 asterisk_t:process signal_perms; ps_process_pattern($1, asterisk_t) + tunable_policy(`allow_ptrace',` + allow $1 asterisk_t:process ptrace; + ') + init_labeled_script_domtrans($1, asterisk_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if --- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-10-05 14:34:03.390103438 -0400 +++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-10-05 14:34:03.783103855 -0400 @@ -150,9 +150,13 @@ interface(`automount_admin',` type automount_var_run_t, automount_initrc_exec_t; ') - allow $1 automount_t:process { ptrace signal_perms }; + allow $1 automount_t:process signal_perms; ps_process_pattern($1, automount_t) + tunable_policy(`allow_ptrace',` + allow $1 automount_t:process ptrace; + ') + init_labeled_script_domtrans($1, automount_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 automount_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if --- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-10-05 14:34:03.391103439 -0400 +++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-10-05 14:34:03.783103855 -0400 @@ -154,9 +154,13 @@ interface(`avahi_admin',` type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; ') - allow $1 avahi_t:process { ptrace signal_perms }; + allow $1 avahi_t:process signal_perms; ps_process_pattern($1, avahi_t) + tunable_policy(`allow_ptrace',` + allow $1 avahi_t:process ptrace; + ') + init_labeled_script_domtrans($1, avahi_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 avahi_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if --- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-10-05 14:34:03.393103441 -0400 +++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-10-05 14:34:03.784103857 -0400 @@ -409,12 +409,20 @@ interface(`bind_admin',` type dnssec_t, ndc_t, named_keytab_t; ') - allow $1 named_t:process { ptrace signal_perms }; + allow $1 named_t:process signal_perms; ps_process_pattern($1, named_t) - allow $1 ndc_t:process { ptrace signal_perms }; + tunable_policy(`allow_ptrace',` + allow $1 named_t:process ptrace; + ') + + allow $1 ndc_t:process signal_perms; ps_process_pattern($1, ndc_t) + tunable_policy(`allow_ptrace',` + allow $1 ndc_t:process ptrace; + ') + bind_run_ndc($1, $2) init_labeled_script_domtrans($1, named_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if --- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-10-05 14:34:03.784103857 -0400 @@ -43,9 +43,13 @@ interface(`bitlbee_admin',` type bitlbee_initrc_exec_t; ') - allow $1 bitlbee_t:process { ptrace signal_perms }; + allow $1 bitlbee_t:process signal_perms; ps_process_pattern($1, bitlbee_t) + tunable_policy(`allow_ptrace',` + allow $1 bitlbee_t:process ptrace; + ') + init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if --- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-10-05 14:34:03.395103443 -0400 +++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-10-05 14:34:03.785103858 -0400 @@ -28,7 +28,11 @@ interface(`bluetooth_role',` # allow ps to show cdrecord and allow the user to kill it ps_process_pattern($2, bluetooth_helper_t) - allow $2 bluetooth_helper_t:process { ptrace signal_perms }; + allow $2 bluetooth_helper_t:process signal_perms; + + tunable_policy(`allow_ptrace',` + allow $2 bluetooth_helper_t:process ptrace; + ') manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) @@ -220,9 +224,13 @@ interface(`bluetooth_admin',` type bluetooth_conf_t, bluetooth_conf_rw_t; ') - allow $1 bluetooth_t:process { ptrace signal_perms }; + allow $1 bluetooth_t:process signal_perms; ps_process_pattern($1, bluetooth_t) + tunable_policy(`allow_ptrace',` + allow $1 bluetooth_t:process ptrace; + ') + init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 bluetooth_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if --- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-10-05 14:34:03.396103444 -0400 +++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-10-05 14:34:03.785103858 -0400 @@ -137,9 +137,13 @@ interface(`boinc_admin',` type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; ') - allow $1 boinc_t:process { ptrace signal_perms }; + allow $1 boinc_t:process signal_perms; ps_process_pattern($1, boinc_t) + tunable_policy(`allow_ptrace',` + allow $1 boic_t:process ptrace; + ') + boinc_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 boinc_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te --- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-10-05 14:34:03.709103777 -0400 +++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-10-05 14:34:03.786103859 -0400 @@ -121,9 +121,13 @@ mta_send_mail(boinc_t) domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) allow boinc_t boinc_project_t:process sigkill; -allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop }; allow boinc_project_t self:process { execmem execstack }; +tunable_policy(`allow_ptrace',` + allow boinc_project_t self:process ptrace; +') + allow boinc_project_t self:fifo_file rw_fifo_file_perms; allow boinc_project_t self:sem create_sem_perms; diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if --- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-10-05 14:34:03.398103447 -0400 +++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-10-05 14:34:03.787103860 -0400 @@ -62,9 +62,13 @@ interface(`bugzilla_admin',` type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; ') - allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; + allow $1 httpd_bugzilla_script_t:process signal_perms; ps_process_pattern($1, httpd_bugzilla_script_t) + tunable_policy(`allow_ptrace',` + allow $1 httpd_bugzilla_script_t:process ptrace; + ') + files_list_tmp($1) admin_pattern($1, httpd_bugzilla_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if --- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-10-05 14:34:03.400103449 -0400 +++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-10-05 14:34:03.787103860 -0400 @@ -336,9 +336,13 @@ interface(`callweaver_admin',` type callweaver_spool_t; ') - allow $1 callweaver_t:process { ptrace signal_perms }; + allow $1 callweaver_t:process signal_perms; ps_process_pattern($1, callweaver_t) + tunable_policy(`allow_ptrace',` + allow $1 callweaver_t:process ptrace; + ') + callweaver_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 callweaver_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if --- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-10-05 14:34:03.788103861 -0400 @@ -42,9 +42,13 @@ interface(`canna_admin',` type canna_var_run_t, canna_initrc_exec_t; ') - allow $1 canna_t:process { ptrace signal_perms }; + allow $1 canna_t:process signal_perms; ps_process_pattern($1, canna_t) + tunable_policy(`allow_ptrace',` + allow $1 canna_t:process ptrace; + ') + init_labeled_script_domtrans($1, canna_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 canna_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if --- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-10-05 14:34:03.403103452 -0400 +++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-10-05 14:34:03.788103861 -0400 @@ -119,9 +119,13 @@ interface(`certmaster_admin',` type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; ') - allow $1 certmaster_t:process { ptrace signal_perms }; + allow $1 certmaster_t:process signal_perms; ps_process_pattern($1, certmaster_t) + tunable_policy(`allow_ptrace',` + allow $1 certmaster_t:process ptrace; + ') + init_labeled_script_domtrans($1, certmaster_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 certmaster_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if --- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-10-05 14:34:03.405103454 -0400 +++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-10-05 14:34:03.790103863 -0400 @@ -158,7 +158,11 @@ interface(`certmonger_admin',` ') ps_process_pattern($1, certmonger_t) - allow $1 certmonger_t:process { ptrace signal_perms }; + allow $1 certmonger_t:process signal_perms; + + tunable_policy(`allow_ptrace',` + allow $1 certmonger_t:process ptrace; + ') # Allow certmonger_t to restart the apache service certmonger_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if --- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-10-05 14:34:03.407103456 -0400 +++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-10-05 14:34:03.790103863 -0400 @@ -171,15 +171,27 @@ interface(`cgroup_admin',` type cgrules_etc_t, cgclear_t; ') - allow $1 cgclear_t:process { ptrace signal_perms }; + allow $1 cgclear_t:process signal_perms; ps_process_pattern($1, cgclear_t) - allow $1 cgconfig_t:process { ptrace signal_perms }; + tunable_policy(`allow_ptrace',` + allow $1 cglear_t:process ptrace; + ') + + allow $1 cgconfig_t:process signal_perms; ps_process_pattern($1, cgconfig_t) - allow $1 cgred_t:process { ptrace signal_perms }; + tunable_policy(`allow_ptrace',` + allow $1 cgconfig_t:process ptrace; + ') + + allow $1 cgred_t:process signal_perms; ps_process_pattern($1, cgred_t) + tunable_policy(`allow_ptrace',` + allow $1 cgred_t:process ptrace; + ') + admin_pattern($1, cgconfig_etc_t) admin_pattern($1, cgrules_etc_t) files_list_etc($1) diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te --- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-10-05 14:34:03.407103456 -0400 +++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-10-05 14:34:03.791103864 -0400 @@ -76,7 +76,11 @@ fs_unmount_cgroup(cgconfig_t) # cgred personal policy. # -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; +allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override }; +tunable_policy(`allow_ptrace',` + allow cgred_t self:capability sys_ptrace; +') + allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if --- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-10-05 14:34:03.408103457 -0400 +++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-10-05 14:34:03.791103864 -0400 @@ -218,9 +218,13 @@ interface(`chronyd_admin',` type chronyd_keys_t; ') - allow $1 chronyd_t:process { ptrace signal_perms }; + allow $1 chronyd_t:process signal_perms; ps_process_pattern($1, chronyd_t) + tunable_policy(`allow_ptrace',` + allow $1 chronyd_t:process ptrace; + ') + init_labeled_script_domtrans($1, chronyd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 chronyd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if --- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-10-05 14:34:03.410103459 -0400 +++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-10-05 14:34:03.792103865 -0400 @@ -176,13 +176,19 @@ interface(`clamav_admin',` type freshclam_t, freshclam_var_log_t; ') - allow $1 clamd_t:process { ptrace signal_perms }; + allow $1 clamd_t:process signal_perms; ps_process_pattern($1, clamd_t) - allow $1 clamscan_t:process { ptrace signal_perms }; + tunable_policy(`allow_ptrace',` + allow $1 clamd_t:process ptrace; + allow $1 clamscan_t:process ptrace; + allow $1 freshclam_t:process ptrace; + ') + + allow $1 clamscan_t:process signal_perms; ps_process_pattern($1, clamscan_t) - allow $1 freshclam_t:process { ptrace signal_perms }; + allow $1 freshclam_t:process signal_perms; ps_process_pattern($1, freshclam_t) init_labeled_script_domtrans($1, clamd_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if --- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-10-05 14:34:03.413103463 -0400 +++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-10-05 14:34:03.792103865 -0400 @@ -101,9 +101,13 @@ interface(`cmirrord_admin',` type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; ') - allow $1 cmirrord_t:process { ptrace signal_perms }; + allow $1 cmirrord_t:process signal_perms; ps_process_pattern($1, cmirrord_t) + tunable_policy(`allow_ptrace',` + allow $1 cmorrord_t:process ptrace; + ') + cmirrord_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if --- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-10-05 14:34:03.414103464 -0400 +++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-10-05 14:34:03.793103866 -0400 @@ -189,9 +189,13 @@ interface(`cobblerd_admin',` type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t; ') - allow $1 cobblerd_t:process { ptrace signal_perms }; + allow $1 cobblerd_t:process signal_perms; ps_process_pattern($1, cobblerd_t) + tunable_policy(`allow_ptrace',` + allow $1 cobblerd_t:process ptrace; + ') + files_list_etc($1) admin_pattern($1, cobbler_etc_t) diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if --- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-10-05 14:34:03.416103466 -0400 +++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-10-05 14:34:03.794103867 -0400 @@ -142,9 +142,13 @@ interface(`collectd_admin',` type collectd_var_lib_t; ') - allow $1 collectd_t:process { ptrace signal_perms }; + allow $1 collectd_t:process signal_perms; ps_process_pattern($1, collectd_t) + tunable_policy(`allow_ptrace',` + allow $1 collectd_t:process ptrace; + ') + collectd_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 collectd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te --- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-10-05 14:34:03.418103468 -0400 +++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-10-05 14:34:03.794103867 -0400 @@ -23,7 +23,12 @@ files_tmpfs_file(consolekit_tmpfs_t) # consolekit local policy # -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice }; + +tunable_policy(`allow_ptrace',` + allow consolekit_t self:capability sys_ptrace; +') + allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; @@ -144,6 +149,8 @@ optional_policy(` optional_policy(` #reading .Xauthity - unconfined_ptrace(consolekit_t) + tunable_policy(`allow_ptrace',` + unconfined_ptrace(consolekit_t) + ') unconfined_stream_connect(consolekit_t) ') diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if --- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-10-05 14:34:03.419103469 -0400 +++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-10-05 14:34:03.795103868 -0400 @@ -101,9 +101,13 @@ interface(`corosyncd_admin',` type corosync_initrc_exec_t; ') - allow $1 corosync_t:process { ptrace signal_perms }; + allow $1 corosync_t:process signal_perms; ps_process_pattern($1, corosync_t) + tunable_policy(`allow_ptrace',` + allow $1 corosync_t:process ptrace; + ') + init_labeled_script_domtrans($1, corosync_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te --- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-10-05 14:34:03.419103469 -0400 +++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-10-05 14:34:03.795103868 -0400 @@ -32,9 +32,13 @@ files_pid_file(corosync_var_run_t) # corosync local policy # -allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock }; +allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock }; allow corosync_t self:process { setpgid setrlimit setsched signal signull }; +tunable_policy(`allow_ptrace',` + allow corosync_t self:capability sys_ptrace; +') + allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if --- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-10-05 14:34:03.423103473 -0400 +++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-10-05 14:34:03.796103869 -0400 @@ -140,7 +140,11 @@ interface(`cron_role',` # crontab shows up in user ps ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process { ptrace signal_perms }; + allow $2 crontab_t:process signal_perms; + + tunable_policy(`allow_ptrace',` + allow $2 crontab_t:process ptrace; + ') # Run helper programs as the user domain #corecmd_bin_domtrans(crontab_t, $2) @@ -183,7 +187,10 @@ interface(`cron_unconfined_role',` # cronjob shows up in user ps ps_process_pattern($2, unconfined_cronjob_t) - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; + allow $2 unconfined_cronjob_t:process signal_perms; + tunable_policy(`allow_ptrace',` + allow $2 unconfined_cronjob_t:process ptrace; + ') optional_policy(` gen_require(` @@ -230,7 +237,10 @@ interface(`cron_admin_role',` # crontab shows up in user ps ps_process_pattern($2, admin_crontab_t) - allow $2 admin_crontab_t:process { ptrace signal_perms }; + allow $2 admin_crontab_t:process signal_perms; + tunable_policy(`allow_ptrace',` + allow $2 admin_crontab_t:process ptrace; + ') # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if --- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-10-05 14:34:03.424103474 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-10-05 14:34:03.797103870 -0400 @@ -236,8 +236,11 @@ interface(`ctdbd_admin',` type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; ') - allow $1 ctdbd_t:process { ptrace signal_perms }; + allow $1 ctdbd_t:process signal_perms; ps_process_pattern($1, ctdbd_t) + tunable_policy(`allow_ptrace',` + allow $1 ctdbd_t:process ptrace; + ') ctdbd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te --- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-10-05 14:34:03.425103475 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-10-05 14:34:03.797103870 -0400 @@ -33,9 +33,13 @@ files_pid_file(ctdbd_var_run_t) # ctdbd local policy # -allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace }; +allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; allow ctdbd_t self:process { setpgid signal_perms setsched }; +tunable_policy(`allow_ptrace',` + allow ctdbd_t self:capability sys_ptrace; +') + allow ctdbd_t self:fifo_file rw_fifo_file_perms; allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if --- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-10-05 14:34:03.426103476 -0400 +++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-10-05 14:34:03.798103871 -0400 @@ -327,9 +327,13 @@ interface(`cups_admin',` type ptal_var_run_t; ') - allow $1 cupsd_t:process { ptrace signal_perms }; + allow $1 cupsd_t:process signal_perms; ps_process_pattern($1, cupsd_t) + tunable_policy(`allow_ptrace',` + allow $1 cupsd_t:process ptrace; + ') + init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cupsd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if --- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-10-05 14:34:03.427103477 -0400 +++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-10-05 14:34:03.798103871 -0400 @@ -80,9 +80,13 @@ interface(`cvs_admin',` type cvs_data_t, cvs_var_run_t; ') - allow $1 cvs_t:process { ptrace signal_perms }; + allow $1 cvs_t:process signal_perms; ps_process_pattern($1, cvs_t) + tunable_policy(`allow_ptrace',` + allow $1 cvs_t:process ptrace; + ') + # Allow cvs_t to restart the apache service init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if --- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-10-05 14:34:03.799103872 -0400 @@ -62,9 +62,13 @@ interface(`cyrus_admin',` type cyrus_var_run_t, cyrus_initrc_exec_t; ') - allow $1 cyrus_t:process { ptrace signal_perms }; + allow $1 cyrus_t:process signal_perms; ps_process_pattern($1, cyrus_t) + tunable_policy(`allow_ptrace',` + allow $1 cyrus_t:process ptrace; + ') + init_labeled_script_domtrans($1, cyrus_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if --- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-10-05 14:34:03.431103482 -0400 +++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-10-05 14:34:03.800103874 -0400 @@ -71,7 +71,11 @@ template(`dbus_role_template',` domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) ps_process_pattern($3, $1_dbusd_t) - allow $3 $1_dbusd_t:process { ptrace signal_perms }; + allow $3 $1_dbusd_t:process signal_perms; + + tunable_policy(`allow_ptrace',` + allow $3 $1_dbusd_t:process ptrace; + ') # cjp: this seems very broken corecmd_bin_domtrans($1_dbusd_t, $1_t) diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if --- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-10-05 14:34:03.433103484 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-10-05 14:34:03.800103874 -0400 @@ -68,9 +68,13 @@ interface(`ddclient_admin',` type ddclient_var_run_t; ') - allow $1 ddclient_t:process { ptrace signal_perms }; + allow $1 ddclient_t:process signal_perms; ps_process_pattern($1, ddclient_t) + tunable_policy(`allow_ptrace',` + allow $1 ddclient_t:process ptrace; + ') + init_labeled_script_domtrans($1, ddclient_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if --- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-10-05 14:34:03.434103485 -0400 +++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-10-05 14:34:03.801103875 -0400 @@ -67,9 +67,13 @@ interface(`denyhosts_admin',` type denyhosts_var_log_t, denyhosts_initrc_exec_t; ') - allow $1 denyhosts_t:process { ptrace signal_perms }; + allow $1 denyhosts_t:process signal_perms; ps_process_pattern($1, denyhosts_t) + tunable_policy(`allow_ptrace',` + allow $1 denyhosts_t:process ptrace; + ') + denyhosts_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 denyhosts_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if --- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-10-05 14:34:03.436103487 -0400 +++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-10-05 14:34:03.802103876 -0400 @@ -308,13 +308,18 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') - allow $1 devicekit_t:process { ptrace signal_perms }; + allow $1 devicekit_t:process signal_perms; ps_process_pattern($1, devicekit_t) + tunable_policy(`allow_ptrace',` + allow $1 devicekit_t:process ptrace; + allow $1 devicekit_disk_t:process ptrace; + allow $1 devicekit_power_t:process ptrace; + ') - allow $1 devicekit_disk_t:process { ptrace signal_perms }; + allow $1 devicekit_disk_t:process signal_perms; ps_process_pattern($1, devicekit_disk_t) - allow $1 devicekit_power_t:process { ptrace signal_perms }; + allow $1 devicekit_power_t:process signal_perms; ps_process_pattern($1, devicekit_power_t) admin_pattern($1, devicekit_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te --- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-10-05 14:34:03.437103488 -0400 +++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-10-05 14:34:03.802103876 -0400 @@ -65,7 +65,10 @@ optional_policy(` # DeviceKit disk local policy # -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio }; +tunable_policy(`allow_ptrace',` + allow devicekit_disk_t self:capability sys_ptrace; +') allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -199,7 +202,10 @@ optional_policy(` # DeviceKit-Power local policy # -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; +tunable_policy(`allow_ptrace',` + allow devicekit_power_t self:capability sys_ptrace; +') allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if --- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-10-05 14:34:03.438103489 -0400 +++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-10-05 14:34:03.803103877 -0400 @@ -105,8 +105,11 @@ interface(`dhcpd_admin',` type dhcpd_var_run_t, dhcpd_initrc_exec_t; ') - allow $1 dhcpd_t:process { ptrace signal_perms }; + allow $1 dhcpd_t:process signal_perms; ps_process_pattern($1, dhcpd_t) + tunable_policy(`allow_ptrace',` + allow $1 dhcpd_t:process ptrace; + ') init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if --- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-10-05 14:34:03.803103877 -0400 @@ -38,8 +38,11 @@ interface(`dictd_admin',` type dictd_var_run_t, dictd_initrc_exec_t; ') - allow $1 dictd_t:process { ptrace signal_perms }; + allow $1 dictd_t:process signal_perms; ps_process_pattern($1, dictd_t) + tunable_policy(`allow_ptrace',` + allow $1 dictd_t:process ptrace; + ') init_labeled_script_domtrans($1, dictd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if --- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-10-05 14:34:03.443103494 -0400 +++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-10-05 14:34:03.804103878 -0400 @@ -282,8 +282,11 @@ interface(`dnsmasq_admin',` type dnsmasq_initrc_exec_t; ') - allow $1 dnsmasq_t:process { ptrace signal_perms }; + allow $1 dnsmasq_t:process signal_perms; ps_process_pattern($1, dnsmasq_t) + tunable_policy(`allow_ptrace',` + allow $1 dnsmasq_t:process ptrace; + ') init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if --- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-10-05 14:34:03.445103496 -0400 +++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-10-05 14:34:03.805103879 -0400 @@ -119,8 +119,11 @@ interface(`dovecot_admin',` type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; ') - allow $1 dovecot_t:process { ptrace signal_perms }; + allow $1 dovecot_t:process signal_perms; ps_process_pattern($1, dovecot_t) + tunable_policy(`allow_ptrace',` + allow $1 dovecot_t:process ptrace; + ') init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if --- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-10-05 14:34:03.446103498 -0400 +++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-10-05 14:34:03.806103880 -0400 @@ -120,8 +120,11 @@ interface(`drbd_admin',` type drbd_var_lib_t; ') - allow $1 drbd_t:process { ptrace signal_perms }; + allow $1 drbd_t:process signal_perms; ps_process_pattern($1, drbd_t) + tunable_policy(`allow_ptrace',` + allow $1 drbd_t:process ptrace; + ') files_search_var_lib($1) admin_pattern($1, drbd_var_lib_t) diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if --- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-10-05 14:34:03.447103499 -0400 +++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-10-05 14:34:03.806103880 -0400 @@ -244,8 +244,11 @@ interface(`dspam_admin',` type dspam_var_run_t; ') - allow $1 dspam_t:process { ptrace signal_perms }; + allow $1 dspam_t:process signal_perms; ps_process_pattern($1, dspam_t) + tunable_policy(`allow_ptrace',` + allow $1 dspam_t:process ptrace; + ') dspam_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if --- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-10-05 14:34:03.449103501 -0400 +++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-10-05 14:34:03.807103881 -0400 @@ -260,8 +260,11 @@ interface(`exim_admin',` type exim_tmp_t, exim_spool_t, exim_var_run_t; ') - allow $1 exim_t:process { ptrace signal_perms }; + allow $1 exim_t:process signal_perms; ps_process_pattern($1, exim_t) + tunable_policy(`allow_ptrace',` + allow $1 exim_t:process ptrace; + ') exim_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if --- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-10-05 14:34:03.450103502 -0400 +++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-10-05 14:34:03.807103881 -0400 @@ -199,8 +199,11 @@ interface(`fail2ban_admin',` type fail2ban_client_t; ') - allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; + allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) + tunable_policy(`allow_ptrace',` + allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; + ') init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if --- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-10-05 14:34:03.452103504 -0400 +++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-10-05 14:34:03.808103882 -0400 @@ -81,8 +81,11 @@ interface(`fcoemon_admin',` type fcoemon_var_run_t; ') - allow $1 fcoemon_t:process { ptrace signal_perms }; + allow $1 fcoemon_t:process signal_perms; ps_process_pattern($1, fcoemon_t) + tunable_policy(`allow_ptrace',` + allow $1 fcoemon_t:process ptrace; + ') files_search_pids($1) admin_pattern($1, fcoemon_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if --- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-10-05 14:34:03.453103505 -0400 +++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-10-05 14:34:03.809103883 -0400 @@ -18,8 +18,11 @@ interface(`fetchmail_admin',` type fetchmail_var_run_t; ') - allow $1 fetchmail_t:process { ptrace signal_perms }; + allow $1 fetchmail_t:process signal_perms; ps_process_pattern($1, fetchmail_t) + tunable_policy(`allow_ptrace',` + allow $1 fetchmail_t:process ptrace; + ') files_list_etc($1) admin_pattern($1, fetchmail_etc_t) diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if --- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-10-05 14:34:03.454103506 -0400 +++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-10-05 14:34:03.809103883 -0400 @@ -62,8 +62,11 @@ interface(`firewalld_admin',` type firewalld_initrc_exec_t; ') - allow $1 firewalld_t:process { ptrace signal_perms }; + allow $1 firewalld_t:process signal_perms; ps_process_pattern($1, firewalld_t) + tunable_policy(`allow_ptrace',` + allow $1 firewalld_t:process ptrace; + ') firewalld_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te --- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-10-05 14:34:03.456103508 -0400 +++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-10-05 14:34:03.810103884 -0400 @@ -17,7 +17,11 @@ files_type(fprintd_var_lib_t) # Local policy # -allow fprintd_t self:capability { sys_nice sys_ptrace }; +allow fprintd_t self:capability sys_nice; +tunable_policy(`allow_ptrace',` + allow fprintd_t self:capability sys_ptrace; +') + allow fprintd_t self:fifo_file rw_fifo_file_perms; allow fprintd_t self:process { getsched setsched signal }; diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if --- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-10-05 14:34:03.457103509 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-10-05 14:34:03.810103884 -0400 @@ -238,8 +238,11 @@ interface(`ftp_admin',` type ftpd_initrc_exec_t; ') - allow $1 ftpd_t:process { ptrace signal_perms }; + allow $1 ftpd_t:process signal_perms; ps_process_pattern($1, ftpd_t) + tunable_policy(`allow_ptrace',` + allow $1 ftpd_t:process ptrace; + ') init_labeled_script_domtrans($1, ftpd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if --- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-10-05 14:34:03.459103511 -0400 +++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-10-05 14:34:03.811103885 -0400 @@ -42,8 +42,11 @@ interface(`git_session_role',` domtrans_pattern($2, gitd_exec_t, git_session_t) - allow $2 git_session_t:process { ptrace signal_perms }; + allow $2 git_session_t:process signal_perms; ps_process_pattern($2, git_session_t) + tunable_policy(`allow_ptrace',` + allow $2 git_session_t:process ptrace; + ') ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if --- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-10-05 14:34:03.461103513 -0400 +++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-10-05 14:34:03.811103885 -0400 @@ -245,10 +245,14 @@ interface(`glance_admin',` type glance_api_initrc_exec_t; ') - allow $1 glance_registry_t:process { ptrace signal_perms }; + allow $1 glance_registry_t:process signal_perms; ps_process_pattern($1, glance_registry_t) + tunable_policy(`allow_ptrace',` + allow $1 glance_registry_t:process ptrace; + allow $1 glance_api_t:process ptrace; + ') - allow $1 glance_api_t:process { ptrace signal_perms }; + allow $1 glance_api_t:process signal_perms; ps_process_pattern($1, glance_api_t) init_labeled_script_domtrans($1, glance_registry_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te --- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-10-05 14:34:03.463103516 -0400 +++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-10-05 14:34:03.812103886 -0400 @@ -16,7 +16,10 @@ systemd_systemctl_domain(gnomeclock) # gnomeclock local policy # -allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; +allow gnomeclock_t self:capability { sys_nice sys_time }; +tunable_policy(`allow_ptrace',` + allow gnomeclock_t self:capability sys_ptrace; +') allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if --- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-10-05 14:34:03.711103779 -0400 +++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-10-05 14:34:03.813103887 -0400 @@ -222,14 +222,21 @@ interface(`hadoop_role',` hadoop_domtrans($2) role $1 types hadoop_t; - allow $2 hadoop_t:process { ptrace signal_perms }; + allow $2 hadoop_t:process signal_perms; ps_process_pattern($2, hadoop_t) + tunable_policy(`allow_ptrace',` + allow $2 hadoop_t:process ptrace; + ') hadoop_domtrans_zookeeper_client($2) role $1 types zookeeper_t; - allow $2 zookeeper_t:process { ptrace signal_perms }; + allow $2 zookeeper_t:process signal_perms; ps_process_pattern($2, zookeeper_t) + tunable_policy(`allow_ptrace',` + allow $2 zookeeper_t:process ptrace; + ') + ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if --- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-10-05 14:34:03.466103519 -0400 +++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-10-05 14:34:03.814103888 -0400 @@ -70,7 +70,9 @@ interface(`hal_ptrace',` type hald_t; ') - allow $1 hald_t:process ptrace; + tunable_policy(`allow_ptrace',` + allow $1 hald_t:process ptrace; + ') ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if --- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-10-05 14:34:03.467103520 -0400 +++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-10-05 14:34:03.814103888 -0400 @@ -60,8 +60,11 @@ interface(`hddtemp_admin',` type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; ') - allow $1 hddtemp_t:process { ptrace signal_perms }; + allow $1 hddtemp_t:process signal_perms; ps_process_pattern($1, hddtemp_t) + tunable_policy(`allow_ptrace',` + allow $1 hddtemp_t:process ptrace; + ') init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if --- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-10-05 14:34:03.469103522 -0400 +++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-10-05 14:34:03.815103889 -0400 @@ -173,8 +173,11 @@ interface(`icecast_admin',` type icecast_t, icecast_initrc_exec_t; ') - allow $1 icecast_t:process { ptrace signal_perms }; + allow $1 icecast_t:process signal_perms; ps_process_pattern($1, icecast_t) + tunable_policy(`allow_ptrace',` + allow $1 icecast_t:process ptrace; + ') # Allow icecast_t to restart the apache service icecast_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if --- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-10-05 14:34:03.470103523 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-10-05 14:34:03.815103889 -0400 @@ -117,7 +117,7 @@ interface(`ifplugd_admin',` type ifplugd_initrc_exec_t; ') - allow $1 ifplugd_t:process { ptrace signal_perms }; + allow $1 ifplugd_t:process signal_perms; ps_process_pattern($1, ifplugd_t) init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if --- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-10-05 14:34:03.472103525 -0400 +++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-10-05 14:34:03.816103890 -0400 @@ -202,8 +202,11 @@ interface(`inn_admin',` type innd_initrc_exec_t; ') - allow $1 innd_t:process { ptrace signal_perms }; + allow $1 innd_t:process signal_perms; ps_process_pattern($1, innd_t) + tunable_policy(`allow_ptrace',` + allow $1 innd_t:process ptrace; + ') init_labeled_script_domtrans($1, innd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if --- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-10-05 14:34:03.474103527 -0400 +++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-10-05 14:34:03.816103890 -0400 @@ -143,10 +143,14 @@ interface(`jabber_admin',` type jabberd_initrc_exec_t, jabberd_router_t; ') - allow $1 jabberd_t:process { ptrace signal_perms }; + allow $1 jabberd_t:process signal_perms; ps_process_pattern($1, jabberd_t) + tunable_policy(`allow_ptrace',` + allow $1 jabberd_t:process ptrace; + allow $1 jabberd_router_t:process ptrace; + ') - allow $1 jabberd_router_t:process { ptrace signal_perms }; + allow $1 jabberd_router_t:process signal_perms; ps_process_pattern($1, jabberd_router_t) init_labeled_script_domtrans($1, jabberd_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if --- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-10-05 14:34:03.476103529 -0400 +++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-10-05 14:34:03.817103892 -0400 @@ -340,13 +340,18 @@ interface(`kerberos_admin',` type krb5kdc_var_run_t, krb5_host_rcache_t; ') - allow $1 kadmind_t:process { ptrace signal_perms }; + allow $1 kadmind_t:process signal_perms; ps_process_pattern($1, kadmind_t) + tunable_policy(`allow_ptrace',` + allow $1 kadmind_t:process ptrace; + allow $1 krb5kdc_t:process ptrace; + allow $1 kpropd_t:process ptrace; + ') - allow $1 krb5kdc_t:process { ptrace signal_perms }; + allow $1 krb5kdc_t:process signal_perms; ps_process_pattern($1, krb5kdc_t) - allow $1 kpropd_t:process { ptrace signal_perms }; + allow $1 kpropd_t:process signal_perms; ps_process_pattern($1, kpropd_t) init_labeled_script_domtrans($1, kerberos_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if --- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-10-05 14:34:03.477103530 -0400 +++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-10-05 14:34:03.818103893 -0400 @@ -101,8 +101,11 @@ interface(`kerneloops_admin',` type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; ') - allow $1 kerneloops_t:process { ptrace signal_perms }; + allow $1 kerneloops_t:process signal_perms; ps_process_pattern($1, kerneloops_t) + tunable_policy(`allow_ptrace',` + allow $1 kerneloops_t:process ptrace; + ') init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if --- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-10-05 14:34:03.479103533 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-10-05 14:34:03.818103893 -0400 @@ -58,8 +58,11 @@ interface(`ksmtuned_admin',` type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; ') - allow $1 ksmtuned_t:process { ptrace signal_perms }; + allow $1 ksmtuned_t:process signal_perms; ps_process_pattern($1, ksmtuned_t) + tunable_policy(`allow_ptrace',` + allow $1 ksmtuned_t:process ptrace; + ') files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te --- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-10-05 14:34:03.480103534 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-10-05 14:34:03.819103894 -0400 @@ -23,7 +23,11 @@ files_pid_file(ksmtuned_var_run_t) # ksmtuned local policy # -allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; +allow ksmtuned_t self:capability sys_tty_config; +tunable_policy(`allow_ptrace',` + allow ksmtuned_t self:capability sys_ptrace; +') + allow ksmtuned_t self:fifo_file rw_file_perms; manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if --- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-10-05 14:34:03.481103535 -0400 +++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-10-05 14:34:03.819103894 -0400 @@ -101,8 +101,11 @@ interface(`l2tpd_admin',` type l2tpd_var_run_t; ') - allow $1 l2tpd_t:process { ptrace signal_perms }; + allow $1 l2tpd_t:process signal_perms; ps_process_pattern($1, l2tpd_t) + tunable_policy(`allow_ptrace',` + allow $1 l2tpd_t:process ptrace; + ') l2tpd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if --- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-10-05 14:34:03.482103536 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-10-05 14:34:03.820103895 -0400 @@ -175,8 +175,11 @@ interface(`ldap_admin',` type slapd_initrc_exec_t; ') - allow $1 slapd_t:process { ptrace signal_perms }; + allow $1 slapd_t:process signal_perms; ps_process_pattern($1, slapd_t) + tunable_policy(`allow_ptrace',` + allow $1 slapd_t:process ptrace; + ') init_labeled_script_domtrans($1, slapd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if --- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-10-05 14:34:03.821103896 -0400 @@ -80,8 +80,11 @@ interface(`lircd_admin',` type lircd_initrc_exec_t, lircd_etc_t; ') - allow $1 lircd_t:process { ptrace signal_perms }; + allow $1 lircd_t:process signal_perms; ps_process_pattern($1, lircd_t) + tunable_policy(`allow_ptrace',` + allow $1 lircd_t:process ptrace; + ') init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if --- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-10-05 14:34:03.486103540 -0400 +++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-10-05 14:34:03.821103896 -0400 @@ -180,8 +180,11 @@ interface(`lldpad_admin',` type lldpad_var_run_t; ') - allow $1 lldpad_t:process { ptrace signal_perms }; + allow $1 lldpad_t:process signal_perms; ps_process_pattern($1, lldpad_t) + tunable_policy(`allow_ptrace',` + allow $1 lldpad_t:process ptrace; + ') lldpad_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if --- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-10-05 14:34:03.487103541 -0400 +++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-10-05 14:34:03.822103897 -0400 @@ -28,7 +28,10 @@ interface(`lpd_role',` dontaudit lpr_t $2:unix_stream_socket { read write }; ps_process_pattern($2, lpr_t) - allow $2 lpr_t:process { ptrace signal_perms }; + allow $2 lpr_t:process signal_perms; + tunable_policy(`allow_ptrace',` + allow $2 lpr_t:process ptrace; + ') optional_policy(` cups_read_config($2) diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if --- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-10-05 14:34:03.490103544 -0400 +++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-10-05 14:34:03.823103898 -0400 @@ -47,8 +47,11 @@ interface(`mailscanner_admin',` role_transition $2 mscan_initrc_exec_t system_r; allow $2 system_r; - allow $1 mscan_t:process { ptrace signal_perms }; + allow $1 mscan_t:process signal_perms; ps_process_pattern($1, mscan_t) + tunable_policy(`allow_ptrace',` + allow $1 mscan_t:process ptrace; + ') admin_pattern($1, mscan_etc_t) files_list_etc($1) diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.if --- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace 2011-10-05 14:34:03.491103545 -0400 +++ serefpolicy-3.10.0/policy/modules/services/matahari.if 2011-10-05 14:34:03.823103898 -0400 @@ -229,13 +229,18 @@ interface(`matahari_admin',` role_transition $2 matahari_initrc_exec_t system_r; allow $2 system_r; - allow $1 matahari_netd_t:process { ptrace signal_perms }; + allow $1 matahari_netd_t:process signal_perms; ps_process_pattern($1, matahari_netd_t) + tunable_policy(`allow_ptrace',` + allow $1 matahari_netd_t:process ptrace; + allow $1 matahari_hostd_t:process ptrace; + allow $1 matahari_serviced_t:process ptrace; + ') - allow $1 matahari_hostd_t:process { ptrace signal_perms }; + allow $1 matahari_hostd_t:process signal_perms; ps_process_pattern($1, matahari_hostd_t) - allow $1 matahari_serviced_t:process { ptrace signal_perms }; + allow $1 matahari_serviced_t:process signal_perms; ps_process_pattern($1, matahari_serviced_t) files_search_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te --- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-10-05 14:34:03.491103545 -0400 +++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-10-05 14:34:03.824103899 -0400 @@ -24,8 +24,9 @@ files_pid_file(matahari_var_run_t) # # matahari_hostd local policy # - -allow matahari_hostd_t self:capability sys_ptrace; +tunable_policy(`allow_ptrace',` + allow matahari_hostd_t self:capability sys_ptrace; +') kernel_read_network_state(matahari_hostd_t) diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if --- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-10-05 14:34:03.493103547 -0400 +++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-10-05 14:34:03.824103899 -0400 @@ -59,8 +59,11 @@ interface(`memcached_admin',` type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; ') - allow $1 memcached_t:process { ptrace signal_perms }; + allow $1 memcached_t:process signal_perms; ps_process_pattern($1, memcached_t) + tunable_policy(`allow_ptrace',` + allow $1 memcached_t:process ptrace; + ') init_labeled_script_domtrans($1, memcached_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if --- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-10-05 14:34:03.495103550 -0400 +++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-10-05 14:34:03.825103900 -0400 @@ -245,7 +245,10 @@ interface(`mock_role',` mock_run($2, $1) ps_process_pattern($2, mock_t) - allow $2 mock_t:process { ptrace signal_perms }; + allow $2 mock_t:process signal_perms; + tunable_policy(`allow_ptrace',` + allow $2 mock_t:process ptrace; + ') ') ####################################### @@ -289,10 +292,14 @@ interface(`mock_admin',` type mock_build_t, mock_etc_t, mock_tmp_t; ') - allow $1 mock_t:process { ptrace signal_perms }; + allow $1 mock_t:process signal_perms; ps_process_pattern($1, mock_t) + tunable_policy(`allow_ptrace',` + allow $1 mock_t:process ptrace; + allow $1 mock_build_t:process ptrace; + ') - allow $1 mock_build_t:process { ptrace signal_perms }; + allow $1 mock_build_t:process signal_perms; ps_process_pattern($1, mock_build_t) files_list_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te --- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-10-05 14:34:03.496103551 -0400 +++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-10-05 14:34:03.825103900 -0400 @@ -41,7 +41,7 @@ files_config_file(mock_etc_t) # mock local policy # -allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; # Needed because mock can run java and mono withing build environment allow mock_t self:process { execmem execstack }; @@ -164,7 +164,7 @@ optional_policy(` # # mock_build local policy # -allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; +allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; dontaudit mock_build_t self:capability audit_write; allow mock_build_t self:process { fork setsched setpgid signal_perms }; allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if --- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-10-05 14:34:03.497103552 -0400 +++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-10-05 14:34:03.826103901 -0400 @@ -24,8 +24,11 @@ interface(`mojomojo_admin',` type httpd_mojomojo_script_exec_t; ') - allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; + allow $1 httpd_mojomojo_script_t:process signal_perms; ps_process_pattern($1, httpd_mojomojo_script_t) + tunable_policy(`allow_ptrace',` + allow $1 httpd_mojomo_script_t:process ptrace; + ') files_list_tmp($1) admin_pattern($1, httpd_mojomojo_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if --- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-10-05 14:34:03.827103902 -0400 @@ -244,8 +244,11 @@ interface(`mpd_admin',` type mpd_tmpfs_t; ') - allow $1 mpd_t:process { ptrace signal_perms }; + allow $1 mpd_t:process signal_perms; ps_process_pattern($1, mpd_t) + tunable_policy(`allow_ptrace',` + allow $1 mpd_t:process ptrace; + ') mpd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if --- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-10-05 14:34:03.502103557 -0400 +++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-10-05 14:34:03.827103902 -0400 @@ -183,8 +183,11 @@ interface(`munin_admin',` type httpd_munin_content_t, munin_initrc_exec_t; ') - allow $1 munin_t:process { ptrace signal_perms }; + allow $1 munin_t:process signal_perms; ps_process_pattern($1, munin_t) + tunable_policy(`allow_ptrace',` + allow $1 munin_t:process ptrace; + ') init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if --- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-10-05 14:34:03.503103558 -0400 +++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-10-05 14:34:03.828103903 -0400 @@ -389,8 +389,11 @@ interface(`mysql_admin',` type mysqld_etc_t; ') - allow $1 mysqld_t:process { ptrace signal_perms }; + allow $1 mysqld_t:process signal_perms; ps_process_pattern($1, mysqld_t) + tunable_policy(`allow_ptrace',` + allow $1 mysqld_t:process ptrace; + ') init_labeled_script_domtrans($1, mysqld_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if --- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-10-05 14:34:03.505103560 -0400 +++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-10-05 14:34:03.829103904 -0400 @@ -225,8 +225,11 @@ interface(`nagios_admin',` type nagios_etc_t, nrpe_etc_t, nagios_spool_t; ') - allow $1 nagios_t:process { ptrace signal_perms }; + allow $1 nagios_t:process signal_perms; ps_process_pattern($1, nagios_t) + tunable_policy(`allow_ptrace',` + allow $1 nagios_t:process ptrace; + ') init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te --- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-10-05 14:34:03.507103562 -0400 +++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-10-05 14:34:03.830103905 -0400 @@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; ifdef(`hide_broken_symptoms',` # caused by some bogus kernel code dontaudit NetworkManager_t self:capability sys_module; ') -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms }; +tunable_policy(`allow_ptrace',` + allow NetworkManager_t self:process ptrace; +') + allow NetworkManager_t self:fifo_file rw_fifo_file_perms; allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if --- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-10-05 14:34:03.509103564 -0400 +++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-10-05 14:34:03.830103905 -0400 @@ -392,16 +392,22 @@ interface(`nis_admin',` type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; ') - allow $1 ypbind_t:process { ptrace signal_perms }; + allow $1 ypbind_t:process signal_perms; ps_process_pattern($1, ypbind_t) + tunable_policy(`allow_ptrace',` + allow $1 ypbind_t:process ptrace; + allow $1 yppasswdd_t:process ptrace; + allow $1 ypserv_t:process ptrace; + allow $1 ypxfr_t:process ptrace; + ') - allow $1 yppasswdd_t:process { ptrace signal_perms }; + allow $1 yppasswdd_t:process signal_perms; ps_process_pattern($1, yppasswdd_t) - allow $1 ypserv_t:process { ptrace signal_perms }; + allow $1 ypserv_t:process signal_perms; ps_process_pattern($1, ypserv_t) - allow $1 ypxfr_t:process { ptrace signal_perms }; + allow $1 ypxfr_t:process signal_perms; ps_process_pattern($1, ypxfr_t) nis_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if --- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-10-05 14:34:03.510103566 -0400 +++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-10-05 14:34:03.831103906 -0400 @@ -322,8 +322,11 @@ interface(`nscd_admin',` type nscd_initrc_exec_t; ') - allow $1 nscd_t:process { ptrace signal_perms }; + allow $1 nscd_t:process signal_perms; ps_process_pattern($1, nscd_t) + tunable_policy(`allow_ptrace',` + allow $1 nscd_t:process ptrace; + ') init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te --- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-10-05 14:34:03.511103567 -0400 +++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-10-05 14:34:03.831103906 -0400 @@ -40,7 +40,11 @@ logging_log_file(nscd_log_t) # Local policy # -allow nscd_t self:capability { kill setgid setuid sys_ptrace }; +allow nscd_t self:capability { kill setgid setuid }; +tunable_policy(`allow_ptrace',` + allow nscd_t self:capability sys_ptrace; +') + dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if --- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-10-05 14:34:03.511103567 -0400 +++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-10-05 14:34:03.832103907 -0400 @@ -98,7 +98,10 @@ interface(`nslcd_admin',` ') ps_process_pattern($1, nslcd_t) - allow $1 nslcd_t:process { ptrace signal_perms }; + allow $1 nslcd_t:process signal_perms; + tunable_policy(`allow_ptrace',` + allow $1 nslcd_t:process ptrace; + ') # Allow nslcd_t to restart the apache service nslcd_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if --- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-10-05 14:34:03.513103569 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-10-05 14:34:03.832103907 -0400 @@ -205,8 +205,11 @@ interface(`ntp_admin',` type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; ') - allow $1 ntpd_t:process { ptrace signal_perms }; + allow $1 ntpd_t:process signal_perms; ps_process_pattern($1, ntpd_t) + tunable_policy(`allow_ptrace',` + allow $1 ntpd_t:process ptrace; + ') init_labeled_script_domtrans($1, ntpd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if --- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-10-05 14:34:03.518103574 -0400 +++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-10-05 14:34:03.833103909 -0400 @@ -89,8 +89,11 @@ interface(`oident_admin',` type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; ') - allow $1 oidentd_t:process { ptrace signal_perms }; + allow $1 oidentd_t:process signal_perms; ps_process_pattern($1, oidentd_t) + tunable_policy(`allow_ptrace',` + allow $1 oidentd_t:process ptrace; + ') init_labeled_script_domtrans($1, oidentd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if --- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-10-05 14:34:03.834103910 -0400 @@ -144,8 +144,11 @@ interface(`openvpn_admin',` type openvpn_var_run_t, openvpn_initrc_exec_t; ') - allow $1 openvpn_t:process { ptrace signal_perms }; + allow $1 openvpn_t:process signal_perms; ps_process_pattern($1, openvpn_t) + tunable_policy(`allow_ptrace',` + allow $1 openvpn_t:process ptrace; + ') init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if --- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-10-05 14:34:03.521103577 -0400 +++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-10-05 14:34:03.834103910 -0400 @@ -31,8 +31,11 @@ interface(`pads_admin',` type pads_var_run_t; ') - allow $1 pads_t:process { ptrace signal_perms }; + allow $1 pads_t:process signal_perms; ps_process_pattern($1, pads_t) + tunable_policy(`allow_ptrace',` + allow $1 pads_t:process ptrace; + ') init_labeled_script_domtrans($1, pads_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if --- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-10-05 14:34:03.524103580 -0400 +++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-10-05 14:34:03.835103911 -0400 @@ -80,8 +80,11 @@ interface(`pingd_admin',` type pingd_initrc_exec_t; ') - allow $1 pingd_t:process { ptrace signal_perms }; + allow $1 pingd_t:process signal_perms; ps_process_pattern($1, pingd_t) + tunable_policy(`allow_ptrace',` + allow $1 pingd_t:process ptrace; + ') init_labeled_script_domtrans($1, pingd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te --- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-10-05 14:34:03.526103583 -0400 +++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-10-05 14:34:03.835103911 -0400 @@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t) # allow piranha_web_t self:capability { setuid sys_nice kill setgid }; -allow piranha_web_t self:process { getsched setsched signal signull ptrace }; +allow piranha_web_t self:process { getsched setsched signal signull }; +tunable_policy(`allow_ptrace',` + allow piranha_web_t self:process ptrace; +') + allow piranha_web_t self:rawip_socket create_socket_perms; allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; allow piranha_web_t self:sem create_sem_perms; diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if --- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-10-05 14:34:03.527103584 -0400 +++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-10-05 14:34:03.836103912 -0400 @@ -291,8 +291,11 @@ interface(`plymouthd_admin',` type plymouthd_var_run_t; ') - allow $1 plymouthd_t:process { ptrace signal_perms }; + allow $1 plymouthd_t:process signal_perms; ps_process_pattern($1, plymouthd_t) + tunable_policy(`allow_ptrace',` + allow $1 plymouthd_t:process ptrace; + ') files_list_var_lib($1) admin_pattern($1, plymouthd_spool_t) diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te --- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-10-05 14:34:03.529103586 -0400 +++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-10-05 14:34:03.837103913 -0400 @@ -38,7 +38,11 @@ files_pid_file(policykit_var_run_t) # policykit local policy # -allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; +allow policykit_t self:capability { dac_override dac_read_search setgid setuid }; +tunable_policy(`allow_ptrace',` + allow policykit_t self:capability sys_ptrace; +') + allow policykit_t self:process { getsched getattr signal }; allow policykit_t self:fifo_file rw_fifo_file_perms; allow policykit_t self:unix_dgram_socket create_socket_perms; @@ -233,7 +237,11 @@ optional_policy(` # polkit_resolve local policy # -allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; +allow policykit_resolve_t self:capability { setuid sys_nice }; +tunable_policy(`allow_ptrace',` + allow policykit_resolve_t self:capability sys_ptrace; +') + allow policykit_resolve_t self:process getattr; allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if --- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-10-05 14:34:03.530103587 -0400 +++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-10-05 14:34:03.838103914 -0400 @@ -32,8 +32,11 @@ template(`polipo_role',` # Policy # - allow $2 polipo_session_t:process { ptrace signal_perms }; + allow $2 polipo_session_t:process signal_perms; ps_process_pattern($2, polipo_session_t) + tunable_policy(`allow_ptrace',` + allow $2 polipo_session_t:process ptrace; + ') tunable_policy(`polipo_session_users',` domtrans_pattern($2, polipo_exec_t, polipo_session_t) @@ -163,8 +166,11 @@ interface(`polipo_admin',` type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t; ') - allow $1 polipo_t:process { ptrace signal_perms }; + allow $1 polipo_t:process signal_perms; ps_process_pattern($1, polipo_t) + tunable_policy(`allow_ptrace',` + allow $1 polipo_t:process ptrace; + ') init_labeled_script_domtrans($1, polipo_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if --- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-10-05 14:34:03.838103914 -0400 @@ -104,8 +104,11 @@ interface(`portreserve_admin',` type portreserve_initrc_exec_t; ') - allow $1 portreserve_t:process { ptrace signal_perms }; + allow $1 portreserve_t:process signal_perms; ps_process_pattern($1, portreserve_t) + tunable_policy(`allow_ptrace',` + allow $1 portreserve_t:process ptrace; + ') portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if --- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-10-05 14:34:03.534103591 -0400 +++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-10-05 14:34:03.839103915 -0400 @@ -729,25 +729,36 @@ interface(`postfix_admin',` type postfix_smtpd_t, postfix_var_run_t; ') - allow $1 postfix_bounce_t:process { ptrace signal_perms }; + allow $1 postfix_bounce_t:process signal_perms; ps_process_pattern($1, postfix_bounce_t) + tunable_policy(`allow_ptrace',` + allow $1 postfix_bounce_t:process ptrace; + ') - allow $1 postfix_cleanup_t:process { ptrace signal_perms }; + allow $1 postfix_cleanup_t:process signal_perms; ps_process_pattern($1, postfix_cleanup_t) + tunable_policy(`allow_ptrace',` + allow $1 postfix_cleanup_t:process ptrace; + allow $1 postfix_local_t:process ptrace; + allow $1 postfix_master_t:process ptrace; + allow $1 postfix_pickup_t:process ptrace; + allow $1 postfix_qmgr_t:process ptrace; + allow $1 postfix_smtpd_t:process ptrace; + ') - allow $1 postfix_local_t:process { ptrace signal_perms }; + allow $1 postfix_local_t:process signal_perms; ps_process_pattern($1, postfix_local_t) - allow $1 postfix_master_t:process { ptrace signal_perms }; + allow $1 postfix_master_t:process signal_perms; ps_process_pattern($1, postfix_master_t) - allow $1 postfix_pickup_t:process { ptrace signal_perms }; + allow $1 postfix_pickup_t:process signal_perms; ps_process_pattern($1, postfix_pickup_t) - allow $1 postfix_qmgr_t:process { ptrace signal_perms }; + allow $1 postfix_qmgr_t:process signal_perms; ps_process_pattern($1, postfix_qmgr_t) - allow $1 postfix_smtpd_t:process { ptrace signal_perms }; + allow $1 postfix_smtpd_t:process signal_perms; ps_process_pattern($1, postfix_smtpd_t) postfix_run_map($1, $2) diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if --- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-10-05 14:34:03.535103592 -0400 +++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-10-05 14:34:03.840103916 -0400 @@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',` type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; ') - allow $1 postfix_policyd_t:process { ptrace signal_perms }; + allow $1 postfix_policyd_t:process signal_perms; ps_process_pattern($1, postfix_policyd_t) + tunable_policy(`allow_ptrace',` + allow $1 postfix_policyd_t:process ptrace; + ') init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if --- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-10-05 14:34:03.537103594 -0400 +++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-10-05 14:34:03.840103916 -0400 @@ -541,8 +541,11 @@ interface(`postgresql_admin',` typeattribute $1 sepgsql_admin_type; - allow $1 postgresql_t:process { ptrace signal_perms }; + allow $1 postgresql_t:process signal_perms; ps_process_pattern($1, postgresql_t) + tunable_policy(`allow_ptrace',` + allow $1 postgresql_t:process ptrace; + ') init_labeled_script_domtrans($1, postgresql_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if --- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-10-05 14:34:03.538103595 -0400 +++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-10-05 14:34:03.841103917 -0400 @@ -62,8 +62,11 @@ interface(`postgrey_admin',` type postgrey_var_lib_t, postgrey_var_run_t; ') - allow $1 postgrey_t:process { ptrace signal_perms }; + allow $1 postgrey_t:process signal_perms; ps_process_pattern($1, postgrey_t) + tunable_policy(`allow_ptrace',` + allow $1 postgrey_t:process ptrace; + ') init_labeled_script_domtrans($1, postgrey_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if --- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-10-05 14:34:03.539103596 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-10-05 14:34:03.841103917 -0400 @@ -387,10 +387,14 @@ interface(`ppp_admin',` type pppd_initrc_exec_t, pppd_etc_rw_t; ') - allow $1 pppd_t:process { ptrace signal_perms }; + allow $1 pppd_t:process signal_perms; ps_process_pattern($1, pppd_t) + tunable_policy(`allow_ptrace',` + allow $1 pppd_t:process ptrace; + allow $1 pptp_t:process ptrace; + ') - allow $1 pptp_t:process { ptrace signal_perms }; + allow $1 pptp_t:process signal_perms; ps_process_pattern($1, pptp_t) ppp_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if --- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-10-05 14:34:03.541103598 -0400 +++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-10-05 14:34:03.842103918 -0400 @@ -118,13 +118,18 @@ interface(`prelude_admin',` type prelude_lml_t; ') - allow $1 prelude_t:process { ptrace signal_perms }; + allow $1 prelude_t:process signal_perms; ps_process_pattern($1, prelude_t) + tunable_policy(`allow_ptrace',` + allow $1 prelude_t:process ptrace; + allow $1 prelude_audisp_t:process ptrace; + allow $1 prelude_lml_t:process ptrace; + ') - allow $1 prelude_audisp_t:process { ptrace signal_perms }; + allow $1 prelude_audisp_t:process signal_perms; ps_process_pattern($1, prelude_audisp_t) - allow $1 prelude_lml_t:process { ptrace signal_perms }; + allow $1 prelude_lml_t:process signal_perms; ps_process_pattern($1, prelude_lml_t) init_labeled_script_domtrans($1, prelude_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if --- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-10-05 14:34:03.843103919 -0400 @@ -23,8 +23,11 @@ interface(`privoxy_admin',` type privoxy_etc_rw_t, privoxy_var_run_t; ') - allow $1 privoxy_t:process { ptrace signal_perms }; + allow $1 privoxy_t:process signal_perms; ps_process_pattern($1, privoxy_t) + tunable_policy(`allow_ptrace',` + allow $1 privoxy_t:process ptrace; + ') init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if --- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-10-05 14:34:03.544103602 -0400 +++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-10-05 14:34:03.843103919 -0400 @@ -295,8 +295,11 @@ interface(`psad_admin',` type psad_tmp_t; ') - allow $1 psad_t:process { ptrace signal_perms }; + allow $1 psad_t:process signal_perms; ps_process_pattern($1, psad_t) + tunable_policy(`allow_ptrace',` + allow $1 psad_t:process ptrace; + ') init_labeled_script_domtrans($1, psad_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te --- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-10-05 14:34:03.546103604 -0400 +++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-10-05 14:34:03.844103920 -0400 @@ -62,7 +62,11 @@ files_tmp_file(puppetmaster_tmp_t) # Puppet personal policy # -allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; +tunable_policy(`allow_ptrace',` + allow puppet_t self:capability sys_ptrace; +') + allow puppet_t self:process { signal signull getsched setsched }; allow puppet_t self:fifo_file rw_fifo_file_perms; allow puppet_t self:netlink_route_socket create_netlink_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if --- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-10-05 14:34:03.548103606 -0400 +++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-10-05 14:34:03.845103921 -0400 @@ -29,7 +29,10 @@ interface(`pyzor_role',` # allow ps to show pyzor and allow the user to kill it ps_process_pattern($2, pyzor_t) - allow $2 pyzor_t:process { ptrace signal_perms }; + allow $2 pyzor_t:process signal_perms; + tunable_policy(`allow_ptrace',` + allow $2 pyzor_t:process ptrace; + ') ') ######################################## @@ -113,8 +116,11 @@ interface(`pyzor_admin',` type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; ') - allow $1 pyzord_t:process { ptrace signal_perms }; + allow $1 pyzord_t:process signal_perms; ps_process_pattern($1, pyzord_t) + tunable_policy(`allow_ptrace',` + allow $1 pyzord_t:process ptrace; + ') init_labeled_script_domtrans($1, pyzord_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if --- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-10-05 14:34:03.551103609 -0400 +++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-10-05 14:34:03.845103921 -0400 @@ -177,8 +177,11 @@ interface(`qpidd_admin',` type qpidd_t, qpidd_initrc_exec_t; ') - allow $1 qpidd_t:process { ptrace signal_perms }; + allow $1 qpidd_t:process signal_perms; ps_process_pattern($1, qpidd_t) + tunable_policy(`allow_ptrace',` + allow $1 qpidd_t:process ptrace; + ') # Allow qpidd_t to restart the apache service qpidd_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if --- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-10-05 14:34:03.846103922 -0400 @@ -38,8 +38,11 @@ interface(`radius_admin',` type radiusd_initrc_exec_t; ') - allow $1 radiusd_t:process { ptrace signal_perms }; + allow $1 radiusd_t:process signal_perms; ps_process_pattern($1, radiusd_t) + tunable_policy(`allow_ptrace',` + allow $1 radiusd_t:process ptrace; + ') init_labeled_script_domtrans($1, radiusd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if --- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-10-05 14:34:03.553103611 -0400 +++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-10-05 14:34:03.846103922 -0400 @@ -23,8 +23,11 @@ interface(`radvd_admin',` type radvd_var_run_t; ') - allow $1 radvd_t:process { ptrace signal_perms }; + allow $1 radvd_t:process signal_perms; ps_process_pattern($1, radvd_t) + tunable_policy(`allow_ptrace',` + allow $1 radvd_t:process ptrace; + ') init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if --- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-10-05 14:34:03.554103612 -0400 +++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-10-05 14:34:03.847103923 -0400 @@ -132,7 +132,10 @@ interface(`razor_role',` # allow ps to show razor and allow the user to kill it ps_process_pattern($2, razor_t) - allow $2 razor_t:process { ptrace signal_perms }; + allow $2 razor_t:process signal_perms; + tunable_policy(`allow_ptrace',` + allow $2 razor_t:process ptrace; + ') manage_dirs_pattern($2, razor_home_t, razor_home_t) manage_files_pattern($2, razor_home_t, razor_home_t) diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if --- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-10-05 14:34:03.557103615 -0400 +++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-10-05 14:34:03.848103924 -0400 @@ -117,8 +117,11 @@ interface(`rgmanager_admin',` type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; ') - allow $1 rgmanager_t:process { ptrace signal_perms }; + allow $1 rgmanager_t:process signal_perms; ps_process_pattern($1, rgmanager_t) + tunable_policy(`allow_ptrace',` + allow $1 rgmanager_t:process ptrace; + ') init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if --- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-10-05 14:34:03.562103621 -0400 +++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-10-05 14:34:03.848103924 -0400 @@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',` type rhsmcertd_var_run_t; ') - allow $1 rhsmcertd_t:process { ptrace signal_perms }; + allow $1 rhsmcertd_t:process signal_perms; ps_process_pattern($1, rhsmcertd_t) + tunable_policy(`allow_ptrace',` + allow $1 rhsmcertd_t:process ptrace; + ') rhsmcertd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if --- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-10-05 14:34:03.563103622 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-10-05 14:34:03.849103926 -0400 @@ -245,8 +245,11 @@ interface(`ricci_admin',` type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; ') - allow $1 ricci_t:process { ptrace signal_perms }; + allow $1 ricci_t:process signal_perms; ps_process_pattern($1, ricci_t) + tunable_policy(`allow_ptrace',` + allow $1 ricci_t:process ptrace; + ') ricci_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if --- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-10-05 14:34:03.849103926 -0400 @@ -23,8 +23,11 @@ interface(`roundup_admin',` type roundup_initrc_exec_t; ') - allow $1 roundup_t:process { ptrace signal_perms }; + allow $1 roundup_t:process signal_perms; ps_process_pattern($1, roundup_t) + tunable_policy(`allow_ptrace',` + allow $1 roundup_t:process ptrace; + ') init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if --- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-10-05 14:34:03.568103627 -0400 +++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-10-05 14:34:03.850103927 -0400 @@ -155,8 +155,11 @@ interface(`rpcbind_admin',` type rpcbind_initrc_exec_t; ') - allow $1 rpcbind_t:process { ptrace signal_perms }; + allow $1 rpcbind_t:process signal_perms; ps_process_pattern($1, rpcbind_t) + tunable_policy(`allow_ptrace',` + allow $1 rpcbind_t:process ptrace; + ') init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te --- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-10-05 14:34:03.571103630 -0400 +++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-10-05 14:34:03.851103928 -0400 @@ -15,7 +15,10 @@ init_system_domain(rtkit_daemon_t, rtkit # rtkit_daemon local policy # -allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; +allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice }; +tunable_policy(`allow_ptrace',` + allow rtkit_daemon_t self:capability sys_ptrace; +') allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; kernel_read_system_state(rtkit_daemon_t) diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if --- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-10-05 14:34:03.572103631 -0400 +++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-10-05 14:34:03.851103928 -0400 @@ -138,8 +138,11 @@ interface(`rwho_admin',` type rwho_initrc_exec_t; ') - allow $1 rwho_t:process { ptrace signal_perms }; + allow $1 rwho_t:process signal_perms; ps_process_pattern($1, rwho_t) + tunable_policy(`allow_ptrace',` + allow $1 rwho_t:process ptrace; + ') init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if --- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-10-05 14:34:03.574103633 -0400 +++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-10-05 14:34:03.852103929 -0400 @@ -785,13 +785,18 @@ interface(`samba_admin',` type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; ') - allow $1 smbd_t:process { ptrace signal_perms }; + allow $1 smbd_t:process signal_perms; ps_process_pattern($1, smbd_t) + tunable_policy(`allow_ptrace',` + allow $1 smbd_t:process ptrace; + allow $1 nmbd_t:process ptrace; + allow $1 samba_unconfined_script_t:process ptrace; + ') - allow $1 nmbd_t:process { ptrace signal_perms }; + allow $1 nmbd_t:process signal_perms; ps_process_pattern($1, nmbd_t) - allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; + allow $1 samba_unconfined_script_t:process signal_perms; ps_process_pattern($1, samba_unconfined_script_t) samba_run_smbcontrol($1, $2, $3) diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if --- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-10-05 14:34:03.853103930 -0400 @@ -271,10 +271,14 @@ interface(`samhain_admin',` type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; ') - allow $1 samhain_t:process { ptrace signal_perms }; + allow $1 samhain_t:process signal_perms; ps_process_pattern($1, samhain_t) + tunable_policy(`allow_ptrace',` + allow $1 samhain_t:process ptrace; + allow $1 samhaind_t:process ptrace; + ') - allow $1 samhaind_t:process { ptrace signal_perms }; + allow $1 samhaind_t:process signal_perms; ps_process_pattern($1, samhaind_t) files_list_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if --- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-10-05 14:34:03.576103636 -0400 +++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-10-05 14:34:03.854103931 -0400 @@ -99,8 +99,11 @@ interface(`sanlock_admin',` type sanlock_initrc_exec_t; ') - allow $1 sanlock_t:process { ptrace signal_perms }; + allow $1 sanlock_t:process signal_perms; ps_process_pattern($1, sanlock_t) + tunable_policy(`allow_ptrace',` + allow $1 sanlock_t:process ptrace; + ') sanlock_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if --- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-10-05 14:34:03.577103637 -0400 +++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-10-05 14:34:03.854103931 -0400 @@ -42,8 +42,11 @@ interface(`sasl_admin',` type saslauthd_initrc_exec_t; ') - allow $1 saslauthd_t:process { ptrace signal_perms }; + allow $1 saslauthd_t:process signal_perms; ps_process_pattern($1, saslauthd_t) + tunable_policy(`allow_ptrace',` + allow $1 saslauthd_t:process ptrace; + ') init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if --- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-10-05 14:34:03.578103638 -0400 +++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-10-05 14:34:03.855103932 -0400 @@ -65,11 +65,15 @@ interface(`sblim_admin',` type sblim_var_run_t; ') - allow $1 sblim_gatherd_t:process { ptrace signal_perms }; + allow $1 sblim_gatherd_t:process signal_perms; ps_process_pattern($1, sblim_gatherd_t) + tunable_policy(`allow_ptrace',` + allow $1 sblim_gatherd_t:process ptrace; + allow $1 sblim_reposd_t:process ptrace; + ') - allow $1 sblim_reposd_t:process { ptrace signal_perms }; - ps_process_pattern($1, sblim_reposd_t) + allow $1 sblim_reposd_t:process signal_perms; + ps_process_pattern($1, sblim_reposd_t) files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te --- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-10-05 14:34:03.578103638 -0400 +++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-10-05 14:34:03.855103932 -0400 @@ -24,7 +24,8 @@ files_pid_file(sblim_var_run_t) # #needed by ps -allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override }; +allow sblim_gatherd_t self:capability { kill dac_override }; +dontaudit sblim_gatherd_t self:capability sys_ptrace; allow sblim_gatherd_t self:process signal; allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if --- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-10-05 14:34:03.579103639 -0400 +++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-10-05 14:34:03.856103933 -0400 @@ -334,10 +334,14 @@ interface(`sendmail_admin',` type mail_spool_t; ') - allow $1 sendmail_t:process { ptrace signal_perms }; + allow $1 sendmail_t:process signal_perms; ps_process_pattern($1, sendmail_t) + tunable_policy(`allow_ptrace',` + allow $1 sendmail_t:process ptrace; + allow $1 unconfined_sendmail_t:process ptrace; + ') - allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; + allow $1 unconfined_sendmail_t:process signal_perms; ps_process_pattern($1, unconfined_sendmail_t) sendmail_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if --- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-10-05 14:34:03.581103641 -0400 +++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-10-05 14:34:03.856103933 -0400 @@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',` type setroubleshoot_var_lib_t; ') - allow $1 setroubleshootd_t:process { ptrace signal_perms }; + allow $1 setroubleshootd_t:process signal_perms; ps_process_pattern($1, setroubleshootd_t) + tunable_policy(`allow_ptrace',` + allow $1 setroubleshootd_t:process ptrace; + ') logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if --- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-10-05 14:34:03.582103642 -0400 +++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-10-05 14:34:03.857103934 -0400 @@ -42,8 +42,11 @@ interface(`smartmon_admin',` type fsdaemon_initrc_exec_t; ') - allow $1 fsdaemon_t:process { ptrace signal_perms }; + allow $1 fsdaemon_t:process signal_perms; ps_process_pattern($1, fsdaemon_t) + tunable_policy(`allow_ptrace',` + allow $1 smartmon_t:process ptrace; + ') init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if --- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-10-05 14:34:03.857103934 -0400 @@ -153,8 +153,11 @@ interface(`smokeping_admin',` type smokeping_t, smokeping_initrc_exec_t; ') - allow $1 smokeping_t:process { ptrace signal_perms }; + allow $1 smokeping_t:process signal_perms; ps_process_pattern($1, smokeping_t) + tunable_policy(`allow_ptrace',` + allow $1 smokeping_t:process ptrace; + ') smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if --- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-10-05 14:34:03.584103644 -0400 +++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-10-05 14:34:03.858103935 -0400 @@ -168,8 +168,11 @@ interface(`snmp_admin',` type snmpd_var_lib_t, snmpd_var_run_t; ') - allow $1 snmpd_t:process { ptrace signal_perms }; + allow $1 snmpd_t:process signal_perms; ps_process_pattern($1, snmpd_t) + tunable_policy(`allow_ptrace',` + allow $1 snmpd_t:process ptrace; + ') init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te --- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-10-05 14:34:03.585103645 -0400 +++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-10-05 14:34:03.858103935 -0400 @@ -26,7 +26,11 @@ files_type(snmpd_var_lib_t) # Local policy # -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; +allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config }; +tunable_policy(`allow_ptrace',` + allow snmpd_t self:capability sys_ptrace; +') + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if --- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-10-05 14:34:03.585103645 -0400 +++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-10-05 14:34:03.859103936 -0400 @@ -41,8 +41,11 @@ interface(`snort_admin',` type snort_etc_t, snort_initrc_exec_t; ') - allow $1 snort_t:process { ptrace signal_perms }; + allow $1 snort_t:process signal_perms; ps_process_pattern($1, snort_t) + tunable_policy(`allow_ptrace',` + allow $1 snort_t:process ptrace; + ') init_labeled_script_domtrans($1, snort_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if --- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-10-05 14:34:03.586103646 -0400 +++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-10-05 14:34:03.860103937 -0400 @@ -37,8 +37,11 @@ interface(`soundserver_admin',` type soundd_tmp_t, soundd_var_run_t; ') - allow $1 soundd_t:process { ptrace signal_perms }; + allow $1 soundd_t:process signal_perms; ps_process_pattern($1, soundd_t) + tunable_policy(`allow_ptrace',` + allow $1 soundd_t:process ptrace; + ') init_labeled_script_domtrans($1, soundd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if --- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-10-05 14:34:03.587103647 -0400 +++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-10-05 14:34:03.861103938 -0400 @@ -27,12 +27,12 @@ interface(`spamassassin_role',` domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) - allow $2 spamassassin_t:process { ptrace signal_perms }; + allow $2 spamassassin_t:process signal_perms; ps_process_pattern($2, spamassassin_t) domtrans_pattern($2, spamc_exec_t, spamc_t) - allow $2 spamc_t:process { ptrace signal_perms }; + allow $2 spamc_t:process signal_perms; ps_process_pattern($2, spamc_t) manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) @@ -337,8 +337,11 @@ interface(`spamassassin_spamd_admin',` type spamd_initrc_exec_t; ') - allow $1 spamd_t:process { ptrace signal_perms }; + allow $1 spamd_t:process signal_perms; ps_process_pattern($1, spamd_t) + tunable_policy(`allow_ptrace',` + allow $1 spamd_t:process ptrace; + ') init_labeled_script_domtrans($1, spamd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if --- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-10-05 14:34:03.590103650 -0400 +++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-10-05 14:34:03.861103938 -0400 @@ -209,8 +209,11 @@ interface(`squid_admin',` type squid_log_t, squid_var_run_t, squid_initrc_exec_t; ') - allow $1 squid_t:process { ptrace signal_perms }; + allow $1 squid_t:process signal_perms; ps_process_pattern($1, squid_t) + tunable_policy(`allow_ptrace',` + allow $1 squid_t:process ptrace; + ') init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if --- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-10-05 14:34:03.732103801 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-05 14:34:03.862103939 -0400 @@ -367,7 +367,7 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) - allow $3 ssh_t:process { ptrace signal_perms }; + allow $3 ssh_t:process signal_perms; # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; @@ -402,7 +402,7 @@ template(`ssh_role_template',` stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. - allow $3 $1_ssh_agent_t:process { ptrace signal_perms }; + allow $3 $1_ssh_agent_t:process signal_perms; # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if --- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-10-05 14:34:03.593103654 -0400 +++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-10-05 14:34:03.863103940 -0400 @@ -232,8 +232,11 @@ interface(`sssd_admin',` type sssd_t, sssd_public_t, sssd_initrc_exec_t; ') - allow $1 sssd_t:process { ptrace signal_perms }; + allow $1 sssd_t:process signal_perms; ps_process_pattern($1, sssd_t) + tunable_policy(`allow_ptrace',` + allow $1 sssd_t:process ptrace; + ') # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if --- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-10-05 14:34:03.597103658 -0400 +++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-10-05 14:34:03.863103940 -0400 @@ -137,8 +137,11 @@ interface(`tcsd_admin',` type tcsd_var_lib_t; ') - allow $1 tcsd_t:process { ptrace signal_perms }; + allow $1 tcsd_t:process signal_perms; ps_process_pattern($1, tcsd_t) + tunable_policy(`allow_ptrace',` + allow $1 tcsd_t:process ptrace; + ') tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if --- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-10-05 14:34:03.598103659 -0400 +++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-10-05 14:34:03.864103941 -0400 @@ -109,8 +109,11 @@ interface(`tftp_admin',` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; ') - allow $1 tftpd_t:process { ptrace signal_perms }; + allow $1 tftpd_t:process signal_perms; ps_process_pattern($1, tftpd_t) + tunable_policy(`allow_ptrace',` + allow $1 tftp_t:process ptrace; + ') files_list_var_lib($1) admin_pattern($1, tftpdir_rw_t) diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if --- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-10-05 14:34:03.600103661 -0400 +++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-10-05 14:34:03.864103941 -0400 @@ -42,8 +42,11 @@ interface(`tor_admin',` type tor_initrc_exec_t; ') - allow $1 tor_t:process { ptrace signal_perms }; + allow $1 tor_t:process signal_perms; ps_process_pattern($1, tor_t) + tunable_policy(`allow_ptrace',` + allow $1 tor_t:process ptrace; + ') init_labeled_script_domtrans($1, tor_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if --- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-10-05 14:34:03.601103662 -0400 +++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-10-05 14:34:03.865103943 -0400 @@ -115,8 +115,11 @@ interface(`tuned_admin',` type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; ') - allow $1 tuned_t:process { ptrace signal_perms }; + allow $1 tuned_t:process signal_perms; ps_process_pattern($1, tuned_t) + tunable_policy(`allow_ptrace',` + allow $1 tuned_t:process ptrace; + ') tuned_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if --- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-10-05 14:34:03.865103943 -0400 @@ -123,8 +123,11 @@ interface(`ulogd_admin',` type ulogd_var_log_t, ulogd_initrc_exec_t; ') - allow $1 ulogd_t:process { ptrace signal_perms }; + allow $1 ulogd_t:process signal_perms; ps_process_pattern($1, ulogd_t) + tunable_policy(`allow_ptrace',` + allow $1 ulogd_t:process ptrace; + ') init_labeled_script_domtrans($1, ulogd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if --- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-10-05 14:34:03.866103944 -0400 @@ -99,8 +99,11 @@ interface(`uucp_admin',` type uucpd_var_run_t; ') - allow $1 uucpd_t:process { ptrace signal_perms }; + allow $1 uucpd_t:process signal_perms; ps_process_pattern($1, uucpd_t) + tunable_policy(`allow_ptrace',` + allow $1 uucpd_t:process ptrace; + ') logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if --- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-10-05 14:34:03.606103667 -0400 +++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-10-05 14:34:03.866103944 -0400 @@ -177,8 +177,11 @@ interface(`uuidd_admin',` type uuidd_var_run_t; ') - allow $1 uuidd_t:process { ptrace signal_perms }; + allow $1 uuidd_t:process signal_perms; ps_process_pattern($1, uuidd_t) + tunable_policy(`allow_ptrace',` + allow $1 uuidd_t:process ptrace; + ') uuidd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if --- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 +++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-10-05 14:34:03.867103945 -0400 @@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',` type varnishlog_var_run_t; ') - allow $1 varnishlog_t:process { ptrace signal_perms }; + allow $1 varnishlog_t:process signal_perms; ps_process_pattern($1, varnishlog_t) + tunable_policy(`allow_ptrace',` + allow $1 varnishd_t:process ptrace; + ') init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) domain_system_change_exemption($1) @@ -194,8 +197,11 @@ interface(`varnishd_admin',` type varnishd_initrc_exec_t; ') - allow $1 varnishd_t:process { ptrace signal_perms }; + allow $1 varnishd_t:process signal_perms; ps_process_pattern($1, varnishd_t) + tunable_policy(`allow_ptrace',` + allow $1 varnishd_t:process ptrace; + ') init_labeled_script_domtrans($1, varnishd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if --- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-10-05 14:34:03.608103670 -0400 +++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-10-05 14:34:03.868103946 -0400 @@ -118,8 +118,11 @@ interface(`vdagent_admin',` type vdagent_var_run_t; ') - allow $1 vdagent_t:process { ptrace signal_perms }; + allow $1 vdagent_t:process signal_perms; ps_process_pattern($1, vdagent_t) + tunable_policy(`allow_ptrace',` + allow $1 vdagent_t:process ptrace; + ') files_search_pids($1) admin_pattern($1, vdagent_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if --- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-10-05 14:34:03.609103671 -0400 +++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-10-05 14:34:03.869103947 -0400 @@ -210,8 +210,11 @@ interface(`vhostmd_admin',` type vhostmd_t, vhostmd_initrc_exec_t; ') - allow $1 vhostmd_t:process { ptrace signal_perms }; + allow $1 vhostmd_t:process signal_perms; ps_process_pattern($1, vhostmd_t) + tunable_policy(`allow_ptrace',` + allow $1 vhostmd_t:process ptrace; + ') vhostmd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if --- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-10-05 14:34:03.611103673 -0400 +++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-10-05 14:34:03.870103948 -0400 @@ -618,10 +618,14 @@ interface(`virt_admin',` type virt_lxc_t; ') - allow $1 virtd_t:process { ptrace signal_perms }; + allow $1 virtd_t:process signal_perms; ps_process_pattern($1, virtd_t) + tunable_policy(`allow_ptrace',` + allow $1 virtd_t:process ptrace; + allow $1 virt_lxc_t:process ptrace; + ') - allow $1 virt_lxc_t:process { ptrace signal_perms }; + allow $1 virt_lxc_t:process signal_perms; ps_process_pattern($1, virt_lxc_t) init_labeled_script_domtrans($1, virtd_initrc_exec_t) @@ -637,7 +641,7 @@ interface(`virt_admin',` virt_manage_images($1) - allow $1 virt_domain:process { ptrace signal_perms }; + allow $1 virt_domain:process signal_perms; ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te --- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-10-05 14:34:03.685103751 -0400 +++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-10-05 14:34:03.870103948 -0400 @@ -247,7 +247,11 @@ optional_policy(` # virtd local policy # -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; +tunable_policy(`allow_ptrace',` + allow virtd_t self:capability sys_ptrace; +') + allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; ifdef(`hide_broken_symptoms',` # caused by some bogus kernel code diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if --- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-10-05 14:34:03.613103675 -0400 +++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-10-05 14:34:03.871103949 -0400 @@ -136,8 +136,11 @@ interface(`vnstatd_admin',` type vnstatd_t, vnstatd_var_lib_t; ') - allow $1 vnstatd_t:process { ptrace signal_perms }; + allow $1 vnstatd_t:process signal_perms; ps_process_pattern($1, vnstatd_t) + tunable_policy(`allow_ptrace',` + allow $1 vnstatd_t:process ptrace; + ') files_list_var_lib($1) admin_pattern($1, vnstatd_var_lib_t) diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if --- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-10-05 14:34:03.615103677 -0400 +++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-10-05 14:34:03.872103950 -0400 @@ -62,8 +62,11 @@ interface(`wdmd_admin',` type wdmd_initrc_exec_t; ') - allow $1 wdmd_t:process { ptrace signal_perms }; + allow $1 wdmd_t:process signal_perms; ps_process_pattern($1, wdmd_t) + tunable_policy(`allow_ptrace',` + allow $1 wdmd_t:process ptrace; + ') wdmd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te --- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-10-05 14:34:03.734103803 -0400 +++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-05 14:34:03.873103951 -0400 @@ -417,8 +417,14 @@ optional_policy(` # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; +dontaudit xdm_t self:capability sys_ptrace; + +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; +tunable_policy(`allow_ptrace',` + allow xdm_t self:process ptrace; +') + allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; @@ -929,7 +935,11 @@ allow xserver_t input_xevent_t:x_event s # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +tunable_policy(`allow_ptrace',` + allow xserver_t self:capability sys_ptrace; +') + dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if --- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-10-05 14:34:03.621103683 -0400 +++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-10-05 14:34:03.873103951 -0400 @@ -142,8 +142,11 @@ interface(`zabbix_admin',` type zabbix_initrc_exec_t; ') - allow $1 zabbix_t:process { ptrace signal_perms }; + allow $1 zabbix_t:process signal_perms; ps_process_pattern($1, zabbix_t) + tunable_policy(`allow_ptrace',` + allow $1 zabbix_t:process ptrace; + ') init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if --- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-10-05 14:34:03.623103686 -0400 +++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-10-05 14:34:03.874103952 -0400 @@ -64,8 +64,11 @@ interface(`zebra_admin',` type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; ') - allow $1 zebra_t:process { ptrace signal_perms }; + allow $1 zebra_t:process signal_perms; ps_process_pattern($1, zebra_t) + tunable_policy(`allow_ptrace',` + allow $1 zebra_t:process ptrace; + ') init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if --- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-10-05 14:34:03.634103697 -0400 +++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-10-05 14:34:03.875103953 -0400 @@ -1123,7 +1123,9 @@ interface(`init_ptrace',` type init_t; ') - allow $1 init_t:process ptrace; + tunable_policy(`allow_ptrace',` + allow $1 init_t:process ptrace; + ') ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te --- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-10-05 14:34:03.713103781 -0400 +++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-10-05 14:34:03.875103953 -0400 @@ -121,7 +121,7 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: -allow init_t self:capability ~{ audit_control audit_write sys_module }; +allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module }; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config @@ -406,7 +406,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; +allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; + dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te --- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-10-05 14:34:03.637103700 -0400 +++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-10-05 14:34:03.876103954 -0400 @@ -194,7 +194,7 @@ optional_policy(` allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te --- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-10-05 14:34:03.642103706 -0400 +++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-10-05 14:34:03.877103955 -0400 @@ -32,7 +32,7 @@ role system_r types sulogin_t; # Local login local policy # -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config }; +allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if --- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-10-05 14:34:03.643103707 -0400 +++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-10-05 14:34:03.878103956 -0400 @@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',` type auditd_initrc_exec_t; ') - allow $1 auditd_t:process { ptrace signal_perms }; + allow $1 auditd_t:process signal_perms; ps_process_pattern($1, auditd_t) + tunable_policy(`allow_ptrace',` + allow $1 auditd_t:process ptrace; + ') + manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) @@ -1142,10 +1146,14 @@ interface(`logging_admin_syslog',` ') allow $1 self:capability2 syslog; - allow $1 syslogd_t:process { ptrace signal_perms }; - allow $1 klogd_t:process { ptrace signal_perms }; + allow $1 syslogd_t:process signal_perms; + allow $1 klogd_t:process signal_perms; ps_process_pattern($1, syslogd_t) ps_process_pattern($1, klogd_t) + tunable_policy(`allow_ptrace',` + allow $1 syslogd_t:process ptrace; + allow $1 klogd_t:process ptrace; + ') manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te --- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-10-05 14:34:03.650103714 -0400 +++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-10-05 14:34:03.878103956 -0400 @@ -48,7 +48,11 @@ role system_r types showmount_t; # setuid/setgid needed to mount cifs allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; -allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal }; +allow mount_t self:process { getcap getsched setcap setrlimit signal }; +tunable_policy(`allow_ptrace',` + allow mount_t self:process ptrace; +') + allow mount_t self:fifo_file rw_fifo_file_perms; allow mount_t self:unix_stream_socket create_stream_socket_perms; allow mount_t self:unix_dgram_socket create_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te --- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-10-05 14:34:03.658103723 -0400 +++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-10-05 14:34:03.879103957 -0400 @@ -54,7 +54,10 @@ allow dhcpc_t self:capability { dac_over dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; +allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms }; +tunable_policy(`allow_ptrace',` + allow dhcpc_t self:process ptrace; +') allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te --- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-10-05 14:34:03.661103726 -0400 +++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-10-05 14:34:03.879103957 -0400 @@ -34,7 +34,11 @@ ifdef(`enable_mcs',` # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; +tunable_policy(`allow_ptrace',` + allow udev_t self:capability sys_ptrace; +') + dontaudit udev_t self:capability sys_tty_config; ifdef(`hide_broken_symptoms',` @@ -42,7 +46,11 @@ ifdef(`hide_broken_symptoms',` dontaudit udev_t self:capability sys_module; ') -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +tunable_policy(`allow_ptrace',` + allow udev_t self:process ptrace; +') + allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if --- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-10-05 14:34:03.676103742 -0400 +++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-10-05 14:34:03.880103958 -0400 @@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',` ') # Use any Linux capability. - allow $1 self:capability ~sys_module; + + allow $1 self:capability ~{ sys_module sys_ptrace }; + tunable_policy(`allow_ptrace',` + allow $1 self:capability sys_ptrace; + ') + allow $1 self:capability2 syslog; allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if --- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-10-05 14:34:03.736103806 -0400 +++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-05 14:34:03.881103960 -0400 @@ -40,7 +40,10 @@ template(`userdom_base_user_template',` role $1_r types $1_t; allow system_r $1_r; - allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + tunable_policy(`allow_ptrace',` + allow $1_usertype $1_usertype:process ptrace; + ') allow $1_usertype $1_usertype:fd use; allow $1_usertype $1_usertype:key { create view read write search link setattr }; @@ -594,7 +597,7 @@ template(`userdom_login_user_template', allow $1_t self:capability { setgid chown fowner }; dontaudit $1_t self:capability { sys_nice fsetid }; - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; + allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -1052,7 +1055,7 @@ template(`userdom_admin_user_template',` # $1_t local policy # - allow $1_t self:capability ~{ sys_module audit_control audit_write }; + allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write }; allow $1_t self:capability2 syslog; allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; @@ -3638,7 +3641,9 @@ interface(`userdom_ptrace_all_users',` attribute userdomain; ') - allow $1 userdomain:process ptrace; + tunable_policy(`allow_ptrace',` + allow $1 userdomain:process ptrace; + ') ') ########################################