d5bededc4d
Fix abrt_manage_cache() interface Make filetrans rules optional so base policy will build Dontaudit chkpwd_t access to inherited TTYS Make sure postfix content gets created with the correct label Allow gnomeclock to read cgroup Fixes for cloudform policy
3748 lines
169 KiB
Diff
3748 lines
169 KiB
Diff
diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables
|
|
--- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-11-02 16:20:55.607911000 -0400
|
|
+++ serefpolicy-3.10.0/policy/global_tunables 2011-11-02 16:21:00.878481000 -0400
|
|
@@ -6,6 +6,13 @@
|
|
|
|
## <desc>
|
|
## <p>
|
|
+## Allow sysadm to debug or ptrace all processes.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(deny_ptrace, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
|
|
## </p>
|
|
## </desc>
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if
|
|
--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-11-02 16:20:55.762914000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-11-02 16:21:00.886481000 -0400
|
|
@@ -140,8 +140,11 @@ interface(`kdump_admin',`
|
|
type kdump_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 kdump_t:process { ptrace signal_perms };
|
|
+ allow $1 kdump_t:process signal_perms;
|
|
ps_process_pattern($1, kdump_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kdump_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if
|
|
--- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-11-02 16:21:00.892484000 -0400
|
|
@@ -239,7 +239,10 @@ interface(`kismet_admin',`
|
|
')
|
|
|
|
ps_process_pattern($1, kismet_t)
|
|
- allow $1 kismet_t:process { ptrace signal_perms };
|
|
+ allow $1 kismet_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kismet_t:process ptrace;
|
|
+ ')
|
|
|
|
kismet_manage_pid_files($1)
|
|
kismet_manage_lib($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te
|
|
--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-11-02 16:20:55.779911000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-11-02 16:21:00.898481000 -0400
|
|
@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
|
|
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
|
|
dontaudit kudzu_t self:capability sys_tty_config;
|
|
allow kudzu_t self:process { signal_perms execmem };
|
|
allow kudzu_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te
|
|
--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-11-02 16:20:55.785911000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-11-02 16:21:00.913482000 -0400
|
|
@@ -30,8 +30,6 @@ files_type(logrotate_var_lib_t)
|
|
|
|
# Change ownership on log files.
|
|
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
|
|
-# for mailx
|
|
-dontaudit logrotate_t self:capability { sys_ptrace };
|
|
|
|
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te
|
|
--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-11-02 16:20:55.831912000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-11-02 16:21:00.918504000 -0400
|
|
@@ -17,8 +17,7 @@ role system_r types ncftool_t;
|
|
# ncftool local policy
|
|
#
|
|
|
|
-allow ncftool_t self:capability { net_admin sys_ptrace };
|
|
-
|
|
+allow ncftool_t self:capability net_admin;
|
|
allow ncftool_t self:process signal;
|
|
|
|
allow ncftool_t self:fifo_file manage_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te
|
|
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-11-02 16:21:00.454481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-02 16:21:00.927490000 -0400
|
|
@@ -250,7 +250,8 @@ optional_policy(`
|
|
# rpm-script Local policy
|
|
#
|
|
|
|
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
|
|
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
|
|
+
|
|
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
|
|
allow rpm_script_t self:fd use;
|
|
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te
|
|
--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-11-02 16:20:55.968900000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-11-02 16:21:00.933494000 -0400
|
|
@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
|
|
# sectool local policy
|
|
#
|
|
|
|
-allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
|
|
+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
|
|
allow sectoolm_t self:process { getcap getsched signull setsched };
|
|
dontaudit sectoolm_t self:process { execstack execmem };
|
|
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if
|
|
--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-11-02 16:20:55.982886000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-11-02 16:21:00.941491000 -0400
|
|
@@ -139,8 +139,11 @@ interface(`shorewall_admin',`
|
|
type shorewall_tmp_t, shorewall_etc_t;
|
|
')
|
|
|
|
- allow $1 shorewall_t:process { ptrace signal_perms };
|
|
+ allow $1 shorewall_t:process signal_perms;
|
|
ps_process_pattern($1, shorewall_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 shorewall_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te
|
|
--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-11-02 16:20:55.988880000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-11-02 16:21:00.948484000 -0400
|
|
@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
|
|
# shorewall local policy
|
|
#
|
|
|
|
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
|
|
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
|
|
dontaudit shorewall_t self:capability sys_tty_config;
|
|
allow shorewall_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te
|
|
--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-11-02 16:20:56.021847000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-11-02 16:21:00.954486000 -0400
|
|
@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
|
|
# sosreport local policy
|
|
#
|
|
|
|
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
|
|
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
|
|
allow sosreport_t self:process { setsched signull };
|
|
allow sosreport_t self:fifo_file rw_fifo_file_perms;
|
|
allow sosreport_t self:tcp_socket create_stream_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te
|
|
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-11-02 16:21:00.638481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-11-02 16:21:00.963483000 -0400
|
|
@@ -439,7 +439,8 @@ optional_policy(`
|
|
# Useradd local policy
|
|
#
|
|
|
|
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
|
|
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
|
|
+
|
|
dontaudit useradd_t self:capability sys_tty_config;
|
|
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow useradd_t self:process setfscreate;
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te
|
|
--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-11-02 16:20:56.131827000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-11-02 16:21:00.969478000 -0400
|
|
@@ -26,7 +26,7 @@ role system_r types chrome_sandbox_nacl_
|
|
#
|
|
# chrome_sandbox local policy
|
|
#
|
|
-allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
|
|
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
|
|
allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
|
|
allow chrome_sandbox_t self:process setsched;
|
|
allow chrome_sandbox_t self:fifo_file manage_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-11-02 16:21:00.645481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-11-02 16:21:00.977466000 -0400
|
|
@@ -59,7 +59,7 @@ template(`execmem_role_template',`
|
|
userdom_unpriv_usertype($1, $1_execmem_t)
|
|
|
|
allow $1_execmem_t self:process { execmem execstack };
|
|
- allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
|
|
+ allow $3 $1_execmem_t:process { getattr noatsecure signal_perms };
|
|
domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
|
|
|
|
files_execmod_tmp($1_execmem_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-11-02 16:20:56.187825000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-11-02 16:21:00.989459000 -0400
|
|
@@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',`
|
|
auth_use_nsswitch($1_gkeyringd_t)
|
|
|
|
ps_process_pattern($3, $1_gkeyringd_t)
|
|
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
|
|
-
|
|
+ allow $3 $1_gkeyringd_t:process signal_perms;
|
|
dontaudit $3 gkeyringd_exec_t:file entrypoint;
|
|
|
|
stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-11-02 16:20:56.224825000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-11-02 16:21:00.994463000 -0400
|
|
@@ -33,7 +33,7 @@ interface(`irc_role',`
|
|
|
|
domtrans_pattern($2, irssi_exec_t, irssi_t)
|
|
|
|
- allow $2 irssi_t:process { ptrace signal_perms };
|
|
+ allow $2 irssi_t:process signal_perms;
|
|
ps_process_pattern($2, irssi_t)
|
|
|
|
manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-11-02 16:21:00.650493000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-11-02 16:21:01.001444000 -0400
|
|
@@ -76,11 +76,11 @@ template(`java_role_template',`
|
|
userdom_manage_tmpfs_role($2)
|
|
userdom_manage_tmpfs($1_java_t)
|
|
|
|
- allow $1_java_t self:process { ptrace signal getsched execmem execstack };
|
|
+ allow $1_java_t self:process { signal getsched execmem execstack };
|
|
|
|
dontaudit $1_java_t $3:tcp_socket { read write };
|
|
|
|
- allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
|
|
+ allow $3 $1_java_t:process { getattr noatsecure signal_perms };
|
|
|
|
domtrans_pattern($3, java_exec_t, $1_java_t)
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0/policy/modules/apps/kde.te
|
|
--- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace 2011-11-02 16:20:56.258830000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/kde.te 2011-11-02 16:21:01.006462000 -0400
|
|
@@ -13,9 +13,6 @@ dbus_system_domain(kdebacklighthelper_t,
|
|
#
|
|
# backlighthelper local policy
|
|
#
|
|
-
|
|
-dontaudit kdebacklighthelper_t self:capability sys_ptrace;
|
|
-
|
|
allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
kernel_read_system_state(kdebacklighthelper_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te
|
|
--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-11-02 16:20:56.274828000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-11-02 16:21:01.012454000 -0400
|
|
@@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t)
|
|
|
|
dontaudit livecd_t self:capability2 mac_admin;
|
|
|
|
-domain_ptrace_all_domains(livecd_t)
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ domain_ptrace_all_domains(livecd_t)
|
|
+')
|
|
+
|
|
domain_interactive_fd(livecd_t)
|
|
|
|
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-11-02 16:21:00.656493000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-11-02 16:21:01.021424000 -0400
|
|
@@ -40,8 +40,8 @@ template(`mono_role_template',`
|
|
domain_interactive_fd($1_mono_t)
|
|
application_type($1_mono_t)
|
|
|
|
- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
|
|
- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
|
|
+ allow $1_mono_t self:process { signal getsched execheap execmem execstack };
|
|
+ allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
|
|
|
|
domtrans_pattern($3, mono_exec_t, $1_mono_t)
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te
|
|
--- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-11-02 16:21:01.027416000 -0400
|
|
@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
|
|
+allow mono_t self:process { signal getsched execheap execmem execstack };
|
|
|
|
init_dbus_chat_script(mono_t)
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-11-02 16:21:00.663481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-11-02 16:21:01.033416000 -0400
|
|
@@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',`
|
|
allow mozilla_plugin_t $1:sem create_sem_perms;
|
|
|
|
ps_process_pattern($1, mozilla_plugin_t)
|
|
- allow $1 mozilla_plugin_t:process { ptrace signal_perms };
|
|
+ allow $1 mozilla_plugin_t:process signal_perms;
|
|
')
|
|
|
|
########################################
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.te
|
|
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace 2011-11-02 16:21:00.480481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-02 16:21:01.042409000 -0400
|
|
@@ -301,7 +301,7 @@ optional_policy(`
|
|
# mozilla_plugin local policy
|
|
#
|
|
|
|
-dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_nice };
|
|
+dontaudit mozilla_plugin_t self:capability sys_nice;
|
|
|
|
allow mozilla_plugin_t self:process { setsched signal_perms execmem };
|
|
allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-11-02 16:21:00.669481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-11-02 16:21:01.050395000 -0400
|
|
@@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', `
|
|
dontaudit nsplugin_t $2:shm destroy;
|
|
allow $2 nsplugin_t:sem rw_sem_perms;
|
|
|
|
- allow $2 nsplugin_t:process { getattr ptrace signal_perms };
|
|
+ allow $2 nsplugin_t:process { getattr signal_perms };
|
|
allow $2 nsplugin_t:unix_stream_socket connectto;
|
|
|
|
# Connect to pulseaudit server
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
|
|
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-11-02 16:21:00.677481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-11-02 16:21:01.059398000 -0400
|
|
@@ -54,7 +54,7 @@ application_executable_file(nsplugin_con
|
|
#
|
|
dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
|
|
allow nsplugin_t self:fifo_file rw_file_perms;
|
|
-allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
|
|
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
|
|
|
|
allow nsplugin_t self:sem create_sem_perms;
|
|
allow nsplugin_t self:shm create_shm_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-11-02 16:20:56.354830000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-11-02 16:21:01.065395000 -0400
|
|
@@ -69,7 +69,7 @@ interface(`openoffice_role_template',`
|
|
|
|
allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
|
|
|
|
- allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
|
|
+ allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
|
|
allow $1_openoffice_t $3:tcp_socket { read write };
|
|
|
|
domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te
|
|
--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-11-02 16:21:00.488484000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-11-02 16:21:01.071398000 -0400
|
|
@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t)
|
|
# podsleuth local policy
|
|
#
|
|
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
|
|
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
|
|
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
|
|
+
|
|
allow podsleuth_t self:fifo_file rw_file_perms;
|
|
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow podsleuth_t self:sem create_sem_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-11-02 16:21:01.077416000 -0400
|
|
@@ -31,9 +31,9 @@ interface(`uml_role',`
|
|
allow $2 uml_t:unix_dgram_socket sendto;
|
|
allow uml_t $2:unix_dgram_socket sendto;
|
|
|
|
- # allow ps, ptrace, signal
|
|
+ # allow ps, signal
|
|
ps_process_pattern($2, uml_t)
|
|
- allow $2 uml_t:process { ptrace signal_perms };
|
|
+ allow $2 uml_t:process signal_perms;
|
|
|
|
allow $2 uml_ro_t:dir list_dir_perms;
|
|
read_files_pattern($2, uml_ro_t, uml_ro_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te
|
|
--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-11-02 16:20:56.483825000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-11-02 16:21:01.086395000 -0400
|
|
@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t)
|
|
#
|
|
|
|
allow uml_t self:fifo_file rw_fifo_file_perms;
|
|
-allow uml_t self:process { signal_perms ptrace };
|
|
+allow uml_t self:process signal_perms;
|
|
allow uml_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow uml_t self:unix_dgram_socket create_socket_perms;
|
|
# Use the network.
|
|
diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if
|
|
--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-11-02 16:21:00.709496000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-11-02 16:21:01.092395000 -0400
|
|
@@ -100,7 +100,7 @@ template(`wine_role_template',`
|
|
role $2 types $1_wine_t;
|
|
|
|
allow $1_wine_t self:process { execmem execstack };
|
|
- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
|
|
+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
|
|
domtrans_pattern($3, wine_exec_t, $1_wine_t)
|
|
corecmd_bin_domtrans($1_wine_t, $1_t)
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te
|
|
--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-11-02 16:20:56.704825000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-11-02 16:21:01.100395000 -0400
|
|
@@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo
|
|
allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
|
|
|
|
# Act upon any other process.
|
|
-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
|
|
+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow unconfined_domain_type domain:process ptrace;
|
|
+')
|
|
|
|
# Create/access any System V IPC objects.
|
|
allow unconfined_domain_type domain:{ sem msgq shm } *;
|
|
@@ -407,3 +410,4 @@ optional_policy(`
|
|
')
|
|
|
|
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
|
|
+dontaudit domain self:capability sys_ptrace;
|
|
diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te
|
|
--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-11-02 16:20:56.826825000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-11-02 16:21:01.109395000 -0400
|
|
@@ -191,7 +191,11 @@ sid tcp_socket gen_context(system_u:obj
|
|
# kernel local policy
|
|
#
|
|
|
|
-allow kernel_t self:capability *;
|
|
+allow kernel_t self:capability ~{ sys_ptrace };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow kernel_t self:capability sys_ptrace;
|
|
+')
|
|
+
|
|
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow kernel_t self:shm create_shm_perms;
|
|
allow kernel_t self:sem create_sem_perms;
|
|
@@ -442,7 +446,7 @@ allow kern_unconfined unlabeled_t:dir_fi
|
|
allow kern_unconfined unlabeled_t:filesystem *;
|
|
allow kern_unconfined unlabeled_t:association *;
|
|
allow kern_unconfined unlabeled_t:packet *;
|
|
-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
|
|
+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
|
|
|
|
gen_require(`
|
|
bool secure_mode_insmod;
|
|
diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te
|
|
--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-11-02 16:20:56.906825000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-11-02 16:21:01.115395000 -0400
|
|
@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
|
|
# database admin local policy
|
|
#
|
|
|
|
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
|
|
+allow dbadm_t self:capability { dac_override dac_read_search };
|
|
|
|
files_dontaudit_search_all_dirs(dbadm_t)
|
|
files_delete_generic_locks(dbadm_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te
|
|
--- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-11-02 16:21:01.119398000 -0400
|
|
@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
|
|
# logadmin local policy
|
|
#
|
|
|
|
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
|
|
-
|
|
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
|
|
logging_admin(logadm_t, logadm_r)
|
|
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te
|
|
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-11-02 16:21:00.735481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-02 16:21:01.127397000 -0400
|
|
@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
|
|
# Declarations
|
|
#
|
|
|
|
-## <desc>
|
|
-## <p>
|
|
-## Allow sysadm to debug or ptrace all processes.
|
|
-## </p>
|
|
-## </desc>
|
|
-gen_tunable(allow_ptrace, false)
|
|
-
|
|
role sysadm_r;
|
|
|
|
userdom_admin_user_template(sysadm)
|
|
@@ -91,7 +84,7 @@ ifndef(`enable_mls',`
|
|
logging_stream_connect_syslog(sysadm_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_ptrace',`
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
domain_ptrace_all_domains(sysadm_t)
|
|
')
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te
|
|
--- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-11-02 16:20:56.949828000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-11-02 16:21:01.133406000 -0400
|
|
@@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
|
|
# webadmin local policy
|
|
#
|
|
|
|
-allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
|
|
+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
|
|
|
|
files_dontaudit_search_all_dirs(webadm_t)
|
|
files_manage_generic_locks(webadm_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-11-02 16:20:56.967816000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-11-02 16:21:01.141395000 -0400
|
|
@@ -336,9 +336,13 @@ interface(`abrt_admin',`
|
|
type abrt_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 abrt_t:process { ptrace signal_perms };
|
|
+ allow $1 abrt_t:process { signal_perms };
|
|
ps_process_pattern($1, abrt_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 abrt_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, abrt_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 abrt_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-11-02 16:20:56.979807000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-11-02 16:21:01.147398000 -0400
|
|
@@ -138,8 +138,12 @@ interface(`accountsd_admin',`
|
|
type accountsd_t;
|
|
')
|
|
|
|
- allow $1 accountsd_t:process { ptrace signal_perms };
|
|
+ allow $1 accountsd_t:process signal_perms;
|
|
ps_process_pattern($1, accountsd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 acountsd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
accountsd_manage_lib_files($1)
|
|
')
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-11-02 16:20:56.985800000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-11-02 16:21:01.153402000 -0400
|
|
@@ -19,7 +19,7 @@ files_type(accountsd_var_lib_t)
|
|
# accountsd local policy
|
|
#
|
|
|
|
-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
|
|
+allow accountsd_t self:capability { dac_override setuid setgid };
|
|
allow accountsd_t self:process signal;
|
|
allow accountsd_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-11-02 16:20:56.990797000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-11-02 16:21:01.159402000 -0400
|
|
@@ -97,9 +97,13 @@ interface(`afs_admin',`
|
|
type afs_t, afs_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 afs_t:process { ptrace signal_perms };
|
|
+ allow $1 afs_t:process signal_perms;
|
|
ps_process_pattern($1, afs_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 afs_t:process ptrace;
|
|
+ ')
|
|
+
|
|
# Allow afs_admin to restart the afs service
|
|
afs_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-11-02 16:21:01.165403000 -0400
|
|
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
|
|
type aiccu_var_run_t;
|
|
')
|
|
|
|
- allow $1 aiccu_t:process { ptrace signal_perms };
|
|
+ allow $1 aiccu_t:process signal_perms;
|
|
ps_process_pattern($1, aiccu_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 aiccu_t:process ptrace;
|
|
+ ')
|
|
+
|
|
aiccu_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 aiccu_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-11-02 16:20:57.023767000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-11-02 16:21:01.180404000 -0400
|
|
@@ -61,9 +61,13 @@ interface(`aide_admin',`
|
|
type aide_t, aide_db_t, aide_log_t;
|
|
')
|
|
|
|
- allow $1 aide_t:process { ptrace signal_perms };
|
|
+ allow $1 aide_t:process signal_perms;
|
|
ps_process_pattern($1, aide_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 aide_t:process ptrace;
|
|
+ ')
|
|
+
|
|
files_list_etc($1)
|
|
admin_pattern($1, aide_db_t)
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-11-02 16:20:57.034752000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-11-02 16:21:01.186395000 -0400
|
|
@@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
|
|
type aisexec_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 aisexec_t:process { ptrace signal_perms };
|
|
+ allow $1 aisexec_t:process signal_perms;
|
|
ps_process_pattern($1, aisexec_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 aisexec_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 aisexec_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-11-02 16:20:57.045739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-11-02 16:21:01.191397000 -0400
|
|
@@ -76,9 +76,13 @@ interface(`ajaxterm_admin',`
|
|
type ajaxterm_t, ajaxterm_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ajaxterm_t:process { ptrace signal_perms };
|
|
+ allow $1 ajaxterm_t:process signal_perms;
|
|
ps_process_pattern($1, ajaxterm_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ajaxterm_t:process ptrace;
|
|
+ ')
|
|
+
|
|
ajaxterm_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 ajaxterm_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-11-02 16:21:01.198395000 -0400
|
|
@@ -231,9 +231,13 @@ interface(`amavis_admin',`
|
|
type amavis_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 amavis_t:process { ptrace signal_perms };
|
|
+ allow $1 amavis_t:process signal_perms;
|
|
ps_process_pattern($1, amavis_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 amavis_t:process ptrace;
|
|
+ ')
|
|
+
|
|
amavis_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 amavis_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-11-02 16:21:00.856481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-11-02 16:21:01.212395000 -0400
|
|
@@ -1297,9 +1297,13 @@ interface(`apache_admin',`
|
|
type httpd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 httpd_t:process { ptrace signal_perms };
|
|
+ allow $1 httpd_t:process signal_perms;
|
|
ps_process_pattern($1, httpd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 httpd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 httpd_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-11-02 16:21:01.219395000 -0400
|
|
@@ -146,9 +146,13 @@ interface(`apcupsd_admin',`
|
|
type apcupsd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 apcupsd_t:process { ptrace signal_perms };
|
|
+ allow $1 apcupsd_t:process signal_perms;
|
|
ps_process_pattern($1, apcupsd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 apcupsd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 apcupsd_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3.10.0/policy/modules/services/apm.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace 2011-11-02 16:20:57.113739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/apm.te 2011-11-02 16:21:01.227395000 -0400
|
|
@@ -60,7 +60,7 @@ logging_send_syslog_msg(apm_t)
|
|
# mknod: controlling an orderly resume of PCMCIA requires creating device
|
|
# nodes 254,{0,1,2} for some reason.
|
|
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
|
|
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
|
|
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
|
|
allow apmd_t self:process { signal_perms getsession };
|
|
allow apmd_t self:fifo_file rw_fifo_file_perms;
|
|
allow apmd_t self:netlink_socket create_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-11-02 16:20:57.119739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-11-02 16:21:01.233395000 -0400
|
|
@@ -137,9 +137,13 @@ interface(`arpwatch_admin',`
|
|
type arpwatch_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 arpwatch_t:process { ptrace signal_perms };
|
|
+ allow $1 arpwatch_t:process signal_perms;
|
|
ps_process_pattern($1, arpwatch_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 arpwatch_t:process ptrace;
|
|
+ ')
|
|
+
|
|
arpwatch_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 arpwatch_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-11-02 16:20:57.140745000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-11-02 16:21:01.237398000 -0400
|
|
@@ -64,9 +64,13 @@ interface(`asterisk_admin',`
|
|
type asterisk_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 asterisk_t:process { ptrace signal_perms };
|
|
+ allow $1 asterisk_t:process signal_perms;
|
|
ps_process_pattern($1, asterisk_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 asterisk_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 asterisk_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-11-02 16:20:57.159744000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-11-02 16:21:01.244398000 -0400
|
|
@@ -150,9 +150,13 @@ interface(`automount_admin',`
|
|
type automount_var_run_t, automount_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 automount_t:process { ptrace signal_perms };
|
|
+ allow $1 automount_t:process signal_perms;
|
|
ps_process_pattern($1, automount_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 automount_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, automount_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 automount_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-11-02 16:20:57.171739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-11-02 16:21:01.250403000 -0400
|
|
@@ -154,9 +154,13 @@ interface(`avahi_admin',`
|
|
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 avahi_t:process { ptrace signal_perms };
|
|
+ allow $1 avahi_t:process signal_perms;
|
|
ps_process_pattern($1, avahi_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 avahi_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 avahi_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-11-02 16:20:57.189739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-11-02 16:21:01.257395000 -0400
|
|
@@ -408,12 +408,20 @@ interface(`bind_admin',`
|
|
type dnssec_t, ndc_t, named_keytab_t;
|
|
')
|
|
|
|
- allow $1 named_t:process { ptrace signal_perms };
|
|
+ allow $1 named_t:process signal_perms;
|
|
ps_process_pattern($1, named_t)
|
|
|
|
- allow $1 ndc_t:process { ptrace signal_perms };
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 named_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 ndc_t:process signal_perms;
|
|
ps_process_pattern($1, ndc_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ndc_t:process ptrace;
|
|
+ ')
|
|
+
|
|
bind_run_ndc($1, $2)
|
|
|
|
init_labeled_script_domtrans($1, named_initrc_exec_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-11-02 16:21:01.263398000 -0400
|
|
@@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
|
|
type bitlbee_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 bitlbee_t:process { ptrace signal_perms };
|
|
+ allow $1 bitlbee_t:process signal_perms;
|
|
ps_process_pattern($1, bitlbee_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 bitlbee_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 bitlbee_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-11-02 16:20:57.212739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-11-02 16:21:01.271395000 -0400
|
|
@@ -28,7 +28,11 @@ interface(`bluetooth_role',`
|
|
|
|
# allow ps to show cdrecord and allow the user to kill it
|
|
ps_process_pattern($2, bluetooth_helper_t)
|
|
- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
|
|
+ allow $2 bluetooth_helper_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 bluetooth_helper_t:process ptrace;
|
|
+ ')
|
|
|
|
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
|
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
|
|
@@ -220,9 +224,13 @@ interface(`bluetooth_admin',`
|
|
type bluetooth_conf_t, bluetooth_conf_rw_t;
|
|
')
|
|
|
|
- allow $1 bluetooth_t:process { ptrace signal_perms };
|
|
+ allow $1 bluetooth_t:process signal_perms;
|
|
ps_process_pattern($1, bluetooth_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 bluetooth_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 bluetooth_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-11-02 16:20:57.224744000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-11-02 16:21:01.277395000 -0400
|
|
@@ -137,9 +137,13 @@ interface(`boinc_admin',`
|
|
type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
|
|
')
|
|
|
|
- allow $1 boinc_t:process { ptrace signal_perms };
|
|
+ allow $1 boinc_t:process signal_perms;
|
|
ps_process_pattern($1, boinc_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 boic_t:process ptrace;
|
|
+ ')
|
|
+
|
|
boinc_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 boinc_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-11-02 16:21:00.533488000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-11-02 16:21:01.283398000 -0400
|
|
@@ -121,9 +121,13 @@ mta_send_mail(boinc_t)
|
|
domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
|
|
allow boinc_t boinc_project_t:process sigkill;
|
|
|
|
-allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
|
|
+allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop };
|
|
allow boinc_project_t self:process { execmem execstack };
|
|
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow boinc_project_t self:process ptrace;
|
|
+')
|
|
+
|
|
allow boinc_project_t self:fifo_file rw_fifo_file_perms;
|
|
allow boinc_project_t self:sem create_sem_perms;
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-11-02 16:20:57.237739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-11-02 16:21:01.289396000 -0400
|
|
@@ -62,9 +62,13 @@ interface(`bugzilla_admin',`
|
|
type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
|
|
')
|
|
|
|
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
|
|
+ allow $1 httpd_bugzilla_script_t:process signal_perms;
|
|
ps_process_pattern($1, httpd_bugzilla_script_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 httpd_bugzilla_script_t:process ptrace;
|
|
+ ')
|
|
+
|
|
files_list_tmp($1)
|
|
admin_pattern($1, httpd_bugzilla_tmp_t)
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-11-02 16:20:57.260739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-11-02 16:21:01.295395000 -0400
|
|
@@ -336,9 +336,13 @@ interface(`callweaver_admin',`
|
|
type callweaver_spool_t;
|
|
')
|
|
|
|
- allow $1 callweaver_t:process { ptrace signal_perms };
|
|
+ allow $1 callweaver_t:process signal_perms;
|
|
ps_process_pattern($1, callweaver_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 callweaver_t:process ptrace;
|
|
+ ')
|
|
+
|
|
callweaver_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 callweaver_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-11-02 16:21:01.301395000 -0400
|
|
@@ -42,9 +42,13 @@ interface(`canna_admin',`
|
|
type canna_var_run_t, canna_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 canna_t:process { ptrace signal_perms };
|
|
+ allow $1 canna_t:process signal_perms;
|
|
ps_process_pattern($1, canna_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 canna_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, canna_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 canna_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-11-02 16:20:57.290739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-11-02 16:21:01.307395000 -0400
|
|
@@ -119,9 +119,13 @@ interface(`certmaster_admin',`
|
|
type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 certmaster_t:process { ptrace signal_perms };
|
|
+ allow $1 certmaster_t:process signal_perms;
|
|
ps_process_pattern($1, certmaster_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 certmaster_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 certmaster_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-11-02 16:20:57.301739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-11-02 16:21:01.313395000 -0400
|
|
@@ -158,7 +158,11 @@ interface(`certmonger_admin',`
|
|
')
|
|
|
|
ps_process_pattern($1, certmonger_t)
|
|
- allow $1 certmonger_t:process { ptrace signal_perms };
|
|
+ allow $1 certmonger_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 certmonger_t:process ptrace;
|
|
+ ')
|
|
|
|
# Allow certmonger_t to restart the apache service
|
|
certmonger_initrc_domtrans($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-11-02 16:20:57.319739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-11-02 16:21:01.324402000 -0400
|
|
@@ -171,15 +171,27 @@ interface(`cgroup_admin',`
|
|
type cgrules_etc_t, cgclear_t;
|
|
')
|
|
|
|
- allow $1 cgclear_t:process { ptrace signal_perms };
|
|
+ allow $1 cgclear_t:process signal_perms;
|
|
ps_process_pattern($1, cgclear_t)
|
|
|
|
- allow $1 cgconfig_t:process { ptrace signal_perms };
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cglear_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 cgconfig_t:process signal_perms;
|
|
ps_process_pattern($1, cgconfig_t)
|
|
|
|
- allow $1 cgred_t:process { ptrace signal_perms };
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cgconfig_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 cgred_t:process signal_perms;
|
|
ps_process_pattern($1, cgred_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cgred_t:process ptrace;
|
|
+ ')
|
|
+
|
|
admin_pattern($1, cgconfig_etc_t)
|
|
admin_pattern($1, cgrules_etc_t)
|
|
files_list_etc($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-11-02 16:20:57.324743000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-11-02 16:21:01.330408000 -0400
|
|
@@ -76,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t)
|
|
# cgred personal policy.
|
|
#
|
|
|
|
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
|
|
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override };
|
|
+
|
|
allow cgred_t self:netlink_socket { write bind create read };
|
|
allow cgred_t self:unix_dgram_socket { write create connect };
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-11-02 16:20:57.335739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-11-02 16:21:01.337395000 -0400
|
|
@@ -217,9 +217,13 @@ interface(`chronyd_admin',`
|
|
type chronyd_keys_t;
|
|
')
|
|
|
|
- allow $1 chronyd_t:process { ptrace signal_perms };
|
|
+ allow $1 chronyd_t:process signal_perms;
|
|
ps_process_pattern($1, chronyd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 chronyd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 chronyd_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-11-02 16:20:57.352739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-11-02 16:21:01.351398000 -0400
|
|
@@ -176,13 +176,19 @@ interface(`clamav_admin',`
|
|
type freshclam_t, freshclam_var_log_t;
|
|
')
|
|
|
|
- allow $1 clamd_t:process { ptrace signal_perms };
|
|
+ allow $1 clamd_t:process signal_perms;
|
|
ps_process_pattern($1, clamd_t)
|
|
|
|
- allow $1 clamscan_t:process { ptrace signal_perms };
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 clamd_t:process ptrace;
|
|
+ allow $1 clamscan_t:process ptrace;
|
|
+ allow $1 freshclam_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 clamscan_t:process signal_perms;
|
|
ps_process_pattern($1, clamscan_t)
|
|
|
|
- allow $1 freshclam_t:process { ptrace signal_perms };
|
|
+ allow $1 freshclam_t:process signal_perms;
|
|
ps_process_pattern($1, freshclam_t)
|
|
|
|
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-11-02 16:20:57.398739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-11-02 16:21:01.359395000 -0400
|
|
@@ -101,9 +101,13 @@ interface(`cmirrord_admin',`
|
|
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
|
|
')
|
|
|
|
- allow $1 cmirrord_t:process { ptrace signal_perms };
|
|
+ allow $1 cmirrord_t:process signal_perms;
|
|
ps_process_pattern($1, cmirrord_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cmorrord_t:process ptrace;
|
|
+ ')
|
|
+
|
|
cmirrord_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 cmirrord_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-11-02 16:20:57.409739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-11-02 16:21:01.365395000 -0400
|
|
@@ -189,9 +189,13 @@ interface(`cobblerd_admin',`
|
|
type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
|
|
')
|
|
|
|
- allow $1 cobblerd_t:process { ptrace signal_perms };
|
|
+ allow $1 cobblerd_t:process signal_perms;
|
|
ps_process_pattern($1, cobblerd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cobblerd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
files_list_etc($1)
|
|
admin_pattern($1, cobbler_etc_t)
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace 2011-11-02 16:20:57.415739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cobbler.te 2011-11-02 16:21:01.371404000 -0400
|
|
@@ -60,7 +60,7 @@ files_tmp_file(cobbler_tmp_t)
|
|
#
|
|
|
|
allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
|
|
-dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
|
|
+dontaudit cobblerd_t self:capability sys_tty_config;
|
|
|
|
allow cobblerd_t self:process { getsched setsched signal };
|
|
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-11-02 16:20:57.421739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-11-02 16:21:01.377403000 -0400
|
|
@@ -142,9 +142,13 @@ interface(`collectd_admin',`
|
|
type collectd_var_lib_t;
|
|
')
|
|
|
|
- allow $1 collectd_t:process { ptrace signal_perms };
|
|
+ allow $1 collectd_t:process signal_perms;
|
|
ps_process_pattern($1, collectd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 collectd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
collectd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 collectd_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-11-02 16:20:57.439739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-11-02 16:21:01.383395000 -0400
|
|
@@ -23,7 +23,8 @@ files_tmpfs_file(consolekit_tmpfs_t)
|
|
# consolekit local policy
|
|
#
|
|
|
|
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
|
|
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
|
|
+
|
|
allow consolekit_t self:process { getsched signal };
|
|
allow consolekit_t self:fifo_file rw_fifo_file_perms;
|
|
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
|
|
@@ -144,6 +145,8 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
#reading .Xauthity
|
|
- unconfined_ptrace(consolekit_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ unconfined_ptrace(consolekit_t)
|
|
+ ')
|
|
unconfined_stream_connect(consolekit_t)
|
|
')
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-11-02 16:20:57.450739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-11-02 16:21:01.389396000 -0400
|
|
@@ -101,9 +101,13 @@ interface(`corosyncd_admin',`
|
|
type corosync_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 corosync_t:process { ptrace signal_perms };
|
|
+ allow $1 corosync_t:process signal_perms;
|
|
ps_process_pattern($1, corosync_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 corosync_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 corosync_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-11-02 16:20:57.456739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-11-02 16:21:01.395395000 -0400
|
|
@@ -33,7 +33,7 @@ files_pid_file(corosync_var_run_t)
|
|
# corosync local policy
|
|
#
|
|
|
|
-allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock };
|
|
+allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock };
|
|
allow corosync_t self:process { setpgid setrlimit setsched signal signull };
|
|
|
|
allow corosync_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-11-02 16:20:57.500739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-11-02 16:21:01.404395000 -0400
|
|
@@ -140,7 +140,11 @@ interface(`cron_role',`
|
|
|
|
# crontab shows up in user ps
|
|
ps_process_pattern($2, crontab_t)
|
|
- allow $2 crontab_t:process { ptrace signal_perms };
|
|
+ allow $2 crontab_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 crontab_t:process ptrace;
|
|
+ ')
|
|
|
|
# Run helper programs as the user domain
|
|
#corecmd_bin_domtrans(crontab_t, $2)
|
|
@@ -183,7 +187,10 @@ interface(`cron_unconfined_role',`
|
|
|
|
# cronjob shows up in user ps
|
|
ps_process_pattern($2, unconfined_cronjob_t)
|
|
- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
|
|
+ allow $2 unconfined_cronjob_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 unconfined_cronjob_t:process ptrace;
|
|
+ ')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
@@ -230,7 +237,10 @@ interface(`cron_admin_role',`
|
|
|
|
# crontab shows up in user ps
|
|
ps_process_pattern($2, admin_crontab_t)
|
|
- allow $2 admin_crontab_t:process { ptrace signal_perms };
|
|
+ allow $2 admin_crontab_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 admin_crontab_t:process ptrace;
|
|
+ ')
|
|
|
|
# Run helper programs as the user domain
|
|
#corecmd_bin_domtrans(admin_crontab_t, $2)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3.10.0/policy/modules/services/cron.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace 2011-11-02 16:21:00.542481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-11-02 16:21:01.415395000 -0400
|
|
@@ -350,7 +350,6 @@ optional_policy(`
|
|
#
|
|
|
|
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
|
|
-dontaudit system_cronjob_t self:capability sys_ptrace;
|
|
|
|
allow system_cronjob_t self:process { signal_perms getsched setsched };
|
|
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-11-02 16:20:57.515739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-11-02 16:21:01.419395000 -0400
|
|
@@ -236,8 +236,11 @@ interface(`ctdbd_admin',`
|
|
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
|
|
')
|
|
|
|
- allow $1 ctdbd_t:process { ptrace signal_perms };
|
|
+ allow $1 ctdbd_t:process signal_perms;
|
|
ps_process_pattern($1, ctdbd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ctdbd_t:process ptrace;
|
|
+ ')
|
|
|
|
ctdbd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-11-02 16:20:57.517739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-11-02 16:21:01.425395000 -0400
|
|
@@ -33,7 +33,7 @@ files_pid_file(ctdbd_var_run_t)
|
|
# ctdbd local policy
|
|
#
|
|
|
|
-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace };
|
|
+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
|
|
allow ctdbd_t self:process { setpgid signal_perms setsched };
|
|
|
|
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-11-02 16:20:57.529739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-11-02 16:21:01.432395000 -0400
|
|
@@ -327,9 +327,13 @@ interface(`cups_admin',`
|
|
type ptal_var_run_t;
|
|
')
|
|
|
|
- allow $1 cupsd_t:process { ptrace signal_perms };
|
|
+ allow $1 cupsd_t:process signal_perms;
|
|
ps_process_pattern($1, cupsd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cupsd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 cupsd_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-11-02 16:20:57.544739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-11-02 16:21:01.438395000 -0400
|
|
@@ -80,9 +80,13 @@ interface(`cvs_admin',`
|
|
type cvs_data_t, cvs_var_run_t;
|
|
')
|
|
|
|
- allow $1 cvs_t:process { ptrace signal_perms };
|
|
+ allow $1 cvs_t:process signal_perms;
|
|
ps_process_pattern($1, cvs_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cvs_t:process ptrace;
|
|
+ ')
|
|
+
|
|
# Allow cvs_t to restart the apache service
|
|
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-11-02 16:21:01.454394000 -0400
|
|
@@ -62,9 +62,13 @@ interface(`cyrus_admin',`
|
|
type cyrus_var_run_t, cyrus_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 cyrus_t:process { ptrace signal_perms };
|
|
+ allow $1 cyrus_t:process signal_perms;
|
|
ps_process_pattern($1, cyrus_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cyrus_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 cyrus_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-11-02 16:20:57.592742000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-11-02 16:21:01.462395000 -0400
|
|
@@ -71,7 +71,11 @@ template(`dbus_role_template',`
|
|
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
|
|
|
|
ps_process_pattern($3, $1_dbusd_t)
|
|
- allow $3 $1_dbusd_t:process { ptrace signal_perms };
|
|
+ allow $3 $1_dbusd_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $3 $1_dbusd_t:process ptrace;
|
|
+ ')
|
|
|
|
# cjp: this seems very broken
|
|
corecmd_bin_domtrans($1_dbusd_t, $1_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-11-02 16:20:57.622740000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-11-02 16:21:01.468398000 -0400
|
|
@@ -68,9 +68,13 @@ interface(`ddclient_admin',`
|
|
type ddclient_var_run_t;
|
|
')
|
|
|
|
- allow $1 ddclient_t:process { ptrace signal_perms };
|
|
+ allow $1 ddclient_t:process signal_perms;
|
|
ps_process_pattern($1, ddclient_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ddclient_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 ddclient_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-11-02 16:20:57.634739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-11-02 16:21:01.474398000 -0400
|
|
@@ -67,9 +67,13 @@ interface(`denyhosts_admin',`
|
|
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 denyhosts_t:process { ptrace signal_perms };
|
|
+ allow $1 denyhosts_t:process signal_perms;
|
|
ps_process_pattern($1, denyhosts_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 denyhosts_t:process ptrace;
|
|
+ ')
|
|
+
|
|
denyhosts_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 denyhosts_initrc_exec_t system_r;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-11-02 16:20:57.652740000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-11-02 16:21:01.480401000 -0400
|
|
@@ -308,13 +308,18 @@ interface(`devicekit_admin',`
|
|
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
|
|
')
|
|
|
|
- allow $1 devicekit_t:process { ptrace signal_perms };
|
|
+ allow $1 devicekit_t:process signal_perms;
|
|
ps_process_pattern($1, devicekit_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 devicekit_t:process ptrace;
|
|
+ allow $1 devicekit_disk_t:process ptrace;
|
|
+ allow $1 devicekit_power_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 devicekit_disk_t:process { ptrace signal_perms };
|
|
+ allow $1 devicekit_disk_t:process signal_perms;
|
|
ps_process_pattern($1, devicekit_disk_t)
|
|
|
|
- allow $1 devicekit_power_t:process { ptrace signal_perms };
|
|
+ allow $1 devicekit_power_t:process signal_perms;
|
|
ps_process_pattern($1, devicekit_power_t)
|
|
|
|
admin_pattern($1, devicekit_tmp_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-11-02 16:20:57.659742000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-11-02 16:21:01.488407000 -0400
|
|
@@ -65,7 +65,8 @@ optional_policy(`
|
|
# DeviceKit disk local policy
|
|
#
|
|
|
|
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
|
|
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
|
|
+
|
|
allow devicekit_disk_t self:process { getsched signal_perms };
|
|
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
|
|
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
@@ -199,7 +200,7 @@ optional_policy(`
|
|
# DeviceKit-Power local policy
|
|
#
|
|
|
|
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
|
|
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
|
|
allow devicekit_power_t self:process { getsched signal_perms };
|
|
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
|
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-11-02 16:20:57.678739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-11-02 16:21:01.495395000 -0400
|
|
@@ -105,8 +105,11 @@ interface(`dhcpd_admin',`
|
|
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 dhcpd_t:process { ptrace signal_perms };
|
|
+ allow $1 dhcpd_t:process signal_perms;
|
|
ps_process_pattern($1, dhcpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dhcpd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-11-02 16:21:01.501401000 -0400
|
|
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
|
|
type dictd_var_run_t, dictd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 dictd_t:process { ptrace signal_perms };
|
|
+ allow $1 dictd_t:process signal_perms;
|
|
ps_process_pattern($1, dictd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dictd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-11-02 16:20:57.727739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-11-02 16:21:01.509395000 -0400
|
|
@@ -298,8 +298,11 @@ interface(`dnsmasq_admin',`
|
|
type dnsmasq_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 dnsmasq_t:process { ptrace signal_perms };
|
|
+ allow $1 dnsmasq_t:process signal_perms;
|
|
ps_process_pattern($1, dnsmasq_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dnsmasq_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-11-02 16:20:57.746743000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-11-02 16:21:01.515395000 -0400
|
|
@@ -119,8 +119,11 @@ interface(`dovecot_admin',`
|
|
type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 dovecot_t:process { ptrace signal_perms };
|
|
+ allow $1 dovecot_t:process signal_perms;
|
|
ps_process_pattern($1, dovecot_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dovecot_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-11-02 16:20:57.757744000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-11-02 16:21:01.519398000 -0400
|
|
@@ -120,8 +120,11 @@ interface(`drbd_admin',`
|
|
type drbd_var_lib_t;
|
|
')
|
|
|
|
- allow $1 drbd_t:process { ptrace signal_perms };
|
|
+ allow $1 drbd_t:process signal_perms;
|
|
ps_process_pattern($1, drbd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 drbd_t:process ptrace;
|
|
+ ')
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, drbd_var_lib_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-11-02 16:20:57.776739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-11-02 16:21:01.525395000 -0400
|
|
@@ -244,8 +244,11 @@ interface(`dspam_admin',`
|
|
type dspam_var_run_t;
|
|
')
|
|
|
|
- allow $1 dspam_t:process { ptrace signal_perms };
|
|
+ allow $1 dspam_t:process signal_perms;
|
|
ps_process_pattern($1, dspam_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dspam_t:process ptrace;
|
|
+ ')
|
|
|
|
dspam_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-11-02 16:20:57.789739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-11-02 16:21:01.532395000 -0400
|
|
@@ -260,8 +260,11 @@ interface(`exim_admin',`
|
|
type exim_tmp_t, exim_spool_t, exim_var_run_t;
|
|
')
|
|
|
|
- allow $1 exim_t:process { ptrace signal_perms };
|
|
+ allow $1 exim_t:process signal_perms;
|
|
ps_process_pattern($1, exim_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 exim_t:process ptrace;
|
|
+ ')
|
|
|
|
exim_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-11-02 16:20:57.806739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-11-02 16:21:01.538401000 -0400
|
|
@@ -199,8 +199,11 @@ interface(`fail2ban_admin',`
|
|
type fail2ban_client_t;
|
|
')
|
|
|
|
- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
|
|
+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
|
|
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-11-02 16:20:57.816744000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-11-02 16:21:01.545398000 -0400
|
|
@@ -81,8 +81,11 @@ interface(`fcoemon_admin',`
|
|
type fcoemon_var_run_t;
|
|
')
|
|
|
|
- allow $1 fcoemon_t:process { ptrace signal_perms };
|
|
+ allow $1 fcoemon_t:process signal_perms;
|
|
ps_process_pattern($1, fcoemon_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 fcoemon_t:process ptrace;
|
|
+ ')
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, fcoemon_var_run_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-11-02 16:20:57.828739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-11-02 16:21:01.551398000 -0400
|
|
@@ -18,8 +18,11 @@ interface(`fetchmail_admin',`
|
|
type fetchmail_var_run_t;
|
|
')
|
|
|
|
- allow $1 fetchmail_t:process { ptrace signal_perms };
|
|
+ allow $1 fetchmail_t:process signal_perms;
|
|
ps_process_pattern($1, fetchmail_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 fetchmail_t:process ptrace;
|
|
+ ')
|
|
|
|
files_list_etc($1)
|
|
admin_pattern($1, fetchmail_etc_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-11-02 16:20:57.844739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-11-02 16:21:01.556407000 -0400
|
|
@@ -62,8 +62,11 @@ interface(`firewalld_admin',`
|
|
type firewalld_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 firewalld_t:process { ptrace signal_perms };
|
|
+ allow $1 firewalld_t:process signal_perms;
|
|
ps_process_pattern($1, firewalld_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 firewalld_t:process ptrace;
|
|
+ ')
|
|
|
|
firewalld_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-11-02 16:20:57.856741000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-11-02 16:21:01.562407000 -0400
|
|
@@ -17,7 +17,8 @@ files_type(fprintd_var_lib_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow fprintd_t self:capability { sys_nice sys_ptrace };
|
|
+allow fprintd_t self:capability sys_nice;
|
|
+
|
|
allow fprintd_t self:fifo_file rw_fifo_file_perms;
|
|
allow fprintd_t self:process { getsched setsched signal };
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-11-02 16:20:57.879739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-11-02 16:21:01.569395000 -0400
|
|
@@ -237,8 +237,11 @@ interface(`ftp_admin',`
|
|
type ftpd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ftpd_t:process { ptrace signal_perms };
|
|
+ allow $1 ftpd_t:process signal_perms;
|
|
ps_process_pattern($1, ftpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ftpd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-11-02 16:20:57.903739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-11-02 16:21:01.577395000 -0400
|
|
@@ -42,8 +42,11 @@ interface(`git_session_role',`
|
|
|
|
domtrans_pattern($2, gitd_exec_t, git_session_t)
|
|
|
|
- allow $2 git_session_t:process { ptrace signal_perms };
|
|
+ allow $2 git_session_t:process signal_perms;
|
|
ps_process_pattern($2, git_session_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 git_session_t:process ptrace;
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-11-02 16:20:57.914739000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-11-02 16:21:01.582398000 -0400
|
|
@@ -245,10 +245,14 @@ interface(`glance_admin',`
|
|
type glance_api_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 glance_registry_t:process { ptrace signal_perms };
|
|
+ allow $1 glance_registry_t:process signal_perms;
|
|
ps_process_pattern($1, glance_registry_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 glance_registry_t:process ptrace;
|
|
+ allow $1 glance_api_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 glance_api_t:process { ptrace signal_perms };
|
|
+ allow $1 glance_api_t:process signal_perms;
|
|
ps_process_pattern($1, glance_api_t)
|
|
|
|
init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-11-02 16:20:57.931742000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-11-02 16:21:01.589396000 -0400
|
|
@@ -14,7 +14,7 @@ dbus_system_domain(gnomeclock_t, gnomecl
|
|
# gnomeclock local policy
|
|
#
|
|
|
|
-allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
|
|
+allow gnomeclock_t self:capability { sys_nice sys_time };
|
|
allow gnomeclock_t self:process { getattr getsched signal };
|
|
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
|
|
allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/gpsd.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace 2011-11-02 16:20:57.947742000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/gpsd.te 2011-11-02 16:21:01.595395000 -0400
|
|
@@ -25,7 +25,7 @@ files_pid_file(gpsd_var_run_t)
|
|
#
|
|
|
|
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
|
|
-dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace };
|
|
+dontaudit gpsd_t self:capability { dac_read_search dac_override };
|
|
allow gpsd_t self:process { setsched signal_perms };
|
|
allow gpsd_t self:shm create_shm_perms;
|
|
allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-11-02 16:21:00.551481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-11-02 16:21:01.603404000 -0400
|
|
@@ -222,14 +222,21 @@ interface(`hadoop_role',`
|
|
hadoop_domtrans($2)
|
|
role $1 types hadoop_t;
|
|
|
|
- allow $2 hadoop_t:process { ptrace signal_perms };
|
|
+ allow $2 hadoop_t:process signal_perms;
|
|
ps_process_pattern($2, hadoop_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 hadoop_t:process ptrace;
|
|
+ ')
|
|
|
|
hadoop_domtrans_zookeeper_client($2)
|
|
role $1 types zookeeper_t;
|
|
|
|
- allow $2 zookeeper_t:process { ptrace signal_perms };
|
|
+ allow $2 zookeeper_t:process signal_perms;
|
|
ps_process_pattern($2, zookeeper_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 zookeeper_t:process ptrace;
|
|
+ ')
|
|
+
|
|
')
|
|
|
|
########################################
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-11-02 16:20:57.980718000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-11-02 16:21:01.612397000 -0400
|
|
@@ -70,7 +70,9 @@ interface(`hal_ptrace',`
|
|
type hald_t;
|
|
')
|
|
|
|
- allow $1 hald_t:process ptrace;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 hald_t:process ptrace;
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.10.0/policy/modules/services/hal.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace 2011-11-02 16:20:57.988710000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/hal.te 2011-11-02 16:21:01.619399000 -0400
|
|
@@ -64,7 +64,7 @@ typealias hald_var_run_t alias pmtools_v
|
|
|
|
# execute openvt which needs setuid
|
|
allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
|
|
-dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
|
|
+dontaudit hald_t self:capability sys_tty_config;
|
|
allow hald_t self:process { getsched getattr signal_perms };
|
|
allow hald_t self:fifo_file rw_fifo_file_perms;
|
|
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-11-02 16:20:57.994704000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-11-02 16:21:01.626395000 -0400
|
|
@@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
|
|
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 hddtemp_t:process { ptrace signal_perms };
|
|
+ allow $1 hddtemp_t:process signal_perms;
|
|
ps_process_pattern($1, hddtemp_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 hddtemp_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-11-02 16:20:58.005694000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-11-02 16:21:01.632396000 -0400
|
|
@@ -173,8 +173,11 @@ interface(`icecast_admin',`
|
|
type icecast_t, icecast_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 icecast_t:process { ptrace signal_perms };
|
|
+ allow $1 icecast_t:process signal_perms;
|
|
ps_process_pattern($1, icecast_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 icecast_t:process ptrace;
|
|
+ ')
|
|
|
|
# Allow icecast_t to restart the apache service
|
|
icecast_initrc_domtrans($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-11-02 16:20:58.016684000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-11-02 16:21:01.639397000 -0400
|
|
@@ -117,7 +117,7 @@ interface(`ifplugd_admin',`
|
|
type ifplugd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ifplugd_t:process { ptrace signal_perms };
|
|
+ allow $1 ifplugd_t:process signal_perms;
|
|
ps_process_pattern($1, ifplugd_t)
|
|
|
|
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace 2011-11-02 16:20:58.021679000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te 2011-11-02 16:21:01.645395000 -0400
|
|
@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t)
|
|
#
|
|
|
|
allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
|
|
-dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
|
|
+dontaudit ifplugd_t self:capability sys_tty_config;
|
|
allow ifplugd_t self:process { signal signull };
|
|
allow ifplugd_t self:fifo_file rw_fifo_file_perms;
|
|
allow ifplugd_t self:tcp_socket create_stream_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-11-02 16:20:58.045653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-11-02 16:21:01.653395000 -0400
|
|
@@ -202,8 +202,11 @@ interface(`inn_admin',`
|
|
type innd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 innd_t:process { ptrace signal_perms };
|
|
+ allow $1 innd_t:process signal_perms;
|
|
ps_process_pattern($1, innd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 innd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, innd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-11-02 16:20:58.067653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-11-02 16:21:01.659399000 -0400
|
|
@@ -143,10 +143,14 @@ interface(`jabber_admin',`
|
|
type jabberd_initrc_exec_t, jabberd_router_t;
|
|
')
|
|
|
|
- allow $1 jabberd_t:process { ptrace signal_perms };
|
|
+ allow $1 jabberd_t:process signal_perms;
|
|
ps_process_pattern($1, jabberd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 jabberd_t:process ptrace;
|
|
+ allow $1 jabberd_router_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 jabberd_router_t:process { ptrace signal_perms };
|
|
+ allow $1 jabberd_router_t:process signal_perms;
|
|
ps_process_pattern($1, jabberd_router_t)
|
|
|
|
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-11-02 16:20:58.085653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-11-02 16:21:01.666395000 -0400
|
|
@@ -340,13 +340,18 @@ interface(`kerberos_admin',`
|
|
type krb5kdc_var_run_t, krb5_host_rcache_t;
|
|
')
|
|
|
|
- allow $1 kadmind_t:process { ptrace signal_perms };
|
|
+ allow $1 kadmind_t:process signal_perms;
|
|
ps_process_pattern($1, kadmind_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kadmind_t:process ptrace;
|
|
+ allow $1 krb5kdc_t:process ptrace;
|
|
+ allow $1 kpropd_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 krb5kdc_t:process { ptrace signal_perms };
|
|
+ allow $1 krb5kdc_t:process signal_perms;
|
|
ps_process_pattern($1, krb5kdc_t)
|
|
|
|
- allow $1 kpropd_t:process { ptrace signal_perms };
|
|
+ allow $1 kpropd_t:process signal_perms;
|
|
ps_process_pattern($1, kpropd_t)
|
|
|
|
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-11-02 16:20:58.098653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-11-02 16:21:01.672398000 -0400
|
|
@@ -101,8 +101,11 @@ interface(`kerneloops_admin',`
|
|
type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
|
|
')
|
|
|
|
- allow $1 kerneloops_t:process { ptrace signal_perms };
|
|
+ allow $1 kerneloops_t:process signal_perms;
|
|
ps_process_pattern($1, kerneloops_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kerneloops_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-11-02 16:20:58.114656000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-11-02 16:21:01.678398000 -0400
|
|
@@ -58,8 +58,11 @@ interface(`ksmtuned_admin',`
|
|
type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ksmtuned_t:process { ptrace signal_perms };
|
|
+ allow $1 ksmtuned_t:process signal_perms;
|
|
ps_process_pattern($1, ksmtuned_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ksmtuned_t:process ptrace;
|
|
+ ')
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, ksmtuned_var_run_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-11-02 16:20:58.119656000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-11-02 16:21:01.684398000 -0400
|
|
@@ -23,7 +23,7 @@ files_pid_file(ksmtuned_var_run_t)
|
|
# ksmtuned local policy
|
|
#
|
|
|
|
-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
|
|
+allow ksmtuned_t self:capability sys_tty_config;
|
|
allow ksmtuned_t self:fifo_file rw_file_perms;
|
|
|
|
manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-11-02 16:20:58.130653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-11-02 16:21:01.690398000 -0400
|
|
@@ -101,8 +101,11 @@ interface(`l2tpd_admin',`
|
|
type l2tpd_var_run_t;
|
|
')
|
|
|
|
- allow $1 l2tpd_t:process { ptrace signal_perms };
|
|
+ allow $1 l2tpd_t:process signal_perms;
|
|
ps_process_pattern($1, l2tpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 l2tpd_t:process ptrace;
|
|
+ ')
|
|
|
|
l2tpd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-11-02 16:20:58.152655000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-11-02 16:21:01.697394000 -0400
|
|
@@ -174,8 +174,11 @@ interface(`ldap_admin',`
|
|
type slapd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 slapd_t:process { ptrace signal_perms };
|
|
+ allow $1 slapd_t:process signal_perms;
|
|
ps_process_pattern($1, slapd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 slapd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-11-02 16:21:01.703395000 -0400
|
|
@@ -80,8 +80,11 @@ interface(`lircd_admin',`
|
|
type lircd_initrc_exec_t, lircd_etc_t;
|
|
')
|
|
|
|
- allow $1 lircd_t:process { ptrace signal_perms };
|
|
+ allow $1 lircd_t:process signal_perms;
|
|
ps_process_pattern($1, lircd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 lircd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-11-02 16:20:58.186653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-11-02 16:21:01.709395000 -0400
|
|
@@ -180,8 +180,11 @@ interface(`lldpad_admin',`
|
|
type lldpad_var_run_t;
|
|
')
|
|
|
|
- allow $1 lldpad_t:process { ptrace signal_perms };
|
|
+ allow $1 lldpad_t:process signal_perms;
|
|
ps_process_pattern($1, lldpad_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 lldpad_t:process ptrace;
|
|
+ ')
|
|
|
|
lldpad_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-11-02 16:20:58.193653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-11-02 16:21:01.715398000 -0400
|
|
@@ -28,7 +28,10 @@ interface(`lpd_role',`
|
|
dontaudit lpr_t $2:unix_stream_socket { read write };
|
|
|
|
ps_process_pattern($2, lpr_t)
|
|
- allow $2 lpr_t:process { ptrace signal_perms };
|
|
+ allow $2 lpr_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 lpr_t:process ptrace;
|
|
+ ')
|
|
|
|
optional_policy(`
|
|
cups_read_config($2)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-11-02 16:20:58.222653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-11-02 16:21:01.721395000 -0400
|
|
@@ -47,8 +47,11 @@ interface(`mailscanner_admin',`
|
|
role_transition $2 mscan_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- allow $1 mscan_t:process { ptrace signal_perms };
|
|
+ allow $1 mscan_t:process signal_perms;
|
|
ps_process_pattern($1, mscan_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mscan_t:process ptrace;
|
|
+ ')
|
|
|
|
admin_pattern($1, mscan_etc_t)
|
|
files_list_etc($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.if
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-11-02 16:20:58.231654000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-11-02 16:21:01.734398000 -0400
|
|
@@ -25,9 +25,6 @@ files_pid_file(matahari_var_run_t)
|
|
#
|
|
# matahari_hostd local policy
|
|
#
|
|
-
|
|
-allow matahari_hostd_t self:capability sys_ptrace;
|
|
-
|
|
kernel_read_network_state(matahari_hostd_t)
|
|
|
|
dev_read_sysfs(matahari_hostd_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-11-02 16:20:58.241656000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-11-02 16:21:01.741404000 -0400
|
|
@@ -59,8 +59,11 @@ interface(`memcached_admin',`
|
|
type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
|
|
')
|
|
|
|
- allow $1 memcached_t:process { ptrace signal_perms };
|
|
+ allow $1 memcached_t:process signal_perms;
|
|
ps_process_pattern($1, memcached_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 memcached_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, memcached_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-11-02 16:20:58.277653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-11-02 16:21:01.747395000 -0400
|
|
@@ -245,7 +245,10 @@ interface(`mock_role',`
|
|
mock_run($2, $1)
|
|
|
|
ps_process_pattern($2, mock_t)
|
|
- allow $2 mock_t:process { ptrace signal_perms };
|
|
+ allow $2 mock_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 mock_t:process ptrace;
|
|
+ ')
|
|
')
|
|
|
|
#######################################
|
|
@@ -289,10 +292,14 @@ interface(`mock_admin',`
|
|
type mock_build_t, mock_etc_t, mock_tmp_t;
|
|
')
|
|
|
|
- allow $1 mock_t:process { ptrace signal_perms };
|
|
+ allow $1 mock_t:process signal_perms;
|
|
ps_process_pattern($1, mock_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mock_t:process ptrace;
|
|
+ allow $1 mock_build_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 mock_build_t:process { ptrace signal_perms };
|
|
+ allow $1 mock_build_t:process signal_perms;
|
|
ps_process_pattern($1, mock_build_t)
|
|
|
|
files_list_var_lib($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-11-02 16:20:58.280653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-11-02 16:21:01.753397000 -0400
|
|
@@ -41,7 +41,7 @@ files_config_file(mock_etc_t)
|
|
# mock local policy
|
|
#
|
|
|
|
-allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
|
|
+allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
|
|
allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
|
|
# Needed because mock can run java and mono withing build environment
|
|
allow mock_t self:process { execmem execstack };
|
|
@@ -164,7 +164,7 @@ optional_policy(`
|
|
#
|
|
# mock_build local policy
|
|
#
|
|
-allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
|
|
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
|
|
dontaudit mock_build_t self:capability audit_write;
|
|
allow mock_build_t self:process { fork setsched setpgid signal_perms };
|
|
allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-11-02 16:20:58.295655000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-11-02 16:21:01.759415000 -0400
|
|
@@ -24,8 +24,11 @@ interface(`mojomojo_admin',`
|
|
type httpd_mojomojo_script_exec_t;
|
|
')
|
|
|
|
- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
|
|
+ allow $1 httpd_mojomojo_script_t:process signal_perms;
|
|
ps_process_pattern($1, httpd_mojomojo_script_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 httpd_mojomo_script_t:process ptrace;
|
|
+ ')
|
|
|
|
files_list_tmp($1)
|
|
admin_pattern($1, httpd_mojomojo_tmp_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-11-02 16:21:01.766396000 -0400
|
|
@@ -244,8 +244,11 @@ interface(`mpd_admin',`
|
|
type mpd_tmpfs_t;
|
|
')
|
|
|
|
- allow $1 mpd_t:process { ptrace signal_perms };
|
|
+ allow $1 mpd_t:process signal_perms;
|
|
ps_process_pattern($1, mpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mpd_t:process ptrace;
|
|
+ ')
|
|
|
|
mpd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-11-02 16:20:58.340653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-11-02 16:21:01.773395000 -0400
|
|
@@ -183,8 +183,11 @@ interface(`munin_admin',`
|
|
type httpd_munin_content_t, munin_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 munin_t:process { ptrace signal_perms };
|
|
+ allow $1 munin_t:process signal_perms;
|
|
ps_process_pattern($1, munin_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 munin_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, munin_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-11-02 16:20:58.353653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-11-02 16:21:01.780396000 -0400
|
|
@@ -389,8 +389,11 @@ interface(`mysql_admin',`
|
|
type mysqld_etc_t;
|
|
')
|
|
|
|
- allow $1 mysqld_t:process { ptrace signal_perms };
|
|
+ allow $1 mysqld_t:process signal_perms;
|
|
ps_process_pattern($1, mysqld_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mysqld_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace 2011-11-02 16:20:58.360653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/mysql.te 2011-11-02 16:21:01.787395000 -0400
|
|
@@ -158,7 +158,6 @@ optional_policy(`
|
|
#
|
|
|
|
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
|
|
-dontaudit mysqld_safe_t self:capability sys_ptrace;
|
|
allow mysqld_safe_t self:process { setsched getsched setrlimit };
|
|
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-11-02 16:20:58.372653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-11-02 16:21:01.794395000 -0400
|
|
@@ -225,8 +225,11 @@ interface(`nagios_admin',`
|
|
type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
|
|
')
|
|
|
|
- allow $1 nagios_t:process { ptrace signal_perms };
|
|
+ allow $1 nagios_t:process signal_perms;
|
|
ps_process_pattern($1, nagios_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 nagios_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-11-02 16:20:58.412654000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-11-02 16:21:01.802395000 -0400
|
|
@@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex
|
|
|
|
# networkmanager will ptrace itself if gdb is installed
|
|
# and it receives a unexpected signal (rh bug #204161)
|
|
-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
|
|
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
|
|
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
|
|
+dontaudit NetworkManager_t self:capability sys_tty_config;
|
|
ifdef(`hide_broken_symptoms',`
|
|
# caused by some bogus kernel code
|
|
dontaudit NetworkManager_t self:capability sys_module;
|
|
')
|
|
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
|
|
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow NetworkManager_t self:process ptrace;
|
|
+')
|
|
+
|
|
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
|
|
allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
|
|
allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-11-02 16:20:58.424653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-11-02 16:21:01.809419000 -0400
|
|
@@ -390,16 +390,22 @@ interface(`nis_admin',`
|
|
type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
|
|
')
|
|
|
|
- allow $1 ypbind_t:process { ptrace signal_perms };
|
|
+ allow $1 ypbind_t:process signal_perms;
|
|
ps_process_pattern($1, ypbind_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ypbind_t:process ptrace;
|
|
+ allow $1 yppasswdd_t:process ptrace;
|
|
+ allow $1 ypserv_t:process ptrace;
|
|
+ allow $1 ypxfr_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 yppasswdd_t:process { ptrace signal_perms };
|
|
+ allow $1 yppasswdd_t:process signal_perms;
|
|
ps_process_pattern($1, yppasswdd_t)
|
|
|
|
- allow $1 ypserv_t:process { ptrace signal_perms };
|
|
+ allow $1 ypserv_t:process signal_perms;
|
|
ps_process_pattern($1, ypserv_t)
|
|
|
|
- allow $1 ypxfr_t:process { ptrace signal_perms };
|
|
+ allow $1 ypxfr_t:process signal_perms;
|
|
ps_process_pattern($1, ypxfr_t)
|
|
|
|
nis_initrc_domtrans($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-11-02 16:20:58.444653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-11-02 16:21:01.818395000 -0400
|
|
@@ -321,8 +321,11 @@ interface(`nscd_admin',`
|
|
type nscd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 nscd_t:process { ptrace signal_perms };
|
|
+ allow $1 nscd_t:process signal_perms;
|
|
ps_process_pattern($1, nscd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 nscd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-11-02 16:20:58.450653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-11-02 16:21:01.824397000 -0400
|
|
@@ -40,7 +40,7 @@ logging_log_file(nscd_log_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow nscd_t self:capability { kill setgid setuid sys_ptrace };
|
|
+allow nscd_t self:capability { kill setgid setuid };
|
|
dontaudit nscd_t self:capability sys_tty_config;
|
|
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
|
|
allow nscd_t self:fifo_file read_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-11-02 16:20:58.456653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-11-02 16:21:01.830405000 -0400
|
|
@@ -98,7 +98,10 @@ interface(`nslcd_admin',`
|
|
')
|
|
|
|
ps_process_pattern($1, nslcd_t)
|
|
- allow $1 nslcd_t:process { ptrace signal_perms };
|
|
+ allow $1 nslcd_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 nslcd_t:process ptrace;
|
|
+ ')
|
|
|
|
# Allow nslcd_t to restart the apache service
|
|
nslcd_initrc_domtrans($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-11-02 16:20:58.478653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-11-02 16:21:01.837400000 -0400
|
|
@@ -204,8 +204,11 @@ interface(`ntp_admin',`
|
|
type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ntpd_t:process { ptrace signal_perms };
|
|
+ allow $1 ntpd_t:process signal_perms;
|
|
ps_process_pattern($1, ntpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ntpd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-11-02 16:20:58.530653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-11-02 16:21:01.843398000 -0400
|
|
@@ -89,8 +89,11 @@ interface(`oident_admin',`
|
|
type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
|
|
')
|
|
|
|
- allow $1 oidentd_t:process { ptrace signal_perms };
|
|
+ allow $1 oidentd_t:process signal_perms;
|
|
ps_process_pattern($1, oidentd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 oidentd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-11-02 16:21:01.849397000 -0400
|
|
@@ -144,8 +144,11 @@ interface(`openvpn_admin',`
|
|
type openvpn_var_run_t, openvpn_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 openvpn_t:process { ptrace signal_perms };
|
|
+ allow $1 openvpn_t:process signal_perms;
|
|
ps_process_pattern($1, openvpn_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 openvpn_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-11-02 16:20:58.557653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-11-02 16:21:01.854402000 -0400
|
|
@@ -31,8 +31,11 @@ interface(`pads_admin',`
|
|
type pads_var_run_t;
|
|
')
|
|
|
|
- allow $1 pads_t:process { ptrace signal_perms };
|
|
+ allow $1 pads_t:process signal_perms;
|
|
ps_process_pattern($1, pads_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 pads_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, pads_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-11-02 16:20:58.590653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-11-02 16:21:01.866400000 -0400
|
|
@@ -80,8 +80,11 @@ interface(`pingd_admin',`
|
|
type pingd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 pingd_t:process { ptrace signal_perms };
|
|
+ allow $1 pingd_t:process signal_perms;
|
|
ps_process_pattern($1, pingd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 pingd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-11-02 16:20:58.613653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-11-02 16:21:01.873398000 -0400
|
|
@@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t)
|
|
#
|
|
|
|
allow piranha_web_t self:capability { setuid sys_nice kill setgid };
|
|
-allow piranha_web_t self:process { getsched setsched signal signull ptrace };
|
|
+allow piranha_web_t self:process { getsched setsched signal signull };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow piranha_web_t self:process ptrace;
|
|
+')
|
|
+
|
|
allow piranha_web_t self:rawip_socket create_socket_perms;
|
|
allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow piranha_web_t self:sem create_sem_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-11-02 16:20:58.623655000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-11-02 16:21:01.880395000 -0400
|
|
@@ -291,8 +291,11 @@ interface(`plymouthd_admin',`
|
|
type plymouthd_var_run_t;
|
|
')
|
|
|
|
- allow $1 plymouthd_t:process { ptrace signal_perms };
|
|
+ allow $1 plymouthd_t:process signal_perms;
|
|
ps_process_pattern($1, plymouthd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 plymouthd_t:process ptrace;
|
|
+ ')
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, plymouthd_spool_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-11-02 16:20:58.650654000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-11-02 16:21:01.887399000 -0400
|
|
@@ -38,7 +38,7 @@ files_pid_file(policykit_var_run_t)
|
|
# policykit local policy
|
|
#
|
|
|
|
-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
|
|
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
|
|
allow policykit_t self:process { getsched getattr signal };
|
|
allow policykit_t self:fifo_file rw_fifo_file_perms;
|
|
allow policykit_t self:unix_dgram_socket create_socket_perms;
|
|
@@ -235,7 +235,7 @@ optional_policy(`
|
|
# polkit_resolve local policy
|
|
#
|
|
|
|
-allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
|
|
+allow policykit_resolve_t self:capability { setuid sys_nice };
|
|
allow policykit_resolve_t self:process getattr;
|
|
allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-11-02 16:20:58.658653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-11-02 16:21:01.893399000 -0400
|
|
@@ -32,8 +32,11 @@ template(`polipo_role',`
|
|
# Policy
|
|
#
|
|
|
|
- allow $2 polipo_session_t:process { ptrace signal_perms };
|
|
+ allow $2 polipo_session_t:process signal_perms;
|
|
ps_process_pattern($2, polipo_session_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 polipo_session_t:process ptrace;
|
|
+ ')
|
|
|
|
tunable_policy(`polipo_session_users',`
|
|
domtrans_pattern($2, polipo_exec_t, polipo_session_t)
|
|
@@ -163,8 +166,11 @@ interface(`polipo_admin',`
|
|
type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 polipo_t:process { ptrace signal_perms };
|
|
+ allow $1 polipo_t:process signal_perms;
|
|
ps_process_pattern($1, polipo_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 polipo_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, polipo_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-11-02 16:21:01.900395000 -0400
|
|
@@ -104,8 +104,11 @@ interface(`portreserve_admin',`
|
|
type portreserve_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 portreserve_t:process { ptrace signal_perms };
|
|
+ allow $1 portreserve_t:process signal_perms;
|
|
ps_process_pattern($1, portreserve_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 portreserve_t:process ptrace;
|
|
+ ')
|
|
|
|
portreserve_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-11-02 16:20:58.698653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-11-02 16:21:01.909402000 -0400
|
|
@@ -729,25 +729,36 @@ interface(`postfix_admin',`
|
|
type postfix_smtpd_t, postfix_var_run_t;
|
|
')
|
|
|
|
- allow $1 postfix_bounce_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_bounce_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_bounce_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postfix_bounce_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 postfix_cleanup_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_cleanup_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_cleanup_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postfix_cleanup_t:process ptrace;
|
|
+ allow $1 postfix_local_t:process ptrace;
|
|
+ allow $1 postfix_master_t:process ptrace;
|
|
+ allow $1 postfix_pickup_t:process ptrace;
|
|
+ allow $1 postfix_qmgr_t:process ptrace;
|
|
+ allow $1 postfix_smtpd_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 postfix_local_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_local_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_local_t)
|
|
|
|
- allow $1 postfix_master_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_master_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_master_t)
|
|
|
|
- allow $1 postfix_pickup_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_pickup_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_pickup_t)
|
|
|
|
- allow $1 postfix_qmgr_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_qmgr_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_qmgr_t)
|
|
|
|
- allow $1 postfix_smtpd_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_smtpd_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_smtpd_t)
|
|
|
|
postfix_run_map($1, $2)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-11-02 16:20:58.714657000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-11-02 16:21:01.916399000 -0400
|
|
@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
|
|
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 postfix_policyd_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_policyd_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_policyd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postfix_policyd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-11-02 16:20:58.740653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-11-02 16:21:01.925395000 -0400
|
|
@@ -541,8 +541,11 @@ interface(`postgresql_admin',`
|
|
|
|
typeattribute $1 sepgsql_admin_type;
|
|
|
|
- allow $1 postgresql_t:process { ptrace signal_perms };
|
|
+ allow $1 postgresql_t:process signal_perms;
|
|
ps_process_pattern($1, postgresql_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postgresql_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-11-02 16:20:58.758656000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-11-02 16:21:01.931402000 -0400
|
|
@@ -62,8 +62,11 @@ interface(`postgrey_admin',`
|
|
type postgrey_var_lib_t, postgrey_var_run_t;
|
|
')
|
|
|
|
- allow $1 postgrey_t:process { ptrace signal_perms };
|
|
+ allow $1 postgrey_t:process signal_perms;
|
|
ps_process_pattern($1, postgrey_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postgrey_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-11-02 16:20:58.775653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-11-02 16:21:01.939397000 -0400
|
|
@@ -386,10 +386,14 @@ interface(`ppp_admin',`
|
|
type pppd_initrc_exec_t, pppd_etc_rw_t;
|
|
')
|
|
|
|
- allow $1 pppd_t:process { ptrace signal_perms };
|
|
+ allow $1 pppd_t:process signal_perms;
|
|
ps_process_pattern($1, pppd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 pppd_t:process ptrace;
|
|
+ allow $1 pptp_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 pptp_t:process { ptrace signal_perms };
|
|
+ allow $1 pptp_t:process signal_perms;
|
|
ps_process_pattern($1, pptp_t)
|
|
|
|
ppp_initrc_domtrans($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-11-02 16:20:58.787654000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-11-02 16:21:01.945395000 -0400
|
|
@@ -118,13 +118,18 @@ interface(`prelude_admin',`
|
|
type prelude_lml_t;
|
|
')
|
|
|
|
- allow $1 prelude_t:process { ptrace signal_perms };
|
|
+ allow $1 prelude_t:process signal_perms;
|
|
ps_process_pattern($1, prelude_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 prelude_t:process ptrace;
|
|
+ allow $1 prelude_audisp_t:process ptrace;
|
|
+ allow $1 prelude_lml_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 prelude_audisp_t:process { ptrace signal_perms };
|
|
+ allow $1 prelude_audisp_t:process signal_perms;
|
|
ps_process_pattern($1, prelude_audisp_t)
|
|
|
|
- allow $1 prelude_lml_t:process { ptrace signal_perms };
|
|
+ allow $1 prelude_lml_t:process signal_perms;
|
|
ps_process_pattern($1, prelude_lml_t)
|
|
|
|
init_labeled_script_domtrans($1, prelude_initrc_exec_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-11-02 16:21:01.957399000 -0400
|
|
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
|
|
type privoxy_etc_rw_t, privoxy_var_run_t;
|
|
')
|
|
|
|
- allow $1 privoxy_t:process { ptrace signal_perms };
|
|
+ allow $1 privoxy_t:process signal_perms;
|
|
ps_process_pattern($1, privoxy_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 privoxy_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-11-02 16:20:58.823653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-11-02 16:21:01.964398000 -0400
|
|
@@ -295,8 +295,11 @@ interface(`psad_admin',`
|
|
type psad_tmp_t;
|
|
')
|
|
|
|
- allow $1 psad_t:process { ptrace signal_perms };
|
|
+ allow $1 psad_t:process signal_perms;
|
|
ps_process_pattern($1, psad_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 psad_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, psad_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-11-02 16:20:58.848653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-11-02 16:21:01.972388000 -0400
|
|
@@ -62,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t)
|
|
# Puppet personal policy
|
|
#
|
|
|
|
-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
|
|
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
|
|
allow puppet_t self:process { signal signull getsched setsched };
|
|
allow puppet_t self:fifo_file rw_fifo_file_perms;
|
|
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-11-02 16:20:58.873655000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-11-02 16:21:01.979381000 -0400
|
|
@@ -29,7 +29,10 @@ interface(`pyzor_role',`
|
|
|
|
# allow ps to show pyzor and allow the user to kill it
|
|
ps_process_pattern($2, pyzor_t)
|
|
- allow $2 pyzor_t:process { ptrace signal_perms };
|
|
+ allow $2 pyzor_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 pyzor_t:process ptrace;
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
@@ -113,8 +116,11 @@ interface(`pyzor_admin',`
|
|
type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 pyzord_t:process { ptrace signal_perms };
|
|
+ allow $1 pyzord_t:process signal_perms;
|
|
ps_process_pattern($1, pyzord_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 pyzord_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-11-02 16:20:58.913654000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-11-02 16:21:01.986372000 -0400
|
|
@@ -177,8 +177,11 @@ interface(`qpidd_admin',`
|
|
type qpidd_t, qpidd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 qpidd_t:process { ptrace signal_perms };
|
|
+ allow $1 qpidd_t:process signal_perms;
|
|
ps_process_pattern($1, qpidd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 qpidd_t:process ptrace;
|
|
+ ')
|
|
|
|
# Allow qpidd_t to restart the apache service
|
|
qpidd_initrc_domtrans($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-11-02 16:21:01.998370000 -0400
|
|
@@ -38,8 +38,11 @@ interface(`radius_admin',`
|
|
type radiusd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 radiusd_t:process { ptrace signal_perms };
|
|
+ allow $1 radiusd_t:process signal_perms;
|
|
ps_process_pattern($1, radiusd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 radiusd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-11-02 16:20:58.936656000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-11-02 16:21:02.004360000 -0400
|
|
@@ -23,8 +23,11 @@ interface(`radvd_admin',`
|
|
type radvd_var_run_t;
|
|
')
|
|
|
|
- allow $1 radvd_t:process { ptrace signal_perms };
|
|
+ allow $1 radvd_t:process signal_perms;
|
|
ps_process_pattern($1, radvd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 radvd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-11-02 16:20:58.947653000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-11-02 16:21:02.012351000 -0400
|
|
@@ -132,7 +132,10 @@ interface(`razor_role',`
|
|
|
|
# allow ps to show razor and allow the user to kill it
|
|
ps_process_pattern($2, razor_t)
|
|
- allow $2 razor_t:process { ptrace signal_perms };
|
|
+ allow $2 razor_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 razor_t:process ptrace;
|
|
+ ')
|
|
|
|
manage_dirs_pattern($2, razor_home_t, razor_home_t)
|
|
manage_files_pattern($2, razor_home_t, razor_home_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-11-02 16:20:58.975638000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-11-02 16:21:02.020342000 -0400
|
|
@@ -117,8 +117,11 @@ interface(`rgmanager_admin',`
|
|
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
|
|
')
|
|
|
|
- allow $1 rgmanager_t:process { ptrace signal_perms };
|
|
+ allow $1 rgmanager_t:process signal_perms;
|
|
ps_process_pattern($1, rgmanager_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rgmanager_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace 2011-11-02 16:20:58.981633000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te 2011-11-02 16:21:02.027333000 -0400
|
|
@@ -37,7 +37,6 @@ files_pid_file(rgmanager_var_run_t)
|
|
#
|
|
|
|
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
|
|
-dontaudit rgmanager_t self:capability { sys_ptrace };
|
|
allow rgmanager_t self:process { setsched signal };
|
|
dontaudit rgmanager_t self:process ptrace;
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-11-02 16:20:59.031583000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-11-02 16:21:02.033331000 -0400
|
|
@@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',`
|
|
type rhsmcertd_var_run_t;
|
|
')
|
|
|
|
- allow $1 rhsmcertd_t:process { ptrace signal_perms };
|
|
+ allow $1 rhsmcertd_t:process signal_perms;
|
|
ps_process_pattern($1, rhsmcertd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rhsmcertd_t:process ptrace;
|
|
+ ')
|
|
|
|
rhsmcertd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-11-02 16:20:59.044569000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-11-02 16:21:02.041317000 -0400
|
|
@@ -245,8 +245,11 @@ interface(`ricci_admin',`
|
|
type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
|
|
')
|
|
|
|
- allow $1 ricci_t:process { ptrace signal_perms };
|
|
+ allow $1 ricci_t:process signal_perms;
|
|
ps_process_pattern($1, ricci_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ricci_t:process ptrace;
|
|
+ ')
|
|
|
|
ricci_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-11-02 16:21:02.048315000 -0400
|
|
@@ -23,8 +23,11 @@ interface(`roundup_admin',`
|
|
type roundup_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 roundup_t:process { ptrace signal_perms };
|
|
+ allow $1 roundup_t:process signal_perms;
|
|
ps_process_pattern($1, roundup_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 roundup_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-11-02 16:20:59.103567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-11-02 16:21:02.054316000 -0400
|
|
@@ -155,8 +155,11 @@ interface(`rpcbind_admin',`
|
|
type rpcbind_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 rpcbind_t:process { ptrace signal_perms };
|
|
+ allow $1 rpcbind_t:process signal_perms;
|
|
ps_process_pattern($1, rpcbind_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rpcbind_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-11-02 16:20:59.136579000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-11-02 16:21:02.062321000 -0400
|
|
@@ -15,7 +15,7 @@ init_system_domain(rtkit_daemon_t, rtkit
|
|
# rtkit_daemon local policy
|
|
#
|
|
|
|
-allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
|
|
+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice };
|
|
allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
|
|
|
|
kernel_read_system_state(rtkit_daemon_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-11-02 16:20:59.142570000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-11-02 16:21:02.068313000 -0400
|
|
@@ -138,8 +138,11 @@ interface(`rwho_admin',`
|
|
type rwho_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 rwho_t:process { ptrace signal_perms };
|
|
+ allow $1 rwho_t:process signal_perms;
|
|
ps_process_pattern($1, rwho_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rwho_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-11-02 16:20:59.162567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-11-02 16:21:02.077313000 -0400
|
|
@@ -784,13 +784,18 @@ interface(`samba_admin',`
|
|
type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
|
|
')
|
|
|
|
- allow $1 smbd_t:process { ptrace signal_perms };
|
|
+ allow $1 smbd_t:process signal_perms;
|
|
ps_process_pattern($1, smbd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 smbd_t:process ptrace;
|
|
+ allow $1 nmbd_t:process ptrace;
|
|
+ allow $1 samba_unconfined_script_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 nmbd_t:process { ptrace signal_perms };
|
|
+ allow $1 nmbd_t:process signal_perms;
|
|
ps_process_pattern($1, nmbd_t)
|
|
|
|
- allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
|
|
+ allow $1 samba_unconfined_script_t:process signal_perms;
|
|
ps_process_pattern($1, samba_unconfined_script_t)
|
|
|
|
samba_run_smbcontrol($1, $2, $3)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-11-02 16:21:02.085312000 -0400
|
|
@@ -271,10 +271,14 @@ interface(`samhain_admin',`
|
|
type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
|
|
')
|
|
|
|
- allow $1 samhain_t:process { ptrace signal_perms };
|
|
+ allow $1 samhain_t:process signal_perms;
|
|
ps_process_pattern($1, samhain_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 samhain_t:process ptrace;
|
|
+ allow $1 samhaind_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 samhaind_t:process { ptrace signal_perms };
|
|
+ allow $1 samhaind_t:process signal_perms;
|
|
ps_process_pattern($1, samhaind_t)
|
|
|
|
files_list_var_lib($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-11-02 16:20:59.183571000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-11-02 16:21:02.098317000 -0400
|
|
@@ -99,8 +99,11 @@ interface(`sanlock_admin',`
|
|
type sanlock_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 sanlock_t:process { ptrace signal_perms };
|
|
+ allow $1 sanlock_t:process signal_perms;
|
|
ps_process_pattern($1, sanlock_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 sanlock_t:process ptrace;
|
|
+ ')
|
|
|
|
sanlock_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-11-02 16:20:59.191567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-11-02 16:21:02.104317000 -0400
|
|
@@ -42,8 +42,11 @@ interface(`sasl_admin',`
|
|
type saslauthd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 saslauthd_t:process { ptrace signal_perms };
|
|
+ allow $1 saslauthd_t:process signal_perms;
|
|
ps_process_pattern($1, saslauthd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 saslauthd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-11-02 16:20:59.202567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-11-02 16:21:02.111312000 -0400
|
|
@@ -65,11 +65,15 @@ interface(`sblim_admin',`
|
|
type sblim_var_run_t;
|
|
')
|
|
|
|
- allow $1 sblim_gatherd_t:process { ptrace signal_perms };
|
|
+ allow $1 sblim_gatherd_t:process signal_perms;
|
|
ps_process_pattern($1, sblim_gatherd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 sblim_gatherd_t:process ptrace;
|
|
+ allow $1 sblim_reposd_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 sblim_reposd_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, sblim_reposd_t)
|
|
+ allow $1 sblim_reposd_t:process signal_perms;
|
|
+ ps_process_pattern($1, sblim_reposd_t)
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, sblim_var_run_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-11-02 16:20:59.214567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-11-02 16:21:02.116312000 -0400
|
|
@@ -24,7 +24,7 @@ files_pid_file(sblim_var_run_t)
|
|
#
|
|
|
|
#needed by ps
|
|
-allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
|
|
+allow sblim_gatherd_t self:capability { kill dac_override };
|
|
allow sblim_gatherd_t self:process signal;
|
|
|
|
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-11-02 16:20:59.230567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-11-02 16:21:02.126311000 -0400
|
|
@@ -334,10 +334,14 @@ interface(`sendmail_admin',`
|
|
type mail_spool_t;
|
|
')
|
|
|
|
- allow $1 sendmail_t:process { ptrace signal_perms };
|
|
+ allow $1 sendmail_t:process signal_perms;
|
|
ps_process_pattern($1, sendmail_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 sendmail_t:process ptrace;
|
|
+ allow $1 unconfined_sendmail_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
|
|
+ allow $1 unconfined_sendmail_t:process signal_perms;
|
|
ps_process_pattern($1, unconfined_sendmail_t)
|
|
|
|
sendmail_initrc_domtrans($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-11-02 16:20:59.242570000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-11-02 16:21:02.134309000 -0400
|
|
@@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',`
|
|
type setroubleshoot_var_lib_t;
|
|
')
|
|
|
|
- allow $1 setroubleshootd_t:process { ptrace signal_perms };
|
|
+ allow $1 setroubleshootd_t:process signal_perms;
|
|
ps_process_pattern($1, setroubleshootd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 setroubleshootd_t:process ptrace;
|
|
+ ')
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, setroubleshoot_var_log_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-11-02 16:20:59.259572000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-11-02 16:21:02.140335000 -0400
|
|
@@ -42,8 +42,11 @@ interface(`smartmon_admin',`
|
|
type fsdaemon_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 fsdaemon_t:process { ptrace signal_perms };
|
|
+ allow $1 fsdaemon_t:process signal_perms;
|
|
ps_process_pattern($1, fsdaemon_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 smartmon_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-11-02 16:21:02.147311000 -0400
|
|
@@ -153,8 +153,11 @@ interface(`smokeping_admin',`
|
|
type smokeping_t, smokeping_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 smokeping_t:process { ptrace signal_perms };
|
|
+ allow $1 smokeping_t:process signal_perms;
|
|
ps_process_pattern($1, smokeping_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 smokeping_t:process ptrace;
|
|
+ ')
|
|
|
|
smokeping_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-11-02 16:20:59.292575000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-11-02 16:21:02.153312000 -0400
|
|
@@ -168,8 +168,11 @@ interface(`snmp_admin',`
|
|
type snmpd_var_lib_t, snmpd_var_run_t;
|
|
')
|
|
|
|
- allow $1 snmpd_t:process { ptrace signal_perms };
|
|
+ allow $1 snmpd_t:process signal_perms;
|
|
ps_process_pattern($1, snmpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 snmpd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-11-02 16:20:59.299567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-11-02 16:21:02.160309000 -0400
|
|
@@ -26,7 +26,8 @@ files_type(snmpd_var_lib_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
|
|
+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config };
|
|
+
|
|
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
|
|
allow snmpd_t self:process { signal_perms getsched setsched };
|
|
allow snmpd_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-11-02 16:20:59.304570000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-11-02 16:21:02.166312000 -0400
|
|
@@ -41,8 +41,11 @@ interface(`snort_admin',`
|
|
type snort_etc_t, snort_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 snort_t:process { ptrace signal_perms };
|
|
+ allow $1 snort_t:process signal_perms;
|
|
ps_process_pattern($1, snort_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 snort_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, snort_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-11-02 16:20:59.315567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-11-02 16:21:02.173309000 -0400
|
|
@@ -37,8 +37,11 @@ interface(`soundserver_admin',`
|
|
type soundd_tmp_t, soundd_var_run_t;
|
|
')
|
|
|
|
- allow $1 soundd_t:process { ptrace signal_perms };
|
|
+ allow $1 soundd_t:process signal_perms;
|
|
ps_process_pattern($1, soundd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 soundd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-11-02 16:20:59.327571000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-11-02 16:21:02.180310000 -0400
|
|
@@ -27,12 +27,12 @@ interface(`spamassassin_role',`
|
|
|
|
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
|
|
|
|
- allow $2 spamassassin_t:process { ptrace signal_perms };
|
|
+ allow $2 spamassassin_t:process signal_perms;
|
|
ps_process_pattern($2, spamassassin_t)
|
|
|
|
domtrans_pattern($2, spamc_exec_t, spamc_t)
|
|
|
|
- allow $2 spamc_t:process { ptrace signal_perms };
|
|
+ allow $2 spamc_t:process signal_perms;
|
|
ps_process_pattern($2, spamc_t)
|
|
|
|
manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
|
|
@@ -337,8 +337,11 @@ interface(`spamassassin_spamd_admin',`
|
|
type spamd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 spamd_t:process { ptrace signal_perms };
|
|
+ allow $1 spamd_t:process signal_perms;
|
|
ps_process_pattern($1, spamd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 spamd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, spamd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-11-02 16:20:59.347567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-11-02 16:21:02.186312000 -0400
|
|
@@ -209,8 +209,11 @@ interface(`squid_admin',`
|
|
type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 squid_t:process { ptrace signal_perms };
|
|
+ allow $1 squid_t:process signal_perms;
|
|
ps_process_pattern($1, squid_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 squid_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, squid_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-11-02 16:21:00.759481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-11-02 16:21:02.196309000 -0400
|
|
@@ -367,7 +367,7 @@ template(`ssh_role_template',`
|
|
|
|
# allow ps to show ssh
|
|
ps_process_pattern($3, ssh_t)
|
|
- allow $3 ssh_t:process { ptrace signal_perms };
|
|
+ allow $3 ssh_t:process signal_perms;
|
|
|
|
# for rsync
|
|
allow ssh_t $3:unix_stream_socket rw_socket_perms;
|
|
@@ -402,7 +402,7 @@ template(`ssh_role_template',`
|
|
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
|
|
|
|
# Allow the user shell to signal the ssh program.
|
|
- allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
|
|
+ allow $3 $1_ssh_agent_t:process signal_perms;
|
|
|
|
# allow ps to show ssh
|
|
ps_process_pattern($3, $1_ssh_agent_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-11-02 16:20:59.380578000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-11-02 16:21:02.203309000 -0400
|
|
@@ -234,8 +234,11 @@ interface(`sssd_admin',`
|
|
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 sssd_t:process { ptrace signal_perms };
|
|
+ allow $1 sssd_t:process signal_perms;
|
|
ps_process_pattern($1, sssd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 sssd_t:process ptrace;
|
|
+ ')
|
|
|
|
# Allow sssd_t to restart the apache service
|
|
sssd_initrc_domtrans($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-11-02 16:20:59.433567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-11-02 16:21:02.211309000 -0400
|
|
@@ -137,8 +137,11 @@ interface(`tcsd_admin',`
|
|
type tcsd_var_lib_t;
|
|
')
|
|
|
|
- allow $1 tcsd_t:process { ptrace signal_perms };
|
|
+ allow $1 tcsd_t:process signal_perms;
|
|
ps_process_pattern($1, tcsd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 tcsd_t:process ptrace;
|
|
+ ')
|
|
|
|
tcsd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-11-02 16:20:59.454567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-11-02 16:21:02.217312000 -0400
|
|
@@ -109,8 +109,11 @@ interface(`tftp_admin',`
|
|
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
|
|
')
|
|
|
|
- allow $1 tftpd_t:process { ptrace signal_perms };
|
|
+ allow $1 tftpd_t:process signal_perms;
|
|
ps_process_pattern($1, tftpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 tftp_t:process ptrace;
|
|
+ ')
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, tftpdir_rw_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-11-02 16:20:59.476567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-11-02 16:21:02.223312000 -0400
|
|
@@ -42,8 +42,11 @@ interface(`tor_admin',`
|
|
type tor_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 tor_t:process { ptrace signal_perms };
|
|
+ allow $1 tor_t:process signal_perms;
|
|
ps_process_pattern($1, tor_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 tor_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, tor_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-11-02 16:20:59.486583000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-11-02 16:21:02.229312000 -0400
|
|
@@ -115,8 +115,11 @@ interface(`tuned_admin',`
|
|
type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 tuned_t:process { ptrace signal_perms };
|
|
+ allow $1 tuned_t:process signal_perms;
|
|
ps_process_pattern($1, tuned_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 tuned_t:process ptrace;
|
|
+ ')
|
|
|
|
tuned_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-11-02 16:21:02.236309000 -0400
|
|
@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
|
|
type ulogd_var_log_t, ulogd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ulogd_t:process { ptrace signal_perms };
|
|
+ allow $1 ulogd_t:process signal_perms;
|
|
ps_process_pattern($1, ulogd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ulogd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-11-02 16:21:02.242309000 -0400
|
|
@@ -99,8 +99,11 @@ interface(`uucp_admin',`
|
|
type uucpd_var_run_t;
|
|
')
|
|
|
|
- allow $1 uucpd_t:process { ptrace signal_perms };
|
|
+ allow $1 uucpd_t:process signal_perms;
|
|
ps_process_pattern($1, uucpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 uucpd_t:process ptrace;
|
|
+ ')
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, uucpd_log_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-11-02 16:20:59.542567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-11-02 16:21:02.247309000 -0400
|
|
@@ -177,8 +177,11 @@ interface(`uuidd_admin',`
|
|
type uuidd_var_run_t;
|
|
')
|
|
|
|
- allow $1 uuidd_t:process { ptrace signal_perms };
|
|
+ allow $1 uuidd_t:process signal_perms;
|
|
ps_process_pattern($1, uuidd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 uuidd_t:process ptrace;
|
|
+ ')
|
|
|
|
uuidd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace 2011-06-27 14:18:04.000000000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-11-02 16:21:02.254309000 -0400
|
|
@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',`
|
|
type varnishlog_var_run_t;
|
|
')
|
|
|
|
- allow $1 varnishlog_t:process { ptrace signal_perms };
|
|
+ allow $1 varnishlog_t:process signal_perms;
|
|
ps_process_pattern($1, varnishlog_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 varnishd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -194,8 +197,11 @@ interface(`varnishd_admin',`
|
|
type varnishd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 varnishd_t:process { ptrace signal_perms };
|
|
+ allow $1 varnishd_t:process signal_perms;
|
|
ps_process_pattern($1, varnishd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 varnishd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-11-02 16:20:59.554567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-11-02 16:21:02.259309000 -0400
|
|
@@ -118,8 +118,11 @@ interface(`vdagent_admin',`
|
|
type vdagent_var_run_t;
|
|
')
|
|
|
|
- allow $1 vdagent_t:process { ptrace signal_perms };
|
|
+ allow $1 vdagent_t:process signal_perms;
|
|
ps_process_pattern($1, vdagent_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 vdagent_t:process ptrace;
|
|
+ ')
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, vdagent_var_run_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-11-02 16:20:59.561569000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-11-02 16:21:02.266309000 -0400
|
|
@@ -210,8 +210,11 @@ interface(`vhostmd_admin',`
|
|
type vhostmd_t, vhostmd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 vhostmd_t:process { ptrace signal_perms };
|
|
+ allow $1 vhostmd_t:process signal_perms;
|
|
ps_process_pattern($1, vhostmd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 vhostmd_t:process ptrace;
|
|
+ ')
|
|
|
|
vhostmd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-11-02 16:20:59.580567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-11-02 16:21:02.275309000 -0400
|
|
@@ -618,10 +618,14 @@ interface(`virt_admin',`
|
|
type virt_lxc_t;
|
|
')
|
|
|
|
- allow $1 virtd_t:process { ptrace signal_perms };
|
|
+ allow $1 virtd_t:process signal_perms;
|
|
ps_process_pattern($1, virtd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 virtd_t:process ptrace;
|
|
+ allow $1 virt_lxc_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $1 virt_lxc_t:process { ptrace signal_perms };
|
|
+ allow $1 virt_lxc_t:process signal_perms;
|
|
ps_process_pattern($1, virt_lxc_t)
|
|
|
|
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
|
|
@@ -637,7 +641,7 @@ interface(`virt_admin',`
|
|
|
|
virt_manage_images($1)
|
|
|
|
- allow $1 virt_domain:process { ptrace signal_perms };
|
|
+ allow $1 virt_domain:process signal_perms;
|
|
')
|
|
|
|
########################################
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-11-02 16:21:00.404481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-11-02 16:21:02.286309000 -0400
|
|
@@ -250,7 +250,7 @@ optional_policy(`
|
|
# virtd local policy
|
|
#
|
|
|
|
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
|
|
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
|
|
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
|
|
ifdef(`hide_broken_symptoms',`
|
|
# caused by some bogus kernel code
|
|
@@ -846,7 +846,6 @@ optional_policy(`
|
|
# virt_lxc_domain local policy
|
|
#
|
|
allow svirt_lxc_domain self:capability { kill setuid setgid dac_override };
|
|
-dontaudit svirt_lxc_domain self:capability sys_ptrace;
|
|
|
|
allow virtd_t svirt_lxc_domain:process { signal_perms };
|
|
allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-11-02 16:20:59.600570000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-11-02 16:21:02.295309000 -0400
|
|
@@ -136,8 +136,11 @@ interface(`vnstatd_admin',`
|
|
type vnstatd_t, vnstatd_var_lib_t;
|
|
')
|
|
|
|
- allow $1 vnstatd_t:process { ptrace signal_perms };
|
|
+ allow $1 vnstatd_t:process signal_perms;
|
|
ps_process_pattern($1, vnstatd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 vnstatd_t:process ptrace;
|
|
+ ')
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, vnstatd_var_lib_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-11-02 16:20:59.616567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-11-02 16:21:02.311309000 -0400
|
|
@@ -62,8 +62,11 @@ interface(`wdmd_admin',`
|
|
type wdmd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 wdmd_t:process { ptrace signal_perms };
|
|
+ allow $1 wdmd_t:process signal_perms;
|
|
ps_process_pattern($1, wdmd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 wdmd_t:process ptrace;
|
|
+ ')
|
|
|
|
wdmd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te
|
|
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-11-02 16:21:00.803481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-02 16:21:02.326309000 -0400
|
|
@@ -417,8 +417,13 @@ optional_policy(`
|
|
# XDM Local policy
|
|
#
|
|
|
|
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
|
|
-allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace };
|
|
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
|
|
+
|
|
+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow xdm_t self:process ptrace;
|
|
+')
|
|
+
|
|
allow xdm_t self:fifo_file rw_fifo_file_perms;
|
|
allow xdm_t self:shm create_shm_perms;
|
|
allow xdm_t self:sem create_sem_perms;
|
|
@@ -930,7 +935,8 @@ allow xserver_t input_xevent_t:x_event s
|
|
# execheap needed until the X module loader is fixed.
|
|
# NVIDIA Needs execstack
|
|
|
|
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
|
|
+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
|
|
+
|
|
dontaudit xserver_t self:capability chown;
|
|
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow xserver_t self:fd use;
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-11-02 16:20:59.669567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-11-02 16:21:02.334309000 -0400
|
|
@@ -142,8 +142,11 @@ interface(`zabbix_admin',`
|
|
type zabbix_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 zabbix_t:process { ptrace signal_perms };
|
|
+ allow $1 zabbix_t:process signal_perms;
|
|
ps_process_pattern($1, zabbix_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 zabbix_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if
|
|
--- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-11-02 16:20:59.697569000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-11-02 16:21:02.340309000 -0400
|
|
@@ -64,8 +64,11 @@ interface(`zebra_admin',`
|
|
type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 zebra_t:process { ptrace signal_perms };
|
|
+ allow $1 zebra_t:process signal_perms;
|
|
ps_process_pattern($1, zebra_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 zebra_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-3.10.0/policy/modules/system/hotplug.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace 2011-11-02 16:20:59.839580000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/hotplug.te 2011-11-02 16:21:02.354311000 -0400
|
|
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
|
|
#
|
|
|
|
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
|
|
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
|
|
+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
|
|
# for access("/etc/bashrc", X_OK) on Red Hat
|
|
dontaudit hotplug_t self:capability { dac_override dac_read_search };
|
|
allow hotplug_t self:process { setpgid getsession getattr signal_perms };
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if
|
|
--- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-11-02 16:20:59.863567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-11-02 16:21:02.369309000 -0400
|
|
@@ -1123,7 +1123,9 @@ interface(`init_ptrace',`
|
|
type init_t;
|
|
')
|
|
|
|
- allow $1 init_t:process ptrace;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 init_t:process ptrace;
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-11-02 16:21:00.588481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-11-02 16:21:02.388309000 -0400
|
|
@@ -121,7 +121,7 @@ ifdef(`enable_mls',`
|
|
#
|
|
|
|
# Use capabilities. old rule:
|
|
-allow init_t self:capability ~{ audit_control audit_write sys_module };
|
|
+allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module };
|
|
# is ~sys_module really needed? observed:
|
|
# sys_boot
|
|
# sys_tty_config
|
|
@@ -408,7 +408,8 @@ optional_policy(`
|
|
#
|
|
|
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
|
-allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
|
|
+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
|
|
+
|
|
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
|
allow initrc_t self:passwd rootok;
|
|
allow initrc_t self:key manage_key_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-11-02 16:20:59.901577000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-11-02 16:21:02.396309000 -0400
|
|
@@ -73,7 +73,7 @@ role system_r types setkey_t;
|
|
#
|
|
|
|
allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
|
|
-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
|
|
+dontaudit ipsec_t self:capability sys_tty_config;
|
|
allow ipsec_t self:process { getcap setcap getsched signal setsched };
|
|
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
|
allow ipsec_t self:udp_socket create_socket_perms;
|
|
@@ -193,8 +193,8 @@ optional_policy(`
|
|
#
|
|
|
|
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
|
|
-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
|
|
-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
|
|
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
|
|
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
|
|
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
|
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
|
@@ -251,9 +251,6 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
|
|
kernel_getattr_core_if(ipsec_mgmt_t)
|
|
kernel_getattr_message_if(ipsec_mgmt_t)
|
|
|
|
-# don't audit using of lsof
|
|
-dontaudit ipsec_mgmt_t self:capability sys_ptrace;
|
|
-
|
|
domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
|
|
domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.10.0/policy/modules/system/iscsi.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace 2011-11-02 16:20:59.926567000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/iscsi.te 2011-11-02 16:21:02.402312000 -0400
|
|
@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
|
|
#
|
|
|
|
allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
|
|
-dontaudit iscsid_t self:capability sys_ptrace;
|
|
allow iscsid_t self:process { setrlimit setsched signal };
|
|
allow iscsid_t self:fifo_file rw_fifo_file_perms;
|
|
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-11-02 16:20:59.970558000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-11-02 16:21:02.410309000 -0400
|
|
@@ -35,7 +35,7 @@ role system_r types sulogin_t;
|
|
# Local login local policy
|
|
#
|
|
|
|
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };
|
|
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
|
|
allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
|
|
allow local_login_t self:fd use;
|
|
allow local_login_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if
|
|
--- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-11-02 16:20:59.986543000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-11-02 16:21:02.421309000 -0400
|
|
@@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',`
|
|
type auditd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 auditd_t:process { ptrace signal_perms };
|
|
+ allow $1 auditd_t:process signal_perms;
|
|
ps_process_pattern($1, auditd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 auditd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
|
|
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
|
|
|
|
@@ -1142,10 +1146,14 @@ interface(`logging_admin_syslog',`
|
|
')
|
|
|
|
allow $1 self:capability2 syslog;
|
|
- allow $1 syslogd_t:process { ptrace signal_perms };
|
|
- allow $1 klogd_t:process { ptrace signal_perms };
|
|
+ allow $1 syslogd_t:process signal_perms;
|
|
+ allow $1 klogd_t:process signal_perms;
|
|
ps_process_pattern($1, syslogd_t)
|
|
ps_process_pattern($1, klogd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 syslogd_t:process ptrace;
|
|
+ allow $1 klogd_t:process ptrace;
|
|
+ ')
|
|
|
|
manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
|
manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-11-02 16:21:00.088481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-11-02 16:21:02.429309000 -0400
|
|
@@ -48,7 +48,11 @@ role system_r types showmount_t;
|
|
|
|
# setuid/setgid needed to mount cifs
|
|
allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
|
|
-allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
|
|
+allow mount_t self:process { getcap getsched setcap setrlimit signal };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow mount_t self:process ptrace;
|
|
+')
|
|
+
|
|
allow mount_t self:fifo_file rw_fifo_file_perms;
|
|
allow mount_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow mount_t self:unix_dgram_socket create_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-11-02 16:21:00.168481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-11-02 16:21:02.437309000 -0400
|
|
@@ -51,10 +51,13 @@ files_config_file(net_conf_t)
|
|
# DHCP client local policy
|
|
#
|
|
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
|
|
-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
|
|
+dontaudit dhcpc_t self:capability sys_tty_config;
|
|
# for access("/etc/bashrc", X_OK) on Red Hat
|
|
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
|
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
|
|
+allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow dhcpc_t self:process ptrace;
|
|
+')
|
|
|
|
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
|
|
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-11-02 16:21:00.201481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-11-02 16:21:02.444309000 -0400
|
|
@@ -34,7 +34,7 @@ ifdef(`enable_mcs',`
|
|
# Local policy
|
|
#
|
|
|
|
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
|
|
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
|
|
dontaudit udev_t self:capability sys_tty_config;
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
@@ -42,7 +42,11 @@ ifdef(`hide_broken_symptoms',`
|
|
dontaudit udev_t self:capability sys_module;
|
|
')
|
|
|
|
-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow udev_t self:process ptrace;
|
|
+')
|
|
+
|
|
allow udev_t self:process { execmem setfscreate };
|
|
allow udev_t self:fd use;
|
|
allow udev_t self:fifo_file rw_fifo_file_perms;
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if
|
|
--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-11-02 16:21:00.347484000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-11-02 16:21:02.451309000 -0400
|
|
@@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',`
|
|
')
|
|
|
|
# Use any Linux capability.
|
|
- allow $1 self:capability ~sys_module;
|
|
+
|
|
+ allow $1 self:capability ~{ sys_module sys_ptrace };
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 self:capability sys_ptrace;
|
|
+ ')
|
|
+
|
|
allow $1 self:capability2 syslog;
|
|
allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
|
|
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if
|
|
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-11-02 16:21:00.833481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-02 16:21:02.483309000 -0400
|
|
@@ -40,7 +40,10 @@ template(`userdom_base_user_template',`
|
|
role $1_r types $1_t;
|
|
allow system_r $1_r;
|
|
|
|
- allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
|
|
+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1_usertype $1_usertype:process ptrace;
|
|
+ ')
|
|
allow $1_usertype $1_usertype:fd use;
|
|
allow $1_usertype $1_usertype:key { create view read write search link setattr };
|
|
|
|
@@ -594,7 +597,7 @@ template(`userdom_login_user_template',
|
|
allow $1_t self:capability { setgid chown fowner };
|
|
dontaudit $1_t self:capability { sys_nice fsetid };
|
|
|
|
- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
|
|
+ allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
|
|
dontaudit $1_t self:process setrlimit;
|
|
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
|
|
|
@@ -1052,7 +1055,10 @@ template(`userdom_admin_user_template',`
|
|
# $1_t local policy
|
|
#
|
|
|
|
- allow $1_t self:capability ~{ sys_module audit_control audit_write };
|
|
+ allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1_t self:capability sys_ptrace;
|
|
+ ')
|
|
allow $1_t self:capability2 syslog;
|
|
allow $1_t self:process { setexec setfscreate };
|
|
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
|
|
@@ -3693,7 +3699,9 @@ interface(`userdom_ptrace_all_users',`
|
|
attribute userdomain;
|
|
')
|
|
|
|
- allow $1 userdomain:process ptrace;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 userdomain:process ptrace;
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace serefpolicy-3.10.0/policy/modules/system/xen.te
|
|
--- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace 2011-11-02 16:21:00.309481000 -0400
|
|
+++ serefpolicy-3.10.0/policy/modules/system/xen.te 2011-11-02 16:21:02.493309000 -0400
|
|
@@ -206,7 +206,6 @@ tunable_policy(`xend_run_qemu',`
|
|
#
|
|
|
|
allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
|
|
-dontaudit xend_t self:capability { sys_ptrace };
|
|
allow xend_t self:process { signal sigkill };
|
|
dontaudit xend_t self:process ptrace;
|
|
# internal communication is often done using fifo and unix sockets.
|