From c14302d03dec490576b3dcba0358d7e8e88a103b Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Jan 15 2013 23:54:56 +0000 Subject: Rename gnomeclock to systemd_timedated --- diff --git a/modules-mls-base.conf b/modules-mls-base.conf index 309a9f2..436b9bd 100644 --- a/modules-mls-base.conf +++ b/modules-mls-base.conf @@ -267,13 +267,6 @@ authlogin = module # clock = module -# Layer: services -# Module: gnomeclock -# -# gnomeclock used by dbus/polkit to set time -# -gnomeclock = module - # Layer: system # Module: fstools # diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf index 0fc3d2f..038c868 100644 --- a/modules-mls-contrib.conf +++ b/modules-mls-contrib.conf @@ -558,13 +558,6 @@ git = module # glance = module -# Layer: services -# Module: gnomeclock -# -# gnomeclock used by dbus/polkit to set time -# -gnomeclock = module - # Layer: apps # Module: gnome # diff --git a/modules-mls.conf b/modules-mls.conf index 60fb304..bf7e537 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -613,13 +613,6 @@ getty = module gnome = module # Layer: services -# Module: gnomeclock -# -# gnomeclock used by dbus/polkit to set time -# -gnomeclock = module - -# Layer: services # Module: plymouthd # # Plymouth diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index 09c9b66..4447a26 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -274,13 +274,6 @@ authlogin = module # clock = module -# Layer: services -# Module: gnomeclock -# -# gnomeclock used by dbus/polkit to set time -# -gnomeclock = module - # Layer: system # Module: fstools # diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index ea6c8fa..99c2554 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -733,13 +733,6 @@ glance = module # glusterd = module -# Layer: services -# Module: gnomeclock -# -# gnomeclock used by dbus/polkit to set time -# -gnomeclock = module - # Layer: apps # Module: gnome # diff --git a/modules-targeted.conf b/modules-targeted.conf index 227ecab..ea58d12 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -717,13 +717,6 @@ getty = module gnome = module # Layer: services -# Module: gnomeclock -# -# gnomeclock used by dbus/polkit to set time -# -gnomeclock = module - -# Layer: services # Module: hddtemp # # hddtemp hard disk temperature tool running as a daemon diff --git a/permissivedomains.te b/permissivedomains.te index fb6ceb6..450d0f2 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -15,3 +15,11 @@ optional_policy(` permissive httpd_mythtv_script_t; ') + +optional_policy(` + gen_require(` + type systemd_hostnamed_t; + ') + + permissive systemd_hostnamed_t; +') diff --git a/ptrace.patch b/ptrace.patch deleted file mode 100644 index a3d3ca6..0000000 --- a/ptrace.patch +++ /dev/null @@ -1,3762 +0,0 @@ -diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables ---- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-11-07 16:15:26.982367527 -0500 -+++ serefpolicy-3.10.0/policy/global_tunables 2011-11-07 16:15:27.555367746 -0500 -@@ -6,6 +6,13 @@ - - ## - ##

-+## Allow sysadm to debug or ptrace all processes. -+##

-+## -+gen_tunable(deny_ptrace, false) -+ -+## -+##

- ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla - ##

- ## -diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if ---- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-11-07 16:15:26.997367533 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-11-07 16:15:27.556367746 -0500 -@@ -140,8 +140,11 @@ interface(`kdump_admin',` - type kdump_initrc_exec_t; - ') - -- allow $1 kdump_t:process { ptrace signal_perms }; -+ allow $1 kdump_t:process signal_perms; - ps_process_pattern($1, kdump_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kdump_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, kdump_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if ---- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-11-07 16:15:27.556367746 -0500 -@@ -239,7 +239,10 @@ interface(`kismet_admin',` - ') - - ps_process_pattern($1, kismet_t) -- allow $1 kismet_t:process { ptrace signal_perms }; -+ allow $1 kismet_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kismet_t:process ptrace; -+ ') - - kismet_manage_pid_files($1) - kismet_manage_lib($1) -diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te ---- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-11-07 16:15:26.999367533 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-11-07 16:15:27.557367747 -0500 -@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t) - # Local policy - # - --allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod }; -+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod }; - dontaudit kudzu_t self:capability sys_tty_config; - allow kudzu_t self:process { signal_perms execmem }; - allow kudzu_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te ---- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-11-07 16:15:26.999367533 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-11-07 16:15:27.558367748 -0500 -@@ -30,8 +30,6 @@ files_type(logrotate_var_lib_t) - - # Change ownership on log files. - allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; --# for mailx --dontaudit logrotate_t self:capability { sys_ptrace }; - - allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - -diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te ---- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-11-07 16:15:27.003367535 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-11-07 16:15:27.559367749 -0500 -@@ -17,8 +17,7 @@ role system_r types ncftool_t; - # ncftool local policy - # - --allow ncftool_t self:capability { net_admin sys_ptrace }; -- -+allow ncftool_t self:capability net_admin; - allow ncftool_t self:process signal; - - allow ncftool_t self:fifo_file manage_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te ---- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-11-07 16:15:27.521367733 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-11-07 16:15:27.560367749 -0500 -@@ -250,7 +250,8 @@ optional_policy(` - # rpm-script Local policy - # - --allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; -+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; -+ - allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; - allow rpm_script_t self:fd use; - allow rpm_script_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te ---- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-11-07 16:15:27.018367540 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-11-07 16:15:27.561367749 -0500 -@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t) - # sectool local policy - # - --allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; -+allow sectoolm_t self:capability { dac_override net_admin sys_nice }; - allow sectoolm_t self:process { getcap getsched signull setsched }; - dontaudit sectoolm_t self:process { execstack execmem }; - allow sectoolm_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if ---- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-11-07 16:15:27.018367540 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-11-07 16:15:27.562367749 -0500 -@@ -139,8 +139,11 @@ interface(`shorewall_admin',` - type shorewall_tmp_t, shorewall_etc_t; - ') - -- allow $1 shorewall_t:process { ptrace signal_perms }; -+ allow $1 shorewall_t:process signal_perms; - ps_process_pattern($1, shorewall_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 shorewall_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, shorewall_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te ---- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-11-07 16:15:27.019367540 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-11-07 16:15:27.563367750 -0500 -@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t) - # shorewall local policy - # - --allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; -+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice }; - dontaudit shorewall_t self:capability sys_tty_config; - allow shorewall_t self:fifo_file rw_fifo_file_perms; - -diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te ---- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-11-07 16:15:27.022367543 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-11-07 16:15:27.563367750 -0500 -@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t) - # sosreport local policy - # - --allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; -+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; - allow sosreport_t self:process { setsched signull }; - allow sosreport_t self:fifo_file rw_fifo_file_perms; - allow sosreport_t self:tcp_socket create_stream_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te ---- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-11-07 16:15:27.501367726 -0500 -+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-11-07 16:15:27.564367750 -0500 -@@ -439,7 +439,8 @@ optional_policy(` - # Useradd local policy - # - --allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace }; -+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -+ - dontaudit useradd_t self:capability sys_tty_config; - allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow useradd_t self:process setfscreate; -diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te ---- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-11-07 16:15:27.035367548 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-11-07 16:15:27.565367750 -0500 -@@ -26,7 +26,7 @@ role system_r types chrome_sandbox_nacl_ - # - # chrome_sandbox local policy - # --allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; -+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot }; - allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; - allow chrome_sandbox_t self:process setsched; - allow chrome_sandbox_t self:fifo_file manage_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te ---- serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace 2011-11-07 16:15:27.035367548 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te 2011-11-07 16:15:27.566367750 -0500 -@@ -14,7 +14,7 @@ application_domain(cpufreqselector_t, cp - # cpufreq-selector local policy - # - --allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; -+allow cpufreqselector_t self:capability sys_nice; - allow cpufreqselector_t self:process getsched; - allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; - allow cpufreqselector_t self:process getsched; -diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if ---- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-11-07 16:15:27.041367549 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-11-07 16:15:27.567367751 -0500 -@@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',` - auth_use_nsswitch($1_gkeyringd_t) - - ps_process_pattern($3, $1_gkeyringd_t) -- allow $3 $1_gkeyringd_t:process { ptrace signal_perms }; -- -+ allow $3 $1_gkeyringd_t:process signal_perms; - dontaudit $3 gkeyringd_exec_t:file entrypoint; - - stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) -diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.te ---- serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace 2011-11-07 16:15:27.042367550 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/gnome.te 2011-11-07 16:15:27.568367752 -0500 -@@ -119,7 +119,7 @@ optional_policy(` - # gconf-defaults-mechanisms local policy - # - --allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace }; -+allow gconfdefaultsm_t self:capability { dac_override sys_nice }; - allow gconfdefaultsm_t self:process getsched; - allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; - -@@ -168,7 +168,7 @@ tunable_policy(`use_samba_home_dirs',` - # gnome-system-monitor-mechanisms local policy - # - --allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; -+allow gnomesystemmm_t self:capability sys_nice; - allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; - - kernel_read_system_state(gnomesystemmm_t) -diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if ---- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-11-07 16:15:27.045367551 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-11-07 16:15:27.569367753 -0500 -@@ -33,7 +33,7 @@ interface(`irc_role',` - - domtrans_pattern($2, irssi_exec_t, irssi_t) - -- allow $2 irssi_t:process { ptrace signal_perms }; -+ allow $2 irssi_t:process signal_perms; - ps_process_pattern($2, irssi_t) - - manage_dirs_pattern($2, irssi_home_t, irssi_home_t) -diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0/policy/modules/apps/kde.te ---- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace 2011-11-07 16:15:27.049367553 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/kde.te 2011-11-07 16:15:27.569367753 -0500 -@@ -13,9 +13,6 @@ dbus_system_domain(kdebacklighthelper_t, - # - # backlighthelper local policy - # -- --dontaudit kdebacklighthelper_t self:capability sys_ptrace; -- - allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms; - - kernel_read_system_state(kdebacklighthelper_t) -diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te ---- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-11-07 16:15:27.051367553 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-11-07 16:15:27.570367753 -0500 -@@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t) - - dontaudit livecd_t self:capability2 mac_admin; - --domain_ptrace_all_domains(livecd_t) -+tunable_policy(`deny_ptrace',`',` -+ domain_ptrace_all_domains(livecd_t) -+') -+ - domain_interactive_fd(livecd_t) - - manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) -diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if ---- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-11-07 16:15:27.053367553 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-11-07 16:15:27.570367753 -0500 -@@ -40,8 +40,8 @@ template(`mono_role_template',` - domain_interactive_fd($1_mono_t) - application_type($1_mono_t) - -- allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; -- allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; -+ allow $1_mono_t self:process { signal getsched execheap execmem execstack }; -+ allow $3 $1_mono_t:process { getattr noatsecure signal_perms }; - - domtrans_pattern($3, mono_exec_t, $1_mono_t) - -diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te ---- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-11-07 16:15:27.571367753 -0500 -@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) - # Local policy - # - --allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; -+allow mono_t self:process { signal getsched execheap execmem execstack }; - - init_dbus_chat_script(mono_t) - -diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if ---- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-11-07 16:15:27.055367555 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-11-07 16:15:27.572367753 -0500 -@@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',` - allow mozilla_plugin_t $1:sem create_sem_perms; - - ps_process_pattern($1, mozilla_plugin_t) -- allow $1 mozilla_plugin_t:process { ptrace signal_perms }; -+ allow $1 mozilla_plugin_t:process signal_perms; - ') - - ######################################## -diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.te ---- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace 2011-11-07 16:15:27.524367735 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-11-07 16:15:27.573367753 -0500 -@@ -301,7 +301,7 @@ optional_policy(` - # mozilla_plugin local policy - # - --dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_nice }; -+dontaudit mozilla_plugin_t self:capability sys_nice; - - allow mozilla_plugin_t self:process { setsched signal_perms execmem }; - allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if ---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-11-07 16:15:27.059367556 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-11-07 16:15:27.573367753 -0500 -@@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', ` - dontaudit nsplugin_t $2:shm destroy; - allow $2 nsplugin_t:sem rw_sem_perms; - -- allow $2 nsplugin_t:process { getattr ptrace signal_perms }; -+ allow $2 nsplugin_t:process { getattr signal_perms }; - allow $2 nsplugin_t:unix_stream_socket connectto; - - # Connect to pulseaudit server -diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te ---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-11-07 16:15:27.060367557 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-11-07 16:15:27.574367753 -0500 -@@ -54,7 +54,7 @@ application_executable_file(nsplugin_con - # - dontaudit nsplugin_t self:capability { sys_nice sys_tty_config }; - allow nsplugin_t self:fifo_file rw_file_perms; --allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; -+allow nsplugin_t self:process { setpgid getsched setsched signal_perms }; - - allow nsplugin_t self:sem create_sem_perms; - allow nsplugin_t self:shm create_shm_perms; -diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if ---- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-11-07 16:15:27.000000000 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-11-07 16:16:09.397383796 -0500 -@@ -69,7 +69,7 @@ interface(`openoffice_role_template',` - - allow $1_openoffice_t self:process { getsched sigkill execmem execstack }; - -- allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; -+ allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh }; - allow $1_openoffice_t $3:tcp_socket { read write }; - - domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) -diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te ---- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-11-07 16:15:27.525367736 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-11-07 16:15:27.575367754 -0500 -@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t) - # podsleuth local policy - # - allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; --allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack }; -+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack }; -+ - allow podsleuth_t self:fifo_file rw_file_perms; - allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; - allow podsleuth_t self:sem create_sem_perms; -diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if ---- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-11-07 16:15:27.576367755 -0500 -@@ -31,9 +31,9 @@ interface(`uml_role',` - allow $2 uml_t:unix_dgram_socket sendto; - allow uml_t $2:unix_dgram_socket sendto; - -- # allow ps, ptrace, signal -+ # allow ps, signal - ps_process_pattern($2, uml_t) -- allow $2 uml_t:process { ptrace signal_perms }; -+ allow $2 uml_t:process signal_perms; - - allow $2 uml_ro_t:dir list_dir_perms; - read_files_pattern($2, uml_ro_t, uml_ro_t) -diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te ---- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-11-07 16:15:27.075367563 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-11-07 16:15:27.577367756 -0500 -@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t) - # - - allow uml_t self:fifo_file rw_fifo_file_perms; --allow uml_t self:process { signal_perms ptrace }; -+allow uml_t self:process signal_perms; - allow uml_t self:unix_stream_socket create_stream_socket_perms; - allow uml_t self:unix_dgram_socket create_socket_perms; - # Use the network. -diff -up serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace serefpolicy-3.10.0/policy/modules/apps/vmware.te ---- serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace 2011-11-07 16:15:27.079367563 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/vmware.te 2011-11-07 16:15:27.577367756 -0500 -@@ -72,7 +72,7 @@ ifdef(`enable_mcs',` - # VMWare host local policy - # - --allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; -+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override }; - dontaudit vmware_host_t self:capability sys_tty_config; - allow vmware_host_t self:process { execstack execmem signal_perms }; - allow vmware_host_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if ---- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-11-07 16:15:27.081367565 -0500 -+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-11-07 16:15:27.578367756 -0500 -@@ -100,7 +100,7 @@ template(`wine_role_template',` - role $2 types $1_wine_t; - - allow $1_wine_t self:process { execmem execstack }; -- allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; -+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms }; - domtrans_pattern($3, wine_exec_t, $1_wine_t) - corecmd_bin_domtrans($1_wine_t, $1_t) - -diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te ---- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-11-07 16:15:27.097367571 -0500 -+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-11-07 16:15:27.579367756 -0500 -@@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo - allow unconfined_domain_type unconfined_domain_type:dbus send_msg; - - # Act upon any other process. --allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; -+tunable_policy(`deny_ptrace',`',` -+ allow unconfined_domain_type domain:process ptrace; -+') - - # Create/access any System V IPC objects. - allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -407,3 +410,4 @@ optional_policy(` - ') - - dontaudit domain domain:process { noatsecure siginh rlimitinh } ; -+dontaudit domain self:capability sys_ptrace; -diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te ---- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-11-07 16:15:27.107367575 -0500 -+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-11-07 16:15:27.580367756 -0500 -@@ -191,7 +191,11 @@ sid tcp_socket gen_context(system_u:obj - # kernel local policy - # - --allow kernel_t self:capability *; -+allow kernel_t self:capability ~{ sys_ptrace }; -+tunable_policy(`deny_ptrace',`',` -+ allow kernel_t self:capability sys_ptrace; -+') -+ - allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow kernel_t self:shm create_shm_perms; - allow kernel_t self:sem create_sem_perms; -@@ -442,7 +446,7 @@ allow kern_unconfined unlabeled_t:dir_fi - allow kern_unconfined unlabeled_t:filesystem *; - allow kern_unconfined unlabeled_t:association *; - allow kern_unconfined unlabeled_t:packet *; --allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; -+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap }; - - gen_require(` - bool secure_mode_insmod; -diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te ---- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-11-07 16:15:27.117367578 -0500 -+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-11-07 16:15:27.580367756 -0500 -@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm) - # database admin local policy - # - --allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace }; -+allow dbadm_t self:capability { dac_override dac_read_search }; - - files_dontaudit_search_all_dirs(dbadm_t) - files_delete_generic_locks(dbadm_t) -diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te ---- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-11-07 16:15:27.581367756 -0500 -@@ -14,6 +14,5 @@ userdom_base_user_template(logadm) - # logadmin local policy - # - --allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -- -+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; - logging_admin(logadm_t, logadm_r) -diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te ---- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-11-07 16:15:27.527367736 -0500 -+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-11-07 16:15:27.581367756 -0500 -@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1) - # Declarations - # - --## --##

--## Allow sysadm to debug or ptrace all processes. --##

--## --gen_tunable(allow_ptrace, false) -- - role sysadm_r; - - userdom_admin_user_template(sysadm) -@@ -90,7 +83,7 @@ ifndef(`enable_mls',` - logging_stream_connect_syslog(sysadm_t) - ') - --tunable_policy(`allow_ptrace',` -+tunable_policy(`deny_ptrace',`',` - domain_ptrace_all_domains(sysadm_t) - ') - -diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te ---- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-11-07 16:15:27.122367581 -0500 -+++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-11-07 16:15:27.582367756 -0500 -@@ -28,7 +28,7 @@ userdom_base_user_template(webadm) - # webadmin local policy - # - --allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; -+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; - - files_dontaudit_search_all_dirs(webadm_t) - files_manage_generic_locks(webadm_t) -diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if ---- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-11-07 16:15:27.124367581 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-11-07 16:15:27.583367757 -0500 -@@ -336,9 +336,13 @@ interface(`abrt_admin',` - type abrt_initrc_exec_t; - ') - -- allow $1 abrt_t:process { ptrace signal_perms }; -+ allow $1 abrt_t:process { signal_perms }; - ps_process_pattern($1, abrt_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 abrt_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, abrt_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 abrt_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if ---- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-11-07 16:15:27.126367581 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-11-07 16:15:27.584367758 -0500 -@@ -138,8 +138,12 @@ interface(`accountsd_admin',` - type accountsd_t; - ') - -- allow $1 accountsd_t:process { ptrace signal_perms }; -+ allow $1 accountsd_t:process signal_perms; - ps_process_pattern($1, accountsd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 acountsd_t:process ptrace; -+ ') -+ - accountsd_manage_lib_files($1) - ') -diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te ---- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-11-07 16:15:27.126367581 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-11-07 16:15:27.585367759 -0500 -@@ -19,7 +19,7 @@ files_type(accountsd_var_lib_t) - # accountsd local policy - # - --allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; -+allow accountsd_t self:capability { dac_override setuid setgid }; - allow accountsd_t self:process signal; - allow accountsd_t self:fifo_file rw_fifo_file_perms; - -diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if ---- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-11-07 16:15:27.127367582 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-11-07 16:15:27.586367759 -0500 -@@ -97,9 +97,13 @@ interface(`afs_admin',` - type afs_t, afs_initrc_exec_t; - ') - -- allow $1 afs_t:process { ptrace signal_perms }; -+ allow $1 afs_t:process signal_perms; - ps_process_pattern($1, afs_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 afs_t:process ptrace; -+ ') -+ - # Allow afs_admin to restart the afs service - afs_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if ---- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-11-07 16:15:27.586367759 -0500 -@@ -79,9 +79,13 @@ interface(`aiccu_admin',` - type aiccu_var_run_t; - ') - -- allow $1 aiccu_t:process { ptrace signal_perms }; -+ allow $1 aiccu_t:process signal_perms; - ps_process_pattern($1, aiccu_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 aiccu_t:process ptrace; -+ ') -+ - aiccu_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 aiccu_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if ---- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-11-07 16:15:27.129367584 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-11-07 16:15:27.587367759 -0500 -@@ -61,9 +61,13 @@ interface(`aide_admin',` - type aide_t, aide_db_t, aide_log_t; - ') - -- allow $1 aide_t:process { ptrace signal_perms }; -+ allow $1 aide_t:process signal_perms; - ps_process_pattern($1, aide_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 aide_t:process ptrace; -+ ') -+ - files_list_etc($1) - admin_pattern($1, aide_db_t) - -diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if ---- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-11-07 16:15:27.130367584 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-11-07 16:15:27.588367759 -0500 -@@ -82,9 +82,13 @@ interface(`aisexecd_admin',` - type aisexec_initrc_exec_t; - ') - -- allow $1 aisexec_t:process { ptrace signal_perms }; -+ allow $1 aisexec_t:process signal_perms; - ps_process_pattern($1, aisexec_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 aisexec_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, aisexec_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 aisexec_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if ---- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-11-07 16:15:27.132367584 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-11-07 16:15:27.589367759 -0500 -@@ -76,9 +76,13 @@ interface(`ajaxterm_admin',` - type ajaxterm_t, ajaxterm_initrc_exec_t; - ') - -- allow $1 ajaxterm_t:process { ptrace signal_perms }; -+ allow $1 ajaxterm_t:process signal_perms; - ps_process_pattern($1, ajaxterm_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ajaxterm_t:process ptrace; -+ ') -+ - ajaxterm_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 ajaxterm_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if ---- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-11-07 16:15:27.590367760 -0500 -@@ -231,9 +231,13 @@ interface(`amavis_admin',` - type amavis_initrc_exec_t; - ') - -- allow $1 amavis_t:process { ptrace signal_perms }; -+ allow $1 amavis_t:process signal_perms; - ps_process_pattern($1, amavis_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 amavis_t:process ptrace; -+ ') -+ - amavis_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 amavis_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if ---- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-11-07 16:15:27.546367744 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-11-07 16:15:27.592367761 -0500 -@@ -1297,9 +1297,13 @@ interface(`apache_admin',` - type httpd_unit_file_t; - ') - -- allow $1 httpd_t:process { ptrace signal_perms }; -+ allow $1 httpd_t:process signal_perms; - ps_process_pattern($1, httpd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 httpd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, httpd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 httpd_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if ---- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-11-07 16:15:27.593367761 -0500 -@@ -146,9 +146,13 @@ interface(`apcupsd_admin',` - type apcupsd_initrc_exec_t; - ') - -- allow $1 apcupsd_t:process { ptrace signal_perms }; -+ allow $1 apcupsd_t:process signal_perms; - ps_process_pattern($1, apcupsd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 apcupsd_t:process ptrace; -+ ') -+ - apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 apcupsd_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3.10.0/policy/modules/services/apm.te ---- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace 2011-11-07 16:15:27.141367588 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/apm.te 2011-11-07 16:15:27.594367761 -0500 -@@ -60,7 +60,7 @@ logging_send_syslog_msg(apm_t) - # mknod: controlling an orderly resume of PCMCIA requires creating device - # nodes 254,{0,1,2} for some reason. - allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; --dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; -+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; - allow apmd_t self:process { signal_perms getsession }; - allow apmd_t self:fifo_file rw_fifo_file_perms; - allow apmd_t self:netlink_socket create_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if ---- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-11-07 16:15:27.141367588 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-11-07 16:15:27.595367761 -0500 -@@ -137,9 +137,13 @@ interface(`arpwatch_admin',` - type arpwatch_initrc_exec_t; - ') - -- allow $1 arpwatch_t:process { ptrace signal_perms }; -+ allow $1 arpwatch_t:process signal_perms; - ps_process_pattern($1, arpwatch_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 arpwatch_t:process ptrace; -+ ') -+ - arpwatch_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 arpwatch_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if ---- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-11-07 16:15:27.142367589 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-11-07 16:15:27.596367762 -0500 -@@ -64,9 +64,13 @@ interface(`asterisk_admin',` - type asterisk_initrc_exec_t; - ') - -- allow $1 asterisk_t:process { ptrace signal_perms }; -+ allow $1 asterisk_t:process signal_perms; - ps_process_pattern($1, asterisk_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 asterisk_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, asterisk_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 asterisk_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if ---- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-11-07 16:15:27.144367589 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-11-07 16:15:27.597367763 -0500 -@@ -150,9 +150,13 @@ interface(`automount_admin',` - type automount_var_run_t, automount_initrc_exec_t; - ') - -- allow $1 automount_t:process { ptrace signal_perms }; -+ allow $1 automount_t:process signal_perms; - ps_process_pattern($1, automount_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 automount_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, automount_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 automount_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if ---- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-11-07 16:15:27.145367589 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-11-07 16:15:27.597367763 -0500 -@@ -154,9 +154,13 @@ interface(`avahi_admin',` - type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; - ') - -- allow $1 avahi_t:process { ptrace signal_perms }; -+ allow $1 avahi_t:process signal_perms; - ps_process_pattern($1, avahi_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 avahi_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, avahi_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 avahi_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if ---- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-11-07 16:15:27.147367590 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-11-07 16:15:27.598367764 -0500 -@@ -408,12 +408,20 @@ interface(`bind_admin',` - type dnssec_t, ndc_t, named_keytab_t; - ') - -- allow $1 named_t:process { ptrace signal_perms }; -+ allow $1 named_t:process signal_perms; - ps_process_pattern($1, named_t) - -- allow $1 ndc_t:process { ptrace signal_perms }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 named_t:process ptrace; -+ ') -+ -+ allow $1 ndc_t:process signal_perms; - ps_process_pattern($1, ndc_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ndc_t:process ptrace; -+ ') -+ - bind_run_ndc($1, $2) - - init_labeled_script_domtrans($1, named_initrc_exec_t) -diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if ---- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-11-07 16:15:27.599367764 -0500 -@@ -43,9 +43,13 @@ interface(`bitlbee_admin',` - type bitlbee_initrc_exec_t; - ') - -- allow $1 bitlbee_t:process { ptrace signal_perms }; -+ allow $1 bitlbee_t:process signal_perms; - ps_process_pattern($1, bitlbee_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 bitlbee_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, bitlbee_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bitlbee_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if ---- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-11-07 16:15:27.149367591 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-11-07 16:15:27.600367764 -0500 -@@ -28,7 +28,11 @@ interface(`bluetooth_role',` - - # allow ps to show cdrecord and allow the user to kill it - ps_process_pattern($2, bluetooth_helper_t) -- allow $2 bluetooth_helper_t:process { ptrace signal_perms }; -+ allow $2 bluetooth_helper_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 bluetooth_helper_t:process ptrace; -+ ') - - manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) - manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) -@@ -220,9 +224,13 @@ interface(`bluetooth_admin',` - type bluetooth_conf_t, bluetooth_conf_rw_t; - ') - -- allow $1 bluetooth_t:process { ptrace signal_perms }; -+ allow $1 bluetooth_t:process signal_perms; - ps_process_pattern($1, bluetooth_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 bluetooth_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, bluetooth_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 bluetooth_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if ---- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-11-07 16:15:27.151367591 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-11-07 16:15:27.600367764 -0500 -@@ -137,9 +137,13 @@ interface(`boinc_admin',` - type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; - ') - -- allow $1 boinc_t:process { ptrace signal_perms }; -+ allow $1 boinc_t:process signal_perms; - ps_process_pattern($1, boinc_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 boic_t:process ptrace; -+ ') -+ - boinc_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 boinc_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te ---- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-11-07 16:15:27.531367738 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-11-07 16:15:27.601367764 -0500 -@@ -121,9 +121,13 @@ mta_send_mail(boinc_t) - domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) - allow boinc_t boinc_project_t:process sigkill; - --allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop }; -+allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop }; - allow boinc_project_t self:process { execmem execstack }; - -+tunable_policy(`deny_ptrace',`',` -+ allow boinc_project_t self:process ptrace; -+') -+ - allow boinc_project_t self:fifo_file rw_fifo_file_perms; - allow boinc_project_t self:sem create_sem_perms; - -diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if ---- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-11-07 16:15:27.153367592 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-11-07 16:15:27.602367764 -0500 -@@ -62,9 +62,13 @@ interface(`bugzilla_admin',` - type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; - ') - -- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms }; -+ allow $1 httpd_bugzilla_script_t:process signal_perms; - ps_process_pattern($1, httpd_bugzilla_script_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 httpd_bugzilla_script_t:process ptrace; -+ ') -+ - files_list_tmp($1) - admin_pattern($1, httpd_bugzilla_tmp_t) - -diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if ---- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-11-07 16:15:27.156367594 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-11-07 16:15:27.603367765 -0500 -@@ -336,9 +336,13 @@ interface(`callweaver_admin',` - type callweaver_spool_t; - ') - -- allow $1 callweaver_t:process { ptrace signal_perms }; -+ allow $1 callweaver_t:process signal_perms; - ps_process_pattern($1, callweaver_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 callweaver_t:process ptrace; -+ ') -+ - callweaver_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 callweaver_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if ---- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-11-07 16:15:27.604367766 -0500 -@@ -42,9 +42,13 @@ interface(`canna_admin',` - type canna_var_run_t, canna_initrc_exec_t; - ') - -- allow $1 canna_t:process { ptrace signal_perms }; -+ allow $1 canna_t:process signal_perms; - ps_process_pattern($1, canna_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 canna_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, canna_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 canna_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if ---- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-11-07 16:15:27.160367595 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-11-07 16:15:27.604367766 -0500 -@@ -119,9 +119,13 @@ interface(`certmaster_admin',` - type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; - ') - -- allow $1 certmaster_t:process { ptrace signal_perms }; -+ allow $1 certmaster_t:process signal_perms; - ps_process_pattern($1, certmaster_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 certmaster_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, certmaster_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 certmaster_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if ---- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-11-07 16:15:27.161367596 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-11-07 16:15:27.605367766 -0500 -@@ -158,7 +158,11 @@ interface(`certmonger_admin',` - ') - - ps_process_pattern($1, certmonger_t) -- allow $1 certmonger_t:process { ptrace signal_perms }; -+ allow $1 certmonger_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 certmonger_t:process ptrace; -+ ') - - # Allow certmonger_t to restart the apache service - certmonger_initrc_domtrans($1) -diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if ---- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-11-07 16:15:27.163367596 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-11-07 16:15:27.606367766 -0500 -@@ -171,15 +171,27 @@ interface(`cgroup_admin',` - type cgrules_etc_t, cgclear_t; - ') - -- allow $1 cgclear_t:process { ptrace signal_perms }; -+ allow $1 cgclear_t:process signal_perms; - ps_process_pattern($1, cgclear_t) - -- allow $1 cgconfig_t:process { ptrace signal_perms }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cglear_t:process ptrace; -+ ') -+ -+ allow $1 cgconfig_t:process signal_perms; - ps_process_pattern($1, cgconfig_t) - -- allow $1 cgred_t:process { ptrace signal_perms }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cgconfig_t:process ptrace; -+ ') -+ -+ allow $1 cgred_t:process signal_perms; - ps_process_pattern($1, cgred_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cgred_t:process ptrace; -+ ') -+ - admin_pattern($1, cgconfig_etc_t) - admin_pattern($1, cgrules_etc_t) - files_list_etc($1) -diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te ---- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-11-07 16:15:27.164367596 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-11-07 16:15:27.607367766 -0500 -@@ -76,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t) - # cgred personal policy. - # - --allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; -+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override }; -+ - allow cgred_t self:netlink_socket { write bind create read }; - allow cgred_t self:unix_dgram_socket { write create connect }; - -diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if ---- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-11-07 16:15:27.165367596 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-11-07 16:15:27.607367766 -0500 -@@ -217,9 +217,13 @@ interface(`chronyd_admin',` - type chronyd_keys_t; - ') - -- allow $1 chronyd_t:process { ptrace signal_perms }; -+ allow $1 chronyd_t:process signal_perms; - ps_process_pattern($1, chronyd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 chronyd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, chronyd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 chronyd_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if ---- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-11-07 16:15:27.167367598 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-11-07 16:15:27.608367766 -0500 -@@ -176,13 +176,19 @@ interface(`clamav_admin',` - type freshclam_t, freshclam_var_log_t; - ') - -- allow $1 clamd_t:process { ptrace signal_perms }; -+ allow $1 clamd_t:process signal_perms; - ps_process_pattern($1, clamd_t) - -- allow $1 clamscan_t:process { ptrace signal_perms }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 clamd_t:process ptrace; -+ allow $1 clamscan_t:process ptrace; -+ allow $1 freshclam_t:process ptrace; -+ ') -+ -+ allow $1 clamscan_t:process signal_perms; - ps_process_pattern($1, clamscan_t) - -- allow $1 freshclam_t:process { ptrace signal_perms }; -+ allow $1 freshclam_t:process signal_perms; - ps_process_pattern($1, freshclam_t) - - init_labeled_script_domtrans($1, clamd_initrc_exec_t) -diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if ---- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-11-07 16:15:27.172367599 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-11-07 16:15:27.609367767 -0500 -@@ -101,9 +101,13 @@ interface(`cmirrord_admin',` - type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; - ') - -- allow $1 cmirrord_t:process { ptrace signal_perms }; -+ allow $1 cmirrord_t:process signal_perms; - ps_process_pattern($1, cmirrord_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cmorrord_t:process ptrace; -+ ') -+ - cmirrord_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 cmirrord_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if ---- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-11-07 16:15:27.173367600 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-11-07 16:15:27.609367767 -0500 -@@ -189,9 +189,13 @@ interface(`cobblerd_admin',` - type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t; - ') - -- allow $1 cobblerd_t:process { ptrace signal_perms }; -+ allow $1 cobblerd_t:process signal_perms; - ps_process_pattern($1, cobblerd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cobblerd_t:process ptrace; -+ ') -+ - files_list_etc($1) - admin_pattern($1, cobbler_etc_t) - -diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.te ---- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace 2011-11-07 16:15:27.174367601 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cobbler.te 2011-11-07 16:15:27.610367768 -0500 -@@ -60,7 +60,7 @@ files_tmp_file(cobbler_tmp_t) - # - - allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; --dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config }; -+dontaudit cobblerd_t self:capability sys_tty_config; - - allow cobblerd_t self:process { getsched setsched signal }; - allow cobblerd_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if ---- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-11-07 16:15:27.175367601 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-11-07 16:15:27.611367769 -0500 -@@ -142,9 +142,13 @@ interface(`collectd_admin',` - type collectd_var_lib_t; - ') - -- allow $1 collectd_t:process { ptrace signal_perms }; -+ allow $1 collectd_t:process signal_perms; - ps_process_pattern($1, collectd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 collectd_t:process ptrace; -+ ') -+ - collectd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 collectd_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te ---- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-11-07 16:15:27.178367601 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-11-07 16:15:27.611367769 -0500 -@@ -23,7 +23,8 @@ files_tmpfs_file(consolekit_tmpfs_t) - # consolekit local policy - # - --allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; -+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice }; -+ - allow consolekit_t self:process { getsched signal }; - allow consolekit_t self:fifo_file rw_fifo_file_perms; - allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -144,6 +145,8 @@ optional_policy(` - - optional_policy(` - #reading .Xauthity -- unconfined_ptrace(consolekit_t) -+ tunable_policy(`deny_ptrace',`',` -+ unconfined_ptrace(consolekit_t) -+ ') - unconfined_stream_connect(consolekit_t) - ') -diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if ---- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-11-07 16:15:27.179367602 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-11-07 16:15:27.612367769 -0500 -@@ -101,9 +101,13 @@ interface(`corosyncd_admin',` - type corosync_initrc_exec_t; - ') - -- allow $1 corosync_t:process { ptrace signal_perms }; -+ allow $1 corosync_t:process signal_perms; - ps_process_pattern($1, corosync_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 corosync_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, corosync_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 corosync_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te ---- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-11-07 16:15:27.180367603 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-11-07 16:15:27.613367769 -0500 -@@ -33,7 +33,7 @@ files_pid_file(corosync_var_run_t) - # corosync local policy - # - --allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock }; -+allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock }; - allow corosync_t self:process { setpgid setrlimit setsched signal signull }; - - allow corosync_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if ---- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-11-07 16:15:27.184367604 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-11-07 16:15:27.613367769 -0500 -@@ -140,7 +140,11 @@ interface(`cron_role',` - - # crontab shows up in user ps - ps_process_pattern($2, crontab_t) -- allow $2 crontab_t:process { ptrace signal_perms }; -+ allow $2 crontab_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 crontab_t:process ptrace; -+ ') - - # Run helper programs as the user domain - #corecmd_bin_domtrans(crontab_t, $2) -@@ -183,7 +187,10 @@ interface(`cron_unconfined_role',` - - # cronjob shows up in user ps - ps_process_pattern($2, unconfined_cronjob_t) -- allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; -+ allow $2 unconfined_cronjob_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 unconfined_cronjob_t:process ptrace; -+ ') - - optional_policy(` - gen_require(` -@@ -230,7 +237,10 @@ interface(`cron_admin_role',` - - # crontab shows up in user ps - ps_process_pattern($2, admin_crontab_t) -- allow $2 admin_crontab_t:process { ptrace signal_perms }; -+ allow $2 admin_crontab_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 admin_crontab_t:process ptrace; -+ ') - - # Run helper programs as the user domain - #corecmd_bin_domtrans(admin_crontab_t, $2) -diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3.10.0/policy/modules/services/cron.te ---- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace 2011-11-07 16:15:27.532367738 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-11-07 16:15:27.614367769 -0500 -@@ -350,7 +350,6 @@ optional_policy(` - # - - allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; --dontaudit system_cronjob_t self:capability sys_ptrace; - - allow system_cronjob_t self:process { signal_perms getsched setsched }; - allow system_cronjob_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if ---- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-11-07 16:15:27.186367605 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-11-07 16:15:27.615367769 -0500 -@@ -236,8 +236,11 @@ interface(`ctdbd_admin',` - type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; - ') - -- allow $1 ctdbd_t:process { ptrace signal_perms }; -+ allow $1 ctdbd_t:process signal_perms; - ps_process_pattern($1, ctdbd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ctdbd_t:process ptrace; -+ ') - - ctdbd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te ---- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-11-07 16:15:27.187367606 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-11-07 16:15:27.616367770 -0500 -@@ -33,7 +33,7 @@ files_pid_file(ctdbd_var_run_t) - # ctdbd local policy - # - --allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace }; -+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; - allow ctdbd_t self:process { setpgid signal_perms setsched }; - - allow ctdbd_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if ---- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-11-07 16:15:27.188367606 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-11-07 16:15:27.617367771 -0500 -@@ -327,9 +327,13 @@ interface(`cups_admin',` - type ptal_var_run_t; - ') - -- allow $1 cupsd_t:process { ptrace signal_perms }; -+ allow $1 cupsd_t:process signal_perms; - ps_process_pattern($1, cupsd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cupsd_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, cupsd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cupsd_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if ---- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-11-07 16:15:27.190367606 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-11-07 16:15:27.617367771 -0500 -@@ -80,9 +80,13 @@ interface(`cvs_admin',` - type cvs_data_t, cvs_var_run_t; - ') - -- allow $1 cvs_t:process { ptrace signal_perms }; -+ allow $1 cvs_t:process signal_perms; - ps_process_pattern($1, cvs_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cvs_t:process ptrace; -+ ') -+ - # Allow cvs_t to restart the apache service - init_labeled_script_domtrans($1, cvs_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if ---- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-11-07 16:15:27.618367771 -0500 -@@ -62,9 +62,13 @@ interface(`cyrus_admin',` - type cyrus_var_run_t, cyrus_initrc_exec_t; - ') - -- allow $1 cyrus_t:process { ptrace signal_perms }; -+ allow $1 cyrus_t:process signal_perms; - ps_process_pattern($1, cyrus_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 cyrus_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, cyrus_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 cyrus_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if ---- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-11-07 16:15:27.194367609 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-11-07 16:15:27.619367771 -0500 -@@ -71,7 +71,11 @@ template(`dbus_role_template',` - domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - - ps_process_pattern($3, $1_dbusd_t) -- allow $3 $1_dbusd_t:process { ptrace signal_perms }; -+ allow $3 $1_dbusd_t:process signal_perms; -+ -+ tunable_policy(`deny_ptrace',`',` -+ allow $3 $1_dbusd_t:process ptrace; -+ ') - - # cjp: this seems very broken - corecmd_bin_domtrans($1_dbusd_t, $1_t) -diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if ---- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-11-07 16:15:27.197367609 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-11-07 16:15:27.620367771 -0500 -@@ -68,9 +68,13 @@ interface(`ddclient_admin',` - type ddclient_var_run_t; - ') - -- allow $1 ddclient_t:process { ptrace signal_perms }; -+ allow $1 ddclient_t:process signal_perms; - ps_process_pattern($1, ddclient_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ddclient_t:process ptrace; -+ ') -+ - init_labeled_script_domtrans($1, ddclient_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 ddclient_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if ---- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-11-07 16:15:27.198367609 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-11-07 16:15:27.620367771 -0500 -@@ -67,9 +67,13 @@ interface(`denyhosts_admin',` - type denyhosts_var_log_t, denyhosts_initrc_exec_t; - ') - -- allow $1 denyhosts_t:process { ptrace signal_perms }; -+ allow $1 denyhosts_t:process signal_perms; - ps_process_pattern($1, denyhosts_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 denyhosts_t:process ptrace; -+ ') -+ - denyhosts_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 denyhosts_initrc_exec_t system_r; -diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if ---- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-11-07 16:15:27.200367611 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-11-07 16:15:27.621367771 -0500 -@@ -308,13 +308,18 @@ interface(`devicekit_admin',` - type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; - ') - -- allow $1 devicekit_t:process { ptrace signal_perms }; -+ allow $1 devicekit_t:process signal_perms; - ps_process_pattern($1, devicekit_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 devicekit_t:process ptrace; -+ allow $1 devicekit_disk_t:process ptrace; -+ allow $1 devicekit_power_t:process ptrace; -+ ') - -- allow $1 devicekit_disk_t:process { ptrace signal_perms }; -+ allow $1 devicekit_disk_t:process signal_perms; - ps_process_pattern($1, devicekit_disk_t) - -- allow $1 devicekit_power_t:process { ptrace signal_perms }; -+ allow $1 devicekit_power_t:process signal_perms; - ps_process_pattern($1, devicekit_power_t) - - admin_pattern($1, devicekit_tmp_t) -diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te ---- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-11-07 16:15:27.201367611 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-11-07 16:15:27.622367772 -0500 -@@ -65,7 +65,8 @@ optional_policy(` - # DeviceKit disk local policy - # - --allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio }; -+ - allow devicekit_disk_t self:process { getsched signal_perms }; - allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; - allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -199,7 +200,7 @@ optional_policy(` - # DeviceKit-Power local policy - # - --allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; -+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; - allow devicekit_power_t self:process { getsched signal_perms }; - allow devicekit_power_t self:fifo_file rw_fifo_file_perms; - allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if ---- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-11-07 16:15:27.202367611 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-11-07 16:15:27.622367772 -0500 -@@ -105,8 +105,11 @@ interface(`dhcpd_admin',` - type dhcpd_var_run_t, dhcpd_initrc_exec_t; - ') - -- allow $1 dhcpd_t:process { ptrace signal_perms }; -+ allow $1 dhcpd_t:process signal_perms; - ps_process_pattern($1, dhcpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dhcpd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, dhcpd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if ---- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-11-07 16:15:27.623367773 -0500 -@@ -38,8 +38,11 @@ interface(`dictd_admin',` - type dictd_var_run_t, dictd_initrc_exec_t; - ') - -- allow $1 dictd_t:process { ptrace signal_perms }; -+ allow $1 dictd_t:process signal_perms; - ps_process_pattern($1, dictd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dictd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, dictd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if ---- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-11-07 16:15:27.209367614 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-11-07 16:15:27.624367774 -0500 -@@ -298,8 +298,11 @@ interface(`dnsmasq_admin',` - type dnsmasq_initrc_exec_t; - ') - -- allow $1 dnsmasq_t:process { ptrace signal_perms }; -+ allow $1 dnsmasq_t:process signal_perms; - ps_process_pattern($1, dnsmasq_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dnsmasq_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if ---- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-11-07 16:15:27.211367614 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-11-07 16:15:27.624367774 -0500 -@@ -119,8 +119,11 @@ interface(`dovecot_admin',` - type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; - ') - -- allow $1 dovecot_t:process { ptrace signal_perms }; -+ allow $1 dovecot_t:process signal_perms; - ps_process_pattern($1, dovecot_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dovecot_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, dovecot_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if ---- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-11-07 16:15:27.212367614 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-11-07 16:15:27.625367774 -0500 -@@ -120,8 +120,11 @@ interface(`drbd_admin',` - type drbd_var_lib_t; - ') - -- allow $1 drbd_t:process { ptrace signal_perms }; -+ allow $1 drbd_t:process signal_perms; - ps_process_pattern($1, drbd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 drbd_t:process ptrace; -+ ') - - files_search_var_lib($1) - admin_pattern($1, drbd_var_lib_t) -diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if ---- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-11-07 16:15:27.214367616 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-11-07 16:15:27.627367774 -0500 -@@ -244,8 +244,11 @@ interface(`dspam_admin',` - type dspam_var_run_t; - ') - -- allow $1 dspam_t:process { ptrace signal_perms }; -+ allow $1 dspam_t:process signal_perms; - ps_process_pattern($1, dspam_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 dspam_t:process ptrace; -+ ') - - dspam_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if ---- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-11-07 16:15:27.216367617 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-11-07 16:15:27.627367774 -0500 -@@ -260,8 +260,11 @@ interface(`exim_admin',` - type exim_tmp_t, exim_spool_t, exim_var_run_t; - ') - -- allow $1 exim_t:process { ptrace signal_perms }; -+ allow $1 exim_t:process signal_perms; - ps_process_pattern($1, exim_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 exim_t:process ptrace; -+ ') - - exim_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if ---- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-11-07 16:15:27.217367617 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-11-07 16:15:27.628367774 -0500 -@@ -199,8 +199,11 @@ interface(`fail2ban_admin',` - type fail2ban_client_t; - ') - -- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; -+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; - ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; -+ ') - - init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if ---- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-11-07 16:15:27.219367617 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-11-07 16:15:27.629367774 -0500 -@@ -81,8 +81,11 @@ interface(`fcoemon_admin',` - type fcoemon_var_run_t; - ') - -- allow $1 fcoemon_t:process { ptrace signal_perms }; -+ allow $1 fcoemon_t:process signal_perms; - ps_process_pattern($1, fcoemon_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 fcoemon_t:process ptrace; -+ ') - - files_search_pids($1) - admin_pattern($1, fcoemon_var_run_t) -diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if ---- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-11-07 16:15:27.221367619 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-11-07 16:15:27.629367774 -0500 -@@ -18,8 +18,11 @@ interface(`fetchmail_admin',` - type fetchmail_var_run_t; - ') - -- allow $1 fetchmail_t:process { ptrace signal_perms }; -+ allow $1 fetchmail_t:process signal_perms; - ps_process_pattern($1, fetchmail_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 fetchmail_t:process ptrace; -+ ') - - files_list_etc($1) - admin_pattern($1, fetchmail_etc_t) -diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if ---- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-11-07 16:15:27.223367619 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-11-07 16:15:27.630367775 -0500 -@@ -62,8 +62,11 @@ interface(`firewalld_admin',` - type firewalld_initrc_exec_t; - ') - -- allow $1 firewalld_t:process { ptrace signal_perms }; -+ allow $1 firewalld_t:process signal_perms; - ps_process_pattern($1, firewalld_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 firewalld_t:process ptrace; -+ ') - - firewalld_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te ---- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-11-07 16:15:27.225367619 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-11-07 16:15:27.631367776 -0500 -@@ -17,7 +17,8 @@ files_type(fprintd_var_lib_t) - # Local policy - # - --allow fprintd_t self:capability { sys_nice sys_ptrace }; -+allow fprintd_t self:capability sys_nice; -+ - allow fprintd_t self:fifo_file rw_fifo_file_perms; - allow fprintd_t self:process { getsched setsched signal }; - -diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if ---- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-11-07 16:15:27.226367620 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-11-07 16:15:27.631367776 -0500 -@@ -237,8 +237,11 @@ interface(`ftp_admin',` - type ftpd_initrc_exec_t; - ') - -- allow $1 ftpd_t:process { ptrace signal_perms }; -+ allow $1 ftpd_t:process signal_perms; - ps_process_pattern($1, ftpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ftpd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, ftpd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if ---- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-11-07 16:15:27.229367622 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-11-07 16:15:27.632367777 -0500 -@@ -42,8 +42,11 @@ interface(`git_session_role',` - - domtrans_pattern($2, gitd_exec_t, git_session_t) - -- allow $2 git_session_t:process { ptrace signal_perms }; -+ allow $2 git_session_t:process signal_perms; - ps_process_pattern($2, git_session_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 git_session_t:process ptrace; -+ ') - ') - - ######################################## -diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if ---- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-11-07 16:15:27.231367622 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-11-07 16:15:27.633367777 -0500 -@@ -245,10 +245,14 @@ interface(`glance_admin',` - type glance_api_initrc_exec_t; - ') - -- allow $1 glance_registry_t:process { ptrace signal_perms }; -+ allow $1 glance_registry_t:process signal_perms; - ps_process_pattern($1, glance_registry_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 glance_registry_t:process ptrace; -+ allow $1 glance_api_t:process ptrace; -+ ') - -- allow $1 glance_api_t:process { ptrace signal_perms }; -+ allow $1 glance_api_t:process signal_perms; - ps_process_pattern($1, glance_api_t) - - init_labeled_script_domtrans($1, glance_registry_initrc_exec_t) -diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te ---- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-11-07 16:15:27.233367623 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-11-07 16:15:27.633367777 -0500 -@@ -14,7 +14,7 @@ dbus_system_domain(gnomeclock_t, gnomecl - # gnomeclock local policy - # - --allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; -+allow gnomeclock_t self:capability { sys_nice sys_time }; - allow gnomeclock_t self:process { getattr getsched signal }; - allow gnomeclock_t self:fifo_file rw_fifo_file_perms; - allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/gpsd.te ---- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace 2011-11-07 16:15:27.235367624 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/gpsd.te 2011-11-07 16:15:27.634367777 -0500 -@@ -25,7 +25,7 @@ files_pid_file(gpsd_var_run_t) - # - - allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; --dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace }; -+dontaudit gpsd_t self:capability { dac_read_search dac_override }; - allow gpsd_t self:process { setsched signal_perms }; - allow gpsd_t self:shm create_shm_perms; - allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; -diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if ---- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-11-07 16:15:27.533367738 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-11-07 16:15:27.635367777 -0500 -@@ -222,14 +222,21 @@ interface(`hadoop_role',` - hadoop_domtrans($2) - role $1 types hadoop_t; - -- allow $2 hadoop_t:process { ptrace signal_perms }; -+ allow $2 hadoop_t:process signal_perms; - ps_process_pattern($2, hadoop_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 hadoop_t:process ptrace; -+ ') - - hadoop_domtrans_zookeeper_client($2) - role $1 types zookeeper_t; - -- allow $2 zookeeper_t:process { ptrace signal_perms }; -+ allow $2 zookeeper_t:process signal_perms; - ps_process_pattern($2, zookeeper_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 zookeeper_t:process ptrace; -+ ') -+ - ') - - ######################################## -diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if ---- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-11-07 16:15:27.238367624 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-11-07 16:15:27.636367777 -0500 -@@ -70,7 +70,9 @@ interface(`hal_ptrace',` - type hald_t; - ') - -- allow $1 hald_t:process ptrace; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 hald_t:process ptrace; -+ ') - ') - - ######################################## -diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.10.0/policy/modules/services/hal.te ---- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace 2011-11-07 16:15:27.240367626 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/hal.te 2011-11-07 16:15:27.637367778 -0500 -@@ -64,7 +64,7 @@ typealias hald_var_run_t alias pmtools_v - - # execute openvt which needs setuid - allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; --dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; -+dontaudit hald_t self:capability sys_tty_config; - allow hald_t self:process { getsched getattr signal_perms }; - allow hald_t self:fifo_file rw_fifo_file_perms; - allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; -diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if ---- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-11-07 16:15:27.241367627 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-11-07 16:15:27.637367778 -0500 -@@ -60,8 +60,11 @@ interface(`hddtemp_admin',` - type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; - ') - -- allow $1 hddtemp_t:process { ptrace signal_perms }; -+ allow $1 hddtemp_t:process signal_perms; - ps_process_pattern($1, hddtemp_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 hddtemp_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if ---- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-11-07 16:15:27.242367627 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-11-07 16:15:27.638367779 -0500 -@@ -173,8 +173,11 @@ interface(`icecast_admin',` - type icecast_t, icecast_initrc_exec_t; - ') - -- allow $1 icecast_t:process { ptrace signal_perms }; -+ allow $1 icecast_t:process signal_perms; - ps_process_pattern($1, icecast_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 icecast_t:process ptrace; -+ ') - - # Allow icecast_t to restart the apache service - icecast_initrc_domtrans($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if ---- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-11-07 16:15:27.243367627 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-11-07 16:15:27.639367779 -0500 -@@ -117,7 +117,7 @@ interface(`ifplugd_admin',` - type ifplugd_initrc_exec_t; - ') - -- allow $1 ifplugd_t:process { ptrace signal_perms }; -+ allow $1 ifplugd_t:process signal_perms; - ps_process_pattern($1, ifplugd_t) - - init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) -diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.te ---- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace 2011-11-07 16:15:27.243367627 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te 2011-11-07 16:15:27.639367779 -0500 -@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t) - # - - allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; --dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; -+dontaudit ifplugd_t self:capability sys_tty_config; - allow ifplugd_t self:process { signal signull }; - allow ifplugd_t self:fifo_file rw_fifo_file_perms; - allow ifplugd_t self:tcp_socket create_stream_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if ---- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-11-07 16:15:27.247367629 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-11-07 16:15:27.640367779 -0500 -@@ -202,8 +202,11 @@ interface(`inn_admin',` - type innd_initrc_exec_t; - ') - -- allow $1 innd_t:process { ptrace signal_perms }; -+ allow $1 innd_t:process signal_perms; - ps_process_pattern($1, innd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 innd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, innd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if ---- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-11-07 16:15:27.249367629 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-11-07 16:15:27.641367779 -0500 -@@ -143,10 +143,14 @@ interface(`jabber_admin',` - type jabberd_initrc_exec_t, jabberd_router_t; - ') - -- allow $1 jabberd_t:process { ptrace signal_perms }; -+ allow $1 jabberd_t:process signal_perms; - ps_process_pattern($1, jabberd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 jabberd_t:process ptrace; -+ allow $1 jabberd_router_t:process ptrace; -+ ') - -- allow $1 jabberd_router_t:process { ptrace signal_perms }; -+ allow $1 jabberd_router_t:process signal_perms; - ps_process_pattern($1, jabberd_router_t) - - init_labeled_script_domtrans($1, jabberd_initrc_exec_t) -diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if ---- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-11-07 16:15:27.252367630 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-11-07 16:15:27.641367779 -0500 -@@ -340,13 +340,18 @@ interface(`kerberos_admin',` - type krb5kdc_var_run_t, krb5_host_rcache_t; - ') - -- allow $1 kadmind_t:process { ptrace signal_perms }; -+ allow $1 kadmind_t:process signal_perms; - ps_process_pattern($1, kadmind_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kadmind_t:process ptrace; -+ allow $1 krb5kdc_t:process ptrace; -+ allow $1 kpropd_t:process ptrace; -+ ') - -- allow $1 krb5kdc_t:process { ptrace signal_perms }; -+ allow $1 krb5kdc_t:process signal_perms; - ps_process_pattern($1, krb5kdc_t) - -- allow $1 kpropd_t:process { ptrace signal_perms }; -+ allow $1 kpropd_t:process signal_perms; - ps_process_pattern($1, kpropd_t) - - init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if ---- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-11-07 16:15:27.253367631 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-11-07 16:15:27.642367779 -0500 -@@ -101,8 +101,11 @@ interface(`kerneloops_admin',` - type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; - ') - -- allow $1 kerneloops_t:process { ptrace signal_perms }; -+ allow $1 kerneloops_t:process signal_perms; - ps_process_pattern($1, kerneloops_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 kerneloops_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if ---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-11-07 16:15:27.256367632 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-11-07 16:15:27.643367780 -0500 -@@ -58,8 +58,11 @@ interface(`ksmtuned_admin',` - type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; - ') - -- allow $1 ksmtuned_t:process { ptrace signal_perms }; -+ allow $1 ksmtuned_t:process signal_perms; - ps_process_pattern($1, ksmtuned_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ksmtuned_t:process ptrace; -+ ') - - files_list_pids($1) - admin_pattern($1, ksmtuned_var_run_t) -diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te ---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-11-07 16:15:27.256367632 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-11-07 16:15:27.644367781 -0500 -@@ -23,7 +23,7 @@ files_pid_file(ksmtuned_var_run_t) - # ksmtuned local policy - # - --allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; -+allow ksmtuned_t self:capability sys_tty_config; - allow ksmtuned_t self:fifo_file rw_file_perms; - - manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) -diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if ---- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-11-07 16:15:27.258367632 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-11-07 16:15:27.644367781 -0500 -@@ -101,8 +101,11 @@ interface(`l2tpd_admin',` - type l2tpd_var_run_t; - ') - -- allow $1 l2tpd_t:process { ptrace signal_perms }; -+ allow $1 l2tpd_t:process signal_perms; - ps_process_pattern($1, l2tpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 l2tpd_t:process ptrace; -+ ') - - l2tpd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if ---- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-11-07 16:15:27.260367634 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-11-07 16:15:27.645367782 -0500 -@@ -174,8 +174,11 @@ interface(`ldap_admin',` - type slapd_initrc_exec_t; - ') - -- allow $1 slapd_t:process { ptrace signal_perms }; -+ allow $1 slapd_t:process signal_perms; - ps_process_pattern($1, slapd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 slapd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, slapd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if ---- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-11-07 16:15:27.646367782 -0500 -@@ -80,8 +80,11 @@ interface(`lircd_admin',` - type lircd_initrc_exec_t, lircd_etc_t; - ') - -- allow $1 lircd_t:process { ptrace signal_perms }; -+ allow $1 lircd_t:process signal_perms; - ps_process_pattern($1, lircd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 lircd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, lircd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if ---- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-11-07 16:15:27.264367634 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-11-07 16:15:27.646367782 -0500 -@@ -180,8 +180,11 @@ interface(`lldpad_admin',` - type lldpad_var_run_t; - ') - -- allow $1 lldpad_t:process { ptrace signal_perms }; -+ allow $1 lldpad_t:process signal_perms; - ps_process_pattern($1, lldpad_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 lldpad_t:process ptrace; -+ ') - - lldpad_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if ---- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-11-07 16:15:27.265367635 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-11-07 16:15:27.647367782 -0500 -@@ -28,7 +28,10 @@ interface(`lpd_role',` - dontaudit lpr_t $2:unix_stream_socket { read write }; - - ps_process_pattern($2, lpr_t) -- allow $2 lpr_t:process { ptrace signal_perms }; -+ allow $2 lpr_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 lpr_t:process ptrace; -+ ') - - optional_policy(` - cups_read_config($2) -diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if ---- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-11-07 16:15:27.269367637 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-11-07 16:15:27.648367782 -0500 -@@ -47,8 +47,11 @@ interface(`mailscanner_admin',` - role_transition $2 mscan_initrc_exec_t system_r; - allow $2 system_r; - -- allow $1 mscan_t:process { ptrace signal_perms }; -+ allow $1 mscan_t:process signal_perms; - ps_process_pattern($1, mscan_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 mscan_t:process ptrace; -+ ') - - admin_pattern($1, mscan_etc_t) - files_list_etc($1) -diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te ---- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-11-07 16:15:27.271367637 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-11-07 16:15:27.649367782 -0500 -@@ -25,9 +25,6 @@ files_pid_file(matahari_var_run_t) - # - # matahari_hostd local policy - # -- --allow matahari_hostd_t self:capability sys_ptrace; -- - kernel_read_network_state(matahari_hostd_t) - - dev_read_sysfs(matahari_hostd_t) -diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if ---- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-11-07 16:15:27.272367638 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-11-07 16:15:27.649367782 -0500 -@@ -59,8 +59,11 @@ interface(`memcached_admin',` - type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; - ') - -- allow $1 memcached_t:process { ptrace signal_perms }; -+ allow $1 memcached_t:process signal_perms; - ps_process_pattern($1, memcached_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 memcached_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, memcached_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if ---- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-11-07 16:15:27.275367639 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-11-07 16:15:27.650367783 -0500 -@@ -245,7 +245,10 @@ interface(`mock_role',` - mock_run($2, $1) - - ps_process_pattern($2, mock_t) -- allow $2 mock_t:process { ptrace signal_perms }; -+ allow $2 mock_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 mock_t:process ptrace; -+ ') - ') - - ####################################### -@@ -289,10 +292,14 @@ interface(`mock_admin',` - type mock_build_t, mock_etc_t, mock_tmp_t; - ') - -- allow $1 mock_t:process { ptrace signal_perms }; -+ allow $1 mock_t:process signal_perms; - ps_process_pattern($1, mock_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 mock_t:process ptrace; -+ allow $1 mock_build_t:process ptrace; -+ ') - -- allow $1 mock_build_t:process { ptrace signal_perms }; -+ allow $1 mock_build_t:process signal_perms; - ps_process_pattern($1, mock_build_t) - - files_list_var_lib($1) -diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te ---- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-11-07 16:15:27.276367639 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-11-07 16:15:27.651367784 -0500 -@@ -41,7 +41,7 @@ files_config_file(mock_etc_t) - # mock local policy - # - --allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; -+allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; - allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; - # Needed because mock can run java and mono withing build environment - allow mock_t self:process { execmem execstack }; -@@ -164,7 +164,7 @@ optional_policy(` - # - # mock_build local policy - # --allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; -+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner }; - dontaudit mock_build_t self:capability audit_write; - allow mock_build_t self:process { fork setsched setpgid signal_perms }; - allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; -diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if ---- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-11-07 16:15:27.278367640 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-11-07 16:15:27.652367784 -0500 -@@ -24,8 +24,11 @@ interface(`mojomojo_admin',` - type httpd_mojomojo_script_exec_t; - ') - -- allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; -+ allow $1 httpd_mojomojo_script_t:process signal_perms; - ps_process_pattern($1, httpd_mojomojo_script_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 httpd_mojomo_script_t:process ptrace; -+ ') - - files_list_tmp($1) - admin_pattern($1, httpd_mojomojo_tmp_t) -diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if ---- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-11-07 16:15:27.653367784 -0500 -@@ -244,8 +244,11 @@ interface(`mpd_admin',` - type mpd_tmpfs_t; - ') - -- allow $1 mpd_t:process { ptrace signal_perms }; -+ allow $1 mpd_t:process signal_perms; - ps_process_pattern($1, mpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 mpd_t:process ptrace; -+ ') - - mpd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if ---- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-11-07 16:15:27.283367642 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-11-07 16:15:27.653367784 -0500 -@@ -183,8 +183,11 @@ interface(`munin_admin',` - type httpd_munin_content_t, munin_initrc_exec_t; - ') - -- allow $1 munin_t:process { ptrace signal_perms }; -+ allow $1 munin_t:process signal_perms; - ps_process_pattern($1, munin_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 munin_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, munin_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if ---- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-11-07 16:15:27.285367643 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-11-07 16:15:27.654367784 -0500 -@@ -389,8 +389,11 @@ interface(`mysql_admin',` - type mysqld_etc_t; - ') - -- allow $1 mysqld_t:process { ptrace signal_perms }; -+ allow $1 mysqld_t:process signal_perms; - ps_process_pattern($1, mysqld_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 mysqld_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, mysqld_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.te ---- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace 2011-11-07 16:15:27.286367644 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/mysql.te 2011-11-07 16:15:27.655367784 -0500 -@@ -158,7 +158,6 @@ optional_policy(` - # - - allow mysqld_safe_t self:capability { chown dac_override fowner kill }; --dontaudit mysqld_safe_t self:capability sys_ptrace; - allow mysqld_safe_t self:process { setsched getsched setrlimit }; - allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; - -diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if ---- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-11-07 16:15:27.287367644 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-11-07 16:15:27.655367784 -0500 -@@ -225,8 +225,11 @@ interface(`nagios_admin',` - type nagios_etc_t, nrpe_etc_t, nagios_spool_t; - ') - -- allow $1 nagios_t:process { ptrace signal_perms }; -+ allow $1 nagios_t:process signal_perms; - ps_process_pattern($1, nagios_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 nagios_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, nagios_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te ---- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-11-07 16:15:27.291367645 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-11-07 16:15:27.656367785 -0500 -@@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex - - # networkmanager will ptrace itself if gdb is installed - # and it receives a unexpected signal (rh bug #204161) --allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; --dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; -+dontaudit NetworkManager_t self:capability sys_tty_config; - ifdef(`hide_broken_symptoms',` - # caused by some bogus kernel code - dontaudit NetworkManager_t self:capability sys_module; - ') --allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; -+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms }; -+tunable_policy(`deny_ptrace',`',` -+ allow NetworkManager_t self:process ptrace; -+') -+ - allow NetworkManager_t self:fifo_file rw_fifo_file_perms; - allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; - allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if ---- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-11-07 16:15:27.292367646 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-11-07 16:15:27.657367786 -0500 -@@ -390,16 +390,22 @@ interface(`nis_admin',` - type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; - ') - -- allow $1 ypbind_t:process { ptrace signal_perms }; -+ allow $1 ypbind_t:process signal_perms; - ps_process_pattern($1, ypbind_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ypbind_t:process ptrace; -+ allow $1 yppasswdd_t:process ptrace; -+ allow $1 ypserv_t:process ptrace; -+ allow $1 ypxfr_t:process ptrace; -+ ') - -- allow $1 yppasswdd_t:process { ptrace signal_perms }; -+ allow $1 yppasswdd_t:process signal_perms; - ps_process_pattern($1, yppasswdd_t) - -- allow $1 ypserv_t:process { ptrace signal_perms }; -+ allow $1 ypserv_t:process signal_perms; - ps_process_pattern($1, ypserv_t) - -- allow $1 ypxfr_t:process { ptrace signal_perms }; -+ allow $1 ypxfr_t:process signal_perms; - ps_process_pattern($1, ypxfr_t) - - nis_initrc_domtrans($1) -diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if ---- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-11-07 16:15:27.295367647 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-11-07 16:15:27.658367787 -0500 -@@ -321,8 +321,11 @@ interface(`nscd_admin',` - type nscd_initrc_exec_t; - ') - -- allow $1 nscd_t:process { ptrace signal_perms }; -+ allow $1 nscd_t:process signal_perms; - ps_process_pattern($1, nscd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 nscd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, nscd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te ---- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-11-07 16:15:27.296367647 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-11-07 16:15:27.659367787 -0500 -@@ -40,7 +40,7 @@ logging_log_file(nscd_log_t) - # Local policy - # - --allow nscd_t self:capability { kill setgid setuid sys_ptrace }; -+allow nscd_t self:capability { kill setgid setuid }; - dontaudit nscd_t self:capability sys_tty_config; - allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; - allow nscd_t self:fifo_file read_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if ---- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-11-07 16:15:27.296367647 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-11-07 16:15:27.659367787 -0500 -@@ -98,7 +98,10 @@ interface(`nslcd_admin',` - ') - - ps_process_pattern($1, nslcd_t) -- allow $1 nslcd_t:process { ptrace signal_perms }; -+ allow $1 nslcd_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 nslcd_t:process ptrace; -+ ') - - # Allow nslcd_t to restart the apache service - nslcd_initrc_domtrans($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if ---- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-11-07 16:15:27.299367648 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-11-07 16:15:27.660367787 -0500 -@@ -204,8 +204,11 @@ interface(`ntp_admin',` - type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; - ') - -- allow $1 ntpd_t:process { ptrace signal_perms }; -+ allow $1 ntpd_t:process signal_perms; - ps_process_pattern($1, ntpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ntpd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, ntpd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if ---- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-11-07 16:15:27.304367650 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-11-07 16:15:27.661367787 -0500 -@@ -89,8 +89,11 @@ interface(`oident_admin',` - type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; - ') - -- allow $1 oidentd_t:process { ptrace signal_perms }; -+ allow $1 oidentd_t:process signal_perms; - ps_process_pattern($1, oidentd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 oidentd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, oidentd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if ---- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-11-07 16:15:27.661367787 -0500 -@@ -144,8 +144,11 @@ interface(`openvpn_admin',` - type openvpn_var_run_t, openvpn_initrc_exec_t; - ') - -- allow $1 openvpn_t:process { ptrace signal_perms }; -+ allow $1 openvpn_t:process signal_perms; - ps_process_pattern($1, openvpn_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 openvpn_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, openvpn_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if ---- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-11-07 16:15:27.307367651 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-11-07 16:15:27.662367787 -0500 -@@ -31,8 +31,11 @@ interface(`pads_admin',` - type pads_var_run_t; - ') - -- allow $1 pads_t:process { ptrace signal_perms }; -+ allow $1 pads_t:process signal_perms; - ps_process_pattern($1, pads_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 pads_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, pads_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if ---- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-11-07 16:15:27.311367654 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-11-07 16:15:27.663367788 -0500 -@@ -80,8 +80,11 @@ interface(`pingd_admin',` - type pingd_initrc_exec_t; - ') - -- allow $1 pingd_t:process { ptrace signal_perms }; -+ allow $1 pingd_t:process signal_perms; - ps_process_pattern($1, pingd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 pingd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, pingd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te ---- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-11-07 16:15:27.314367654 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-11-07 16:15:27.663367788 -0500 -@@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t) - # - - allow piranha_web_t self:capability { setuid sys_nice kill setgid }; --allow piranha_web_t self:process { getsched setsched signal signull ptrace }; -+allow piranha_web_t self:process { getsched setsched signal signull }; -+tunable_policy(`deny_ptrace',`',` -+ allow piranha_web_t self:process ptrace; -+') -+ - allow piranha_web_t self:rawip_socket create_socket_perms; - allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; - allow piranha_web_t self:sem create_sem_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if ---- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-11-07 16:15:27.315367654 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-11-07 16:15:27.664367789 -0500 -@@ -291,8 +291,11 @@ interface(`plymouthd_admin',` - type plymouthd_var_run_t; - ') - -- allow $1 plymouthd_t:process { ptrace signal_perms }; -+ allow $1 plymouthd_t:process signal_perms; - ps_process_pattern($1, plymouthd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 plymouthd_t:process ptrace; -+ ') - - files_list_var_lib($1) - admin_pattern($1, plymouthd_spool_t) -diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te ---- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-11-07 16:15:27.317367655 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-11-07 16:15:27.665367789 -0500 -@@ -38,7 +38,7 @@ files_pid_file(policykit_var_run_t) - # policykit local policy - # - --allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; -+allow policykit_t self:capability { dac_override dac_read_search setgid setuid }; - allow policykit_t self:process { getsched getattr signal }; - allow policykit_t self:fifo_file rw_fifo_file_perms; - allow policykit_t self:unix_dgram_socket create_socket_perms; -@@ -235,7 +235,7 @@ optional_policy(` - # polkit_resolve local policy - # - --allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; -+allow policykit_resolve_t self:capability { setuid sys_nice }; - allow policykit_resolve_t self:process getattr; - allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; - -diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if ---- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-11-07 16:15:27.318367656 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-11-07 16:15:27.666367789 -0500 -@@ -32,8 +32,11 @@ template(`polipo_role',` - # Policy - # - -- allow $2 polipo_session_t:process { ptrace signal_perms }; -+ allow $2 polipo_session_t:process signal_perms; - ps_process_pattern($2, polipo_session_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 polipo_session_t:process ptrace; -+ ') - - tunable_policy(`polipo_session_users',` - domtrans_pattern($2, polipo_exec_t, polipo_session_t) -@@ -163,8 +166,11 @@ interface(`polipo_admin',` - type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t; - ') - -- allow $1 polipo_t:process { ptrace signal_perms }; -+ allow $1 polipo_t:process signal_perms; - ps_process_pattern($1, polipo_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 polipo_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, polipo_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if ---- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-11-07 16:15:27.667367789 -0500 -@@ -104,8 +104,11 @@ interface(`portreserve_admin',` - type portreserve_initrc_exec_t; - ') - -- allow $1 portreserve_t:process { ptrace signal_perms }; -+ allow $1 portreserve_t:process signal_perms; - ps_process_pattern($1, portreserve_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 portreserve_t:process ptrace; -+ ') - - portreserve_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if ---- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-11-07 16:15:27.323367657 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-11-07 16:15:27.668367789 -0500 -@@ -729,25 +729,36 @@ interface(`postfix_admin',` - type postfix_smtpd_t, postfix_var_run_t; - ') - -- allow $1 postfix_bounce_t:process { ptrace signal_perms }; -+ allow $1 postfix_bounce_t:process signal_perms; - ps_process_pattern($1, postfix_bounce_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postfix_bounce_t:process ptrace; -+ ') - -- allow $1 postfix_cleanup_t:process { ptrace signal_perms }; -+ allow $1 postfix_cleanup_t:process signal_perms; - ps_process_pattern($1, postfix_cleanup_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postfix_cleanup_t:process ptrace; -+ allow $1 postfix_local_t:process ptrace; -+ allow $1 postfix_master_t:process ptrace; -+ allow $1 postfix_pickup_t:process ptrace; -+ allow $1 postfix_qmgr_t:process ptrace; -+ allow $1 postfix_smtpd_t:process ptrace; -+ ') - -- allow $1 postfix_local_t:process { ptrace signal_perms }; -+ allow $1 postfix_local_t:process signal_perms; - ps_process_pattern($1, postfix_local_t) - -- allow $1 postfix_master_t:process { ptrace signal_perms }; -+ allow $1 postfix_master_t:process signal_perms; - ps_process_pattern($1, postfix_master_t) - -- allow $1 postfix_pickup_t:process { ptrace signal_perms }; -+ allow $1 postfix_pickup_t:process signal_perms; - ps_process_pattern($1, postfix_pickup_t) - -- allow $1 postfix_qmgr_t:process { ptrace signal_perms }; -+ allow $1 postfix_qmgr_t:process signal_perms; - ps_process_pattern($1, postfix_qmgr_t) - -- allow $1 postfix_smtpd_t:process { ptrace signal_perms }; -+ allow $1 postfix_smtpd_t:process signal_perms; - ps_process_pattern($1, postfix_smtpd_t) - - postfix_run_map($1, $2) -diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if ---- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-11-07 16:15:27.325367658 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-11-07 16:15:27.668367789 -0500 -@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',` - type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; - ') - -- allow $1 postfix_policyd_t:process { ptrace signal_perms }; -+ allow $1 postfix_policyd_t:process signal_perms; - ps_process_pattern($1, postfix_policyd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postfix_policyd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if ---- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-11-07 16:15:27.327367660 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-11-07 16:15:27.669367790 -0500 -@@ -541,8 +541,11 @@ interface(`postgresql_admin',` - - typeattribute $1 sepgsql_admin_type; - -- allow $1 postgresql_t:process { ptrace signal_perms }; -+ allow $1 postgresql_t:process signal_perms; - ps_process_pattern($1, postgresql_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postgresql_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, postgresql_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if ---- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-11-07 16:15:27.328367660 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-11-07 16:15:27.670367791 -0500 -@@ -62,8 +62,11 @@ interface(`postgrey_admin',` - type postgrey_var_lib_t, postgrey_var_run_t; - ') - -- allow $1 postgrey_t:process { ptrace signal_perms }; -+ allow $1 postgrey_t:process signal_perms; - ps_process_pattern($1, postgrey_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 postgrey_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, postgrey_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if ---- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-11-07 16:15:27.330367660 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-11-07 16:15:27.671367792 -0500 -@@ -386,10 +386,14 @@ interface(`ppp_admin',` - type pppd_initrc_exec_t, pppd_etc_rw_t; - ') - -- allow $1 pppd_t:process { ptrace signal_perms }; -+ allow $1 pppd_t:process signal_perms; - ps_process_pattern($1, pppd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 pppd_t:process ptrace; -+ allow $1 pptp_t:process ptrace; -+ ') - -- allow $1 pptp_t:process { ptrace signal_perms }; -+ allow $1 pptp_t:process signal_perms; - ps_process_pattern($1, pptp_t) - - ppp_initrc_domtrans($1) -diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if ---- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-11-07 16:15:27.332367661 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-11-07 16:15:27.672367792 -0500 -@@ -118,13 +118,18 @@ interface(`prelude_admin',` - type prelude_lml_t; - ') - -- allow $1 prelude_t:process { ptrace signal_perms }; -+ allow $1 prelude_t:process signal_perms; - ps_process_pattern($1, prelude_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 prelude_t:process ptrace; -+ allow $1 prelude_audisp_t:process ptrace; -+ allow $1 prelude_lml_t:process ptrace; -+ ') - -- allow $1 prelude_audisp_t:process { ptrace signal_perms }; -+ allow $1 prelude_audisp_t:process signal_perms; - ps_process_pattern($1, prelude_audisp_t) - -- allow $1 prelude_lml_t:process { ptrace signal_perms }; -+ allow $1 prelude_lml_t:process signal_perms; - ps_process_pattern($1, prelude_lml_t) - - init_labeled_script_domtrans($1, prelude_initrc_exec_t) -diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if ---- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-11-07 16:15:27.673367792 -0500 -@@ -23,8 +23,11 @@ interface(`privoxy_admin',` - type privoxy_etc_rw_t, privoxy_var_run_t; - ') - -- allow $1 privoxy_t:process { ptrace signal_perms }; -+ allow $1 privoxy_t:process signal_perms; - ps_process_pattern($1, privoxy_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 privoxy_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, privoxy_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if ---- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-11-07 16:15:27.336367662 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-11-07 16:15:27.673367792 -0500 -@@ -295,8 +295,11 @@ interface(`psad_admin',` - type psad_tmp_t; - ') - -- allow $1 psad_t:process { ptrace signal_perms }; -+ allow $1 psad_t:process signal_perms; - ps_process_pattern($1, psad_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 psad_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, psad_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te ---- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-11-07 16:15:27.339367664 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-11-07 16:15:27.674367792 -0500 -@@ -62,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t) - # Puppet personal policy - # - --allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; -+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; - allow puppet_t self:process { signal signull getsched setsched }; - allow puppet_t self:fifo_file rw_fifo_file_perms; - allow puppet_t self:netlink_route_socket create_netlink_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if ---- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-11-07 16:15:27.340367665 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-11-07 16:15:27.675367792 -0500 -@@ -29,7 +29,10 @@ interface(`pyzor_role',` - - # allow ps to show pyzor and allow the user to kill it - ps_process_pattern($2, pyzor_t) -- allow $2 pyzor_t:process { ptrace signal_perms }; -+ allow $2 pyzor_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 pyzor_t:process ptrace; -+ ') - ') - - ######################################## -@@ -113,8 +116,11 @@ interface(`pyzor_admin',` - type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t; - ') - -- allow $1 pyzord_t:process { ptrace signal_perms }; -+ allow $1 pyzord_t:process signal_perms; - ps_process_pattern($1, pyzord_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 pyzord_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, pyzord_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if ---- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-11-07 16:15:27.344367665 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-11-07 16:15:27.675367792 -0500 -@@ -177,8 +177,11 @@ interface(`qpidd_admin',` - type qpidd_t, qpidd_initrc_exec_t; - ') - -- allow $1 qpidd_t:process { ptrace signal_perms }; -+ allow $1 qpidd_t:process signal_perms; - ps_process_pattern($1, qpidd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 qpidd_t:process ptrace; -+ ') - - # Allow qpidd_t to restart the apache service - qpidd_initrc_domtrans($1) -diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if ---- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-11-07 16:15:27.676367793 -0500 -@@ -38,8 +38,11 @@ interface(`radius_admin',` - type radiusd_initrc_exec_t; - ') - -- allow $1 radiusd_t:process { ptrace signal_perms }; -+ allow $1 radiusd_t:process signal_perms; - ps_process_pattern($1, radiusd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 radiusd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, radiusd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if ---- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-11-07 16:15:27.347367667 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-11-07 16:15:27.677367794 -0500 -@@ -23,8 +23,11 @@ interface(`radvd_admin',` - type radvd_var_run_t; - ') - -- allow $1 radvd_t:process { ptrace signal_perms }; -+ allow $1 radvd_t:process signal_perms; - ps_process_pattern($1, radvd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 radvd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, radvd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if ---- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-11-07 16:15:27.348367667 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-11-07 16:15:27.677367794 -0500 -@@ -132,7 +132,10 @@ interface(`razor_role',` - - # allow ps to show razor and allow the user to kill it - ps_process_pattern($2, razor_t) -- allow $2 razor_t:process { ptrace signal_perms }; -+ allow $2 razor_t:process signal_perms; -+ tunable_policy(`deny_ptrace',`',` -+ allow $2 razor_t:process ptrace; -+ ') - - manage_dirs_pattern($2, razor_home_t, razor_home_t) - manage_files_pattern($2, razor_home_t, razor_home_t) -diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if ---- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-11-07 16:15:27.352367669 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-11-07 16:15:27.678367794 -0500 -@@ -117,8 +117,11 @@ interface(`rgmanager_admin',` - type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; - ') - -- allow $1 rgmanager_t:process { ptrace signal_perms }; -+ allow $1 rgmanager_t:process signal_perms; - ps_process_pattern($1, rgmanager_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rgmanager_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.te ---- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace 2011-11-07 16:15:27.353367670 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te 2011-11-07 16:15:27.679367794 -0500 -@@ -37,7 +37,6 @@ files_pid_file(rgmanager_var_run_t) - # - - allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; --dontaudit rgmanager_t self:capability { sys_ptrace }; - allow rgmanager_t self:process { setsched signal }; - dontaudit rgmanager_t self:process ptrace; - -diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if ---- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-11-07 16:15:27.359367672 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-11-07 16:15:27.679367794 -0500 -@@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',` - type rhsmcertd_var_run_t; - ') - -- allow $1 rhsmcertd_t:process { ptrace signal_perms }; -+ allow $1 rhsmcertd_t:process signal_perms; - ps_process_pattern($1, rhsmcertd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rhsmcertd_t:process ptrace; -+ ') - - rhsmcertd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if ---- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-11-07 16:15:27.361367672 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-11-07 16:15:27.680367794 -0500 -@@ -245,8 +245,11 @@ interface(`ricci_admin',` - type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; - ') - -- allow $1 ricci_t:process { ptrace signal_perms }; -+ allow $1 ricci_t:process signal_perms; - ps_process_pattern($1, ricci_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ricci_t:process ptrace; -+ ') - - ricci_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if ---- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-11-07 16:15:27.681367794 -0500 -@@ -23,8 +23,11 @@ interface(`roundup_admin',` - type roundup_initrc_exec_t; - ') - -- allow $1 roundup_t:process { ptrace signal_perms }; -+ allow $1 roundup_t:process signal_perms; - ps_process_pattern($1, roundup_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 roundup_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, roundup_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if ---- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-11-07 16:15:27.367367675 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-11-07 16:15:27.682367795 -0500 -@@ -155,8 +155,11 @@ interface(`rpcbind_admin',` - type rpcbind_initrc_exec_t; - ') - -- allow $1 rpcbind_t:process { ptrace signal_perms }; -+ allow $1 rpcbind_t:process signal_perms; - ps_process_pattern($1, rpcbind_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rpcbind_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te ---- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-11-07 16:15:27.370367675 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-11-07 16:15:27.682367795 -0500 -@@ -15,7 +15,7 @@ init_system_domain(rtkit_daemon_t, rtkit - # rtkit_daemon local policy - # - --allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; -+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice }; - allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; - - kernel_read_system_state(rtkit_daemon_t) -diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if ---- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-11-07 16:15:27.371367676 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-11-07 16:15:27.683367796 -0500 -@@ -138,8 +138,11 @@ interface(`rwho_admin',` - type rwho_initrc_exec_t; - ') - -- allow $1 rwho_t:process { ptrace signal_perms }; -+ allow $1 rwho_t:process signal_perms; - ps_process_pattern($1, rwho_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 rwho_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, rwho_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if ---- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-11-07 16:15:27.373367677 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-11-07 16:15:27.684367797 -0500 -@@ -784,13 +784,18 @@ interface(`samba_admin',` - type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; - ') - -- allow $1 smbd_t:process { ptrace signal_perms }; -+ allow $1 smbd_t:process signal_perms; - ps_process_pattern($1, smbd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 smbd_t:process ptrace; -+ allow $1 nmbd_t:process ptrace; -+ allow $1 samba_unconfined_script_t:process ptrace; -+ ') - -- allow $1 nmbd_t:process { ptrace signal_perms }; -+ allow $1 nmbd_t:process signal_perms; - ps_process_pattern($1, nmbd_t) - -- allow $1 samba_unconfined_script_t:process { ptrace signal_perms }; -+ allow $1 samba_unconfined_script_t:process signal_perms; - ps_process_pattern($1, samba_unconfined_script_t) - - samba_run_smbcontrol($1, $2, $3) -diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if ---- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-11-07 16:15:27.685367797 -0500 -@@ -271,10 +271,14 @@ interface(`samhain_admin',` - type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; - ') - -- allow $1 samhain_t:process { ptrace signal_perms }; -+ allow $1 samhain_t:process signal_perms; - ps_process_pattern($1, samhain_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 samhain_t:process ptrace; -+ allow $1 samhaind_t:process ptrace; -+ ') - -- allow $1 samhaind_t:process { ptrace signal_perms }; -+ allow $1 samhaind_t:process signal_perms; - ps_process_pattern($1, samhaind_t) - - files_list_var_lib($1) -diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if ---- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-11-07 16:15:27.376367677 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-11-07 16:15:27.685367797 -0500 -@@ -99,8 +99,11 @@ interface(`sanlock_admin',` - type sanlock_initrc_exec_t; - ') - -- allow $1 sanlock_t:process { ptrace signal_perms }; -+ allow $1 sanlock_t:process signal_perms; - ps_process_pattern($1, sanlock_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 sanlock_t:process ptrace; -+ ') - - sanlock_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if ---- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-11-07 16:15:27.377367678 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-11-07 16:15:27.686367797 -0500 -@@ -42,8 +42,11 @@ interface(`sasl_admin',` - type saslauthd_initrc_exec_t; - ') - -- allow $1 saslauthd_t:process { ptrace signal_perms }; -+ allow $1 saslauthd_t:process signal_perms; - ps_process_pattern($1, saslauthd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 saslauthd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if ---- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-11-07 16:15:27.379367680 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-11-07 16:15:27.687367797 -0500 -@@ -65,11 +65,15 @@ interface(`sblim_admin',` - type sblim_var_run_t; - ') - -- allow $1 sblim_gatherd_t:process { ptrace signal_perms }; -+ allow $1 sblim_gatherd_t:process signal_perms; - ps_process_pattern($1, sblim_gatherd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 sblim_gatherd_t:process ptrace; -+ allow $1 sblim_reposd_t:process ptrace; -+ ') - -- allow $1 sblim_reposd_t:process { ptrace signal_perms }; -- ps_process_pattern($1, sblim_reposd_t) -+ allow $1 sblim_reposd_t:process signal_perms; -+ ps_process_pattern($1, sblim_reposd_t) - - files_search_pids($1) - admin_pattern($1, sblim_var_run_t) -diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te ---- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-11-07 16:15:27.379367680 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-11-07 16:15:27.687367797 -0500 -@@ -24,7 +24,7 @@ files_pid_file(sblim_var_run_t) - # - - #needed by ps --allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override }; -+allow sblim_gatherd_t self:capability { kill dac_override }; - allow sblim_gatherd_t self:process signal; - - allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if ---- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-11-07 16:15:27.380367680 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-11-07 16:15:27.688367797 -0500 -@@ -334,10 +334,14 @@ interface(`sendmail_admin',` - type mail_spool_t; - ') - -- allow $1 sendmail_t:process { ptrace signal_perms }; -+ allow $1 sendmail_t:process signal_perms; - ps_process_pattern($1, sendmail_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 sendmail_t:process ptrace; -+ allow $1 unconfined_sendmail_t:process ptrace; -+ ') - -- allow $1 unconfined_sendmail_t:process { ptrace signal_perms }; -+ allow $1 unconfined_sendmail_t:process signal_perms; - ps_process_pattern($1, unconfined_sendmail_t) - - sendmail_initrc_domtrans($1) -diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if ---- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-11-07 16:15:27.382367680 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-11-07 16:15:27.689367798 -0500 -@@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',` - type setroubleshoot_var_lib_t; - ') - -- allow $1 setroubleshootd_t:process { ptrace signal_perms }; -+ allow $1 setroubleshootd_t:process signal_perms; - ps_process_pattern($1, setroubleshootd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 setroubleshootd_t:process ptrace; -+ ') - - logging_list_logs($1) - admin_pattern($1, setroubleshoot_var_log_t) -diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if ---- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-11-07 16:15:27.384367680 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-11-07 16:15:27.690367799 -0500 -@@ -42,8 +42,11 @@ interface(`smartmon_admin',` - type fsdaemon_initrc_exec_t; - ') - -- allow $1 fsdaemon_t:process { ptrace signal_perms }; -+ allow $1 fsdaemon_t:process signal_perms; - ps_process_pattern($1, fsdaemon_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 smartmon_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if ---- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-11-07 16:15:27.690367799 -0500 -@@ -153,8 +153,11 @@ interface(`smokeping_admin',` - type smokeping_t, smokeping_initrc_exec_t; - ') - -- allow $1 smokeping_t:process { ptrace signal_perms }; -+ allow $1 smokeping_t:process signal_perms; - ps_process_pattern($1, smokeping_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 smokeping_t:process ptrace; -+ ') - - smokeping_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if ---- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-11-07 16:15:27.386367682 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-11-07 16:15:27.691367799 -0500 -@@ -168,8 +168,11 @@ interface(`snmp_admin',` - type snmpd_var_lib_t, snmpd_var_run_t; - ') - -- allow $1 snmpd_t:process { ptrace signal_perms }; -+ allow $1 snmpd_t:process signal_perms; - ps_process_pattern($1, snmpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 snmpd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, snmpd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te ---- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-11-07 16:15:27.387367683 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-11-07 16:15:27.692367799 -0500 -@@ -26,7 +26,8 @@ files_type(snmpd_var_lib_t) - # Local policy - # - --allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; -+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config }; -+ - dontaudit snmpd_t self:capability { sys_module sys_tty_config }; - allow snmpd_t self:process { signal_perms getsched setsched }; - allow snmpd_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if ---- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-11-07 16:15:27.387367683 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-11-07 16:15:27.693367799 -0500 -@@ -41,8 +41,11 @@ interface(`snort_admin',` - type snort_etc_t, snort_initrc_exec_t; - ') - -- allow $1 snort_t:process { ptrace signal_perms }; -+ allow $1 snort_t:process signal_perms; - ps_process_pattern($1, snort_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 snort_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, snort_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if ---- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-11-07 16:15:27.388367683 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-11-07 16:15:27.693367799 -0500 -@@ -37,8 +37,11 @@ interface(`soundserver_admin',` - type soundd_tmp_t, soundd_var_run_t; - ') - -- allow $1 soundd_t:process { ptrace signal_perms }; -+ allow $1 soundd_t:process signal_perms; - ps_process_pattern($1, soundd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 soundd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, soundd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if ---- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-11-07 16:15:27.389367683 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-11-07 16:15:27.694367799 -0500 -@@ -27,12 +27,12 @@ interface(`spamassassin_role',` - - domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) - -- allow $2 spamassassin_t:process { ptrace signal_perms }; -+ allow $2 spamassassin_t:process signal_perms; - ps_process_pattern($2, spamassassin_t) - - domtrans_pattern($2, spamc_exec_t, spamc_t) - -- allow $2 spamc_t:process { ptrace signal_perms }; -+ allow $2 spamc_t:process signal_perms; - ps_process_pattern($2, spamc_t) - - manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t) -@@ -337,8 +337,11 @@ interface(`spamassassin_spamd_admin',` - type spamd_initrc_exec_t; - ') - -- allow $1 spamd_t:process { ptrace signal_perms }; -+ allow $1 spamd_t:process signal_perms; - ps_process_pattern($1, spamd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 spamd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, spamd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if ---- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-11-07 16:15:27.392367684 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-11-07 16:15:27.695367800 -0500 -@@ -209,8 +209,11 @@ interface(`squid_admin',` - type squid_log_t, squid_var_run_t, squid_initrc_exec_t; - ') - -- allow $1 squid_t:process { ptrace signal_perms }; -+ allow $1 squid_t:process signal_perms; - ps_process_pattern($1, squid_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 squid_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, squid_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if ---- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-11-07 16:15:27.394367684 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-11-07 16:15:27.696367801 -0500 -@@ -367,7 +367,7 @@ template(`ssh_role_template',` - - # allow ps to show ssh - ps_process_pattern($3, ssh_t) -- allow $3 ssh_t:process { ptrace signal_perms }; -+ allow $3 ssh_t:process signal_perms; - - # for rsync - allow ssh_t $3:unix_stream_socket rw_socket_perms; -@@ -402,7 +402,7 @@ template(`ssh_role_template',` - stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) - - # Allow the user shell to signal the ssh program. -- allow $3 $1_ssh_agent_t:process { ptrace signal_perms }; -+ allow $3 $1_ssh_agent_t:process signal_perms; - - # allow ps to show ssh - ps_process_pattern($3, $1_ssh_agent_t) -diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if ---- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-11-07 16:15:27.396367686 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-11-07 16:15:27.697367802 -0500 -@@ -234,8 +234,11 @@ interface(`sssd_admin',` - type sssd_t, sssd_public_t, sssd_initrc_exec_t; - ') - -- allow $1 sssd_t:process { ptrace signal_perms }; -+ allow $1 sssd_t:process signal_perms; - ps_process_pattern($1, sssd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 sssd_t:process ptrace; -+ ') - - # Allow sssd_t to restart the apache service - sssd_initrc_domtrans($1) -diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if ---- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-11-07 16:15:27.400367687 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-11-07 16:15:27.697367802 -0500 -@@ -137,8 +137,11 @@ interface(`tcsd_admin',` - type tcsd_var_lib_t; - ') - -- allow $1 tcsd_t:process { ptrace signal_perms }; -+ allow $1 tcsd_t:process signal_perms; - ps_process_pattern($1, tcsd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 tcsd_t:process ptrace; -+ ') - - tcsd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if ---- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-11-07 16:15:27.403367688 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-11-07 16:15:27.698367802 -0500 -@@ -109,8 +109,11 @@ interface(`tftp_admin',` - type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; - ') - -- allow $1 tftpd_t:process { ptrace signal_perms }; -+ allow $1 tftpd_t:process signal_perms; - ps_process_pattern($1, tftpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 tftp_t:process ptrace; -+ ') - - files_list_var_lib($1) - admin_pattern($1, tftpdir_rw_t) -diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if ---- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-11-07 16:15:27.405367690 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-11-07 16:15:27.699367802 -0500 -@@ -42,8 +42,11 @@ interface(`tor_admin',` - type tor_initrc_exec_t; - ') - -- allow $1 tor_t:process { ptrace signal_perms }; -+ allow $1 tor_t:process signal_perms; - ps_process_pattern($1, tor_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 tor_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, tor_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if ---- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-11-07 16:15:27.406367690 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-11-07 16:15:27.699367802 -0500 -@@ -115,8 +115,11 @@ interface(`tuned_admin',` - type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; - ') - -- allow $1 tuned_t:process { ptrace signal_perms }; -+ allow $1 tuned_t:process signal_perms; - ps_process_pattern($1, tuned_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 tuned_t:process ptrace; -+ ') - - tuned_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if ---- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-11-07 16:15:27.700367802 -0500 -@@ -123,8 +123,11 @@ interface(`ulogd_admin',` - type ulogd_var_log_t, ulogd_initrc_exec_t; - ') - -- allow $1 ulogd_t:process { ptrace signal_perms }; -+ allow $1 ulogd_t:process signal_perms; - ps_process_pattern($1, ulogd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 ulogd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, ulogd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if ---- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-11-07 16:15:27.701367802 -0500 -@@ -99,8 +99,11 @@ interface(`uucp_admin',` - type uucpd_var_run_t; - ') - -- allow $1 uucpd_t:process { ptrace signal_perms }; -+ allow $1 uucpd_t:process signal_perms; - ps_process_pattern($1, uucpd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 uucpd_t:process ptrace; -+ ') - - logging_list_logs($1) - admin_pattern($1, uucpd_log_t) -diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if ---- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-11-07 16:15:27.411367691 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-11-07 16:15:27.701367802 -0500 -@@ -177,8 +177,11 @@ interface(`uuidd_admin',` - type uuidd_var_run_t; - ') - -- allow $1 uuidd_t:process { ptrace signal_perms }; -+ allow $1 uuidd_t:process signal_perms; - ps_process_pattern($1, uuidd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 uuidd_t:process ptrace; -+ ') - - uuidd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if ---- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-11-07 16:15:27.702367803 -0500 -@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',` - type varnishlog_var_run_t; - ') - -- allow $1 varnishlog_t:process { ptrace signal_perms }; -+ allow $1 varnishlog_t:process signal_perms; - ps_process_pattern($1, varnishlog_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 varnishd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, varnishlog_initrc_exec_t) - domain_system_change_exemption($1) -@@ -194,8 +197,11 @@ interface(`varnishd_admin',` - type varnishd_initrc_exec_t; - ') - -- allow $1 varnishd_t:process { ptrace signal_perms }; -+ allow $1 varnishd_t:process signal_perms; - ps_process_pattern($1, varnishd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 varnishd_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, varnishd_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if ---- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-11-07 16:15:27.413367693 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-11-07 16:15:27.703367804 -0500 -@@ -118,8 +118,11 @@ interface(`vdagent_admin',` - type vdagent_var_run_t; - ') - -- allow $1 vdagent_t:process { ptrace signal_perms }; -+ allow $1 vdagent_t:process signal_perms; - ps_process_pattern($1, vdagent_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 vdagent_t:process ptrace; -+ ') - - files_search_pids($1) - admin_pattern($1, vdagent_var_run_t) -diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if ---- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-11-07 16:15:27.415367693 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-11-07 16:15:27.703367804 -0500 -@@ -210,8 +210,11 @@ interface(`vhostmd_admin',` - type vhostmd_t, vhostmd_initrc_exec_t; - ') - -- allow $1 vhostmd_t:process { ptrace signal_perms }; -+ allow $1 vhostmd_t:process signal_perms; - ps_process_pattern($1, vhostmd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 vhostmd_t:process ptrace; -+ ') - - vhostmd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if ---- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-11-07 16:15:27.417367693 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-11-07 16:15:27.704367804 -0500 -@@ -620,10 +620,14 @@ interface(`virt_admin',` - type virt_lxc_t; - ') - -- allow $1 virtd_t:process { ptrace signal_perms }; -+ allow $1 virtd_t:process signal_perms; - ps_process_pattern($1, virtd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 virtd_t:process ptrace; -+ allow $1 virt_lxc_t:process ptrace; -+ ') - -- allow $1 virt_lxc_t:process { ptrace signal_perms }; -+ allow $1 virt_lxc_t:process signal_perms; - ps_process_pattern($1, virt_lxc_t) - - init_labeled_script_domtrans($1, virtd_initrc_exec_t) -@@ -639,7 +643,7 @@ interface(`virt_admin',` - - virt_manage_images($1) - -- allow $1 virt_domain:process { ptrace signal_perms }; -+ allow $1 virt_domain:process signal_perms; - ') - - ######################################## -diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te ---- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-11-07 16:15:27.507367728 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-11-07 16:15:27.705367804 -0500 -@@ -250,7 +250,7 @@ optional_policy(` - # virtd local policy - # - --allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; -+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; - allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; - ifdef(`hide_broken_symptoms',` - # caused by some bogus kernel code -@@ -853,7 +853,6 @@ optional_policy(` - # virt_lxc_domain local policy - # - allow svirt_lxc_domain self:capability { kill setuid setgid dac_override }; --dontaudit svirt_lxc_domain self:capability sys_ptrace; - - allow virtd_t svirt_lxc_domain:process { signal_perms }; - allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; -diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if ---- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-11-07 16:15:27.420367695 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-11-07 16:15:27.706367804 -0500 -@@ -136,8 +136,11 @@ interface(`vnstatd_admin',` - type vnstatd_t, vnstatd_var_lib_t; - ') - -- allow $1 vnstatd_t:process { ptrace signal_perms }; -+ allow $1 vnstatd_t:process signal_perms; - ps_process_pattern($1, vnstatd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 vnstatd_t:process ptrace; -+ ') - - files_list_var_lib($1) - admin_pattern($1, vnstatd_var_lib_t) -diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if ---- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-11-07 16:15:27.423367695 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-11-07 16:15:27.707367804 -0500 -@@ -62,8 +62,11 @@ interface(`wdmd_admin',` - type wdmd_initrc_exec_t; - ') - -- allow $1 wdmd_t:process { ptrace signal_perms }; -+ allow $1 wdmd_t:process signal_perms; - ps_process_pattern($1, wdmd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 wdmd_t:process ptrace; -+ ') - - wdmd_initrc_domtrans($1) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te ---- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-11-07 16:15:27.536367739 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-11-07 16:15:27.708367805 -0500 -@@ -417,8 +417,13 @@ optional_policy(` - # XDM Local policy - # - --allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; --allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace }; -+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -+ -+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; -+tunable_policy(`deny_ptrace',`',` -+ allow xdm_t self:process ptrace; -+') -+ - allow xdm_t self:fifo_file rw_fifo_file_perms; - allow xdm_t self:shm create_shm_perms; - allow xdm_t self:sem create_sem_perms; -@@ -930,7 +935,8 @@ allow xserver_t input_xevent_t:x_event s - # execheap needed until the X module loader is fixed. - # NVIDIA Needs execstack - --allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -+ - dontaudit xserver_t self:capability chown; - allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow xserver_t self:fd use; -diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if ---- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-11-07 16:15:27.429367698 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-11-07 16:15:27.709367806 -0500 -@@ -142,8 +142,11 @@ interface(`zabbix_admin',` - type zabbix_initrc_exec_t; - ') - -- allow $1 zabbix_t:process { ptrace signal_perms }; -+ allow $1 zabbix_t:process signal_perms; - ps_process_pattern($1, zabbix_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 zabbix_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, zabbix_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if ---- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-11-07 16:15:27.432367700 -0500 -+++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-11-07 16:15:27.709367806 -0500 -@@ -64,8 +64,11 @@ interface(`zebra_admin',` - type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; - ') - -- allow $1 zebra_t:process { ptrace signal_perms }; -+ allow $1 zebra_t:process signal_perms; - ps_process_pattern($1, zebra_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 zebra_t:process ptrace; -+ ') - - init_labeled_script_domtrans($1, zebra_initrc_exec_t) - domain_system_change_exemption($1) -diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-3.10.0/policy/modules/system/hotplug.te ---- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace 2011-11-07 16:15:27.443367703 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/hotplug.te 2011-11-07 16:15:27.710367807 -0500 -@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) - # - - allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; --dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; -+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; - # for access("/etc/bashrc", X_OK) on Red Hat - dontaudit hotplug_t self:capability { dac_override dac_read_search }; - allow hotplug_t self:process { setpgid getsession getattr signal_perms }; -diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if ---- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-11-07 16:15:27.445367705 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-11-07 16:15:27.711367807 -0500 -@@ -1123,7 +1123,9 @@ interface(`init_ptrace',` - type init_t; - ') - -- allow $1 init_t:process ptrace; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 init_t:process ptrace; -+ ') - ') - - ######################################## -diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te ---- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-11-07 16:15:27.537367740 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-11-07 16:15:27.712367807 -0500 -@@ -121,7 +121,7 @@ ifdef(`enable_mls',` - # - - # Use capabilities. old rule: --allow init_t self:capability ~{ audit_control audit_write sys_module }; -+allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module }; - # is ~sys_module really needed? observed: - # sys_boot - # sys_tty_config -@@ -410,7 +410,8 @@ optional_policy(` - # - - allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; --allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module }; -+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module }; -+ - dontaudit initrc_t self:capability sys_module; # sysctl is triggering this - allow initrc_t self:passwd rootok; - allow initrc_t self:key manage_key_perms; -diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te ---- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-11-07 16:15:27.449367705 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-11-07 16:15:27.713367807 -0500 -@@ -73,7 +73,7 @@ role system_r types setkey_t; - # - - allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; --dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; -+dontaudit ipsec_t self:capability sys_tty_config; - allow ipsec_t self:process { getcap setcap getsched signal setsched }; - allow ipsec_t self:tcp_socket create_stream_socket_perms; - allow ipsec_t self:udp_socket create_socket_perms; -@@ -193,8 +193,8 @@ optional_policy(` - # - - allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; --dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; --allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; -+dontaudit ipsec_mgmt_t self:capability sys_tty_config; -+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; - allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; - allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; - allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -251,9 +251,6 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) - kernel_getattr_core_if(ipsec_mgmt_t) - kernel_getattr_message_if(ipsec_mgmt_t) - --# don't audit using of lsof --dontaudit ipsec_mgmt_t self:capability sys_ptrace; -- - domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) - domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) - -diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.10.0/policy/modules/system/iscsi.te ---- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace 2011-11-07 16:15:27.451367707 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/iscsi.te 2011-11-07 16:15:27.714367807 -0500 -@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t) - # - - allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; --dontaudit iscsid_t self:capability sys_ptrace; - allow iscsid_t self:process { setrlimit setsched signal }; - allow iscsid_t self:fifo_file rw_fifo_file_perms; - allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; -diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te ---- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-11-07 16:15:27.455367708 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-11-07 16:15:27.715367807 -0500 -@@ -35,7 +35,7 @@ role system_r types sulogin_t; - # Local login local policy - # - --allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config }; -+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config }; - allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap }; - allow local_login_t self:fd use; - allow local_login_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if ---- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-11-07 16:15:27.457367709 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-11-07 16:15:27.716367808 -0500 -@@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',` - type auditd_initrc_exec_t; - ') - -- allow $1 auditd_t:process { ptrace signal_perms }; -+ allow $1 auditd_t:process signal_perms; - ps_process_pattern($1, auditd_t) - -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 auditd_t:process ptrace; -+ ') -+ - manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) - -@@ -1142,10 +1146,14 @@ interface(`logging_admin_syslog',` - ') - - allow $1 self:capability2 syslog; -- allow $1 syslogd_t:process { ptrace signal_perms }; -- allow $1 klogd_t:process { ptrace signal_perms }; -+ allow $1 syslogd_t:process signal_perms; -+ allow $1 klogd_t:process signal_perms; - ps_process_pattern($1, syslogd_t) - ps_process_pattern($1, klogd_t) -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 syslogd_t:process ptrace; -+ allow $1 klogd_t:process ptrace; -+ ') - - manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) - manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te ---- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-11-07 16:15:27.466367713 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-11-07 16:15:27.717367809 -0500 -@@ -48,7 +48,11 @@ role system_r types showmount_t; - - # setuid/setgid needed to mount cifs - allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; --allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal }; -+allow mount_t self:process { getcap getsched setcap setrlimit signal }; -+tunable_policy(`deny_ptrace',`',` -+ allow mount_t self:process ptrace; -+') -+ - allow mount_t self:fifo_file rw_fifo_file_perms; - allow mount_t self:unix_stream_socket create_stream_socket_perms; - allow mount_t self:unix_dgram_socket create_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te ---- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-11-07 16:15:27.474367716 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-11-07 16:15:27.717367809 -0500 -@@ -51,10 +51,13 @@ files_config_file(net_conf_t) - # DHCP client local policy - # - allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; --dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; -+dontaudit dhcpc_t self:capability sys_tty_config; - # for access("/etc/bashrc", X_OK) on Red Hat - dontaudit dhcpc_t self:capability { dac_read_search sys_module }; --allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; -+allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms }; -+tunable_policy(`deny_ptrace',`',` -+ allow dhcpc_t self:process ptrace; -+') - - allow dhcpc_t self:fifo_file rw_fifo_file_perms; - allow dhcpc_t self:tcp_socket create_stream_socket_perms; -diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te ---- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-11-07 16:15:27.478367717 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-11-07 16:15:27.718367810 -0500 -@@ -34,7 +34,7 @@ ifdef(`enable_mcs',` - # Local policy - # - --allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; -+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; - dontaudit udev_t self:capability sys_tty_config; - - ifdef(`hide_broken_symptoms',` -@@ -42,7 +42,11 @@ ifdef(`hide_broken_symptoms',` - dontaudit udev_t self:capability sys_module; - ') - --allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+tunable_policy(`deny_ptrace',`',` -+ allow udev_t self:process ptrace; -+') -+ - allow udev_t self:process { execmem setfscreate }; - allow udev_t self:fd use; - allow udev_t self:fifo_file rw_fifo_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if ---- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-11-07 16:15:27.495367723 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-11-07 16:15:27.719367810 -0500 -@@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',` - ') - - # Use any Linux capability. -- allow $1 self:capability ~sys_module; -+ -+ allow $1 self:capability ~{ sys_module sys_ptrace }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 self:capability sys_ptrace; -+ ') -+ - allow $1 self:capability2 syslog; - allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; - -diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if ---- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-11-07 16:15:27.539367741 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-11-07 16:15:27.721367810 -0500 -@@ -47,7 +47,10 @@ template(`userdom_base_user_template',` - term_user_tty($1_t, user_tty_device_t) - term_dontaudit_getattr_generic_ptys($1_t) - -- allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; -+ allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1_usertype $1_usertype:process ptrace; -+ ') - allow $1_usertype $1_usertype:fd use; - allow $1_usertype $1_t:key { create view read write search link setattr }; - -@@ -903,7 +906,7 @@ template(`userdom_login_user_template', - allow $1_t self:capability { setgid chown fowner }; - dontaudit $1_t self:capability { sys_nice fsetid }; - -- allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; -+ allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; - dontaudit $1_t self:process setrlimit; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - -@@ -1364,7 +1367,10 @@ template(`userdom_admin_user_template',` - # $1_t local policy - # - -- allow $1_t self:capability ~{ sys_module audit_control audit_write }; -+ allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write }; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1_t self:capability sys_ptrace; -+ ') - allow $1_t self:capability2 syslog; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; -@@ -4001,7 +4007,9 @@ interface(`userdom_ptrace_all_users',` - attribute userdomain; - ') - -- allow $1 userdomain:process ptrace; -+ tunable_policy(`deny_ptrace',`',` -+ allow $1 userdomain:process ptrace; -+ ') - ') - - ######################################## -diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace serefpolicy-3.10.0/policy/modules/system/xen.te ---- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace 2011-11-07 16:15:27.487367720 -0500 -+++ serefpolicy-3.10.0/policy/modules/system/xen.te 2011-11-07 16:15:27.721367810 -0500 -@@ -206,7 +206,6 @@ tunable_policy(`xend_run_qemu',` - # - - allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; --dontaudit xend_t self:capability { sys_ptrace }; - allow xend_t self:process { signal sigkill }; - dontaudit xend_t self:process ptrace; - # internal communication is often done using fifo and unix sockets.