diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index f756bc4..4b98c08 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -64,12 +64,6 @@ template(`cdrecord_per_userdomain_template', `
 allow $2 $1_cdrecord_t:dir { search getattr read };
 allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
 allow $2 $1_cdrecord_t:process getattr;
- #We need to suppress this denial because procps
- #tries to access /proc/pid/environ and this now
- #triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps
- #to not do this, or only if running in a privileged domain.
- dontaudit $2 $1_cdrecord_t:process ptrace;
 allow $2 $1_cdrecord_t:process signal;
 # Transition from the user domain to the derived domain.
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 946a9fb..16b640e 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -170,11 +170,6 @@ template(`evolution_per_userdomain_template',`
 allow $2 $1_evolution_t:dir { search getattr read };
 allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
 allow $2 $1_evolution_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_evolution_t:process ptrace;
 #FIXME check to see if really needed
 kernel_read_kernel_sysctls($1_evolution_t)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 1cd0fbf..9fe7592 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -96,11 +96,6 @@ template(`irc_per_userdomain_template',`
 allow $2 $1_irc_t:dir { search getattr read };
 allow $2 $1_irc_t:{ file lnk_file } { read getattr };
 allow $2 $1_irc_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_irc_t:process ptrace;
 kernel_read_proc_symlinks($1_irc_t)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 26e7bad..747bde4 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -106,11 +106,6 @@ template(`mozilla_per_userdomain_template',`
 allow $2 $1_mozilla_t:dir { search getattr read };
 allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
 allow $2 $1_mozilla_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_mozilla_t:process ptrace;
 allow $2 $1_mozilla_t:process signal_perms;
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 12e9260..347f0fb 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -81,11 +81,6 @@ template(`mplayer_per_userdomain_template',`
 allow $2 $1_mencoder_t:dir { search getattr read };
 allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
 allow $2 $1_mencoder_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_mencoder_t:process ptrace;
 allow $2 $1_mencoder_t:process signal_perms;
 # Read /proc files and directories
@@ -295,11 +290,6 @@ template(`mplayer_per_userdomain_template',`
 allow $2 $1_mplayer_t:dir { search getattr read };
 allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
 allow $2 $1_mplayer_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_mplayer_t:process ptrace;
 allow $2 $1_mplayer_t:process signal_perms;
 kernel_dontaudit_list_unlabeled($1_mplayer_t)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 2e197eb..0c84014 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -87,11 +87,6 @@ template(`thunderbird_per_userdomain_template',`
 allow $2 $1_thunderbird_t:dir { search getattr read };
 allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
 allow $2 $1_thunderbird_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_thunderbird_t:process ptrace;
 # Access ~/.thunderbird
 allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 4a6899b..22c035f 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -99,11 +99,6 @@ template(`tvtime_per_userdomain_template',`
 allow $2 $1_tvtime_t:dir { search getattr read };
 allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
 allow $2 $1_tvtime_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_tvtime_t:process ptrace;
 allow $2 $1_tvtime_t:process signal_perms;
 kernel_read_all_sysctls($1_tvtime_t)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index abc568f..fb067bb 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -120,11 +120,6 @@ template(`uml_per_userdomain_template',`
 allow $2 $1_uml_t:dir { search getattr read };
 allow $2 $1_uml_t:{ file lnk_file } { read getattr };
 allow $2 $1_uml_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_uml_t:process ptrace;
 allow $2 $1_uml_tmp_t:dir create_dir_perms;
 allow $2 $1_uml_tmp_t:file create_file_perms;
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index fb6b883..88033ab 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -186,7 +186,6 @@ template(`cron_per_userdomain_template',`
 allow $2 $1_crontab_t:dir { search getattr read };
 allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
 allow $2 $1_crontab_t:process getattr;
- dontaudit $2 $1_crontab_t:process ptrace;
 # for ^Z
 allow $2 $1_crontab_t:process signal;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 6868bb6..bac7292 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -174,16 +174,6 @@ template(`xserver_common_domain_template',` optional_policy(` xfs_stream_connect($1_xserver_t) ') - - ifdef(`TODO',` - ifdef(`distro_redhat',` - ifdef(`rpm.te', ` - allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr }; - allow $1_xserver_t rpm_tmpfs_t:file { read write }; - rpm_use_fds($1_xserver_t) - ') - ') - ') dnl end TODO ') ####################################### @@ -317,8 +307,6 @@ template(`xserver_per_userdomain_template',` ') ifdef(`TODO',` - allow $1_t xdm_xserver_t:unix_stream_socket connectto; - ifdef(`xdm.te', ` allow $1_t xdm_tmp_t:sock_file unlink; allow $1_xserver_t xdm_var_run_t:dir search; @@ -352,11 +340,6 @@ template(`xserver_per_userdomain_template',` allow $2 $1_xauth_t:dir { search getattr read }; allow $2 $1_xauth_t:{ file lnk_file } { read getattr }; allow $2 $1_xauth_t:process getattr; - # We need to suppress this denial because procps tries to access - # /proc/pid/environ and this now triggers a ptrace check in recent kernels - # (2.4 and 2.6). Might want to change procps to not do this, or only if - # running in a privileged domain. - dontaudit $2 $1_xauth_t:process ptrace; allow $2 $1_xauth_home_t:file manage_file_perms; allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; 
@@ -419,11 +402,6 @@ template(`xserver_per_userdomain_template',`
 allow $2 $1_iceauth_t:dir { search getattr read };
 allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
 allow $2 $1_iceauth_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_iceauth_t:process ptrace;
 allow $2 $1_iceauth_home_t:file manage_file_perms;
 allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4e76bd4..cfe04fa 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -620,12 +620,6 @@ interface(`init_read_script_state',`
 allow $1 initrc_t:dir r_dir_perms;
 allow $1 initrc_t:{ file lnk_file } r_file_perms;
 allow $1 initrc_t:process getattr;
-
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $1 initrc_t:process ptrace;
 ')
 ########################################
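Review bot: The init.if hunk removes `dontaudit $1 initrc_t:process ptrace;` from init_read_script_state() without adding an `allow` in its place, so the ptrace access stays denied and the only behavioral change is that the denial is now audited; if a caller still reads /proc/pid/environ of an initrc_t process (the procps case the removed comment describes), every such read will now land in the AVC log. That may be intended, but nothing in the commit shows whether procps no longer triggers the check or the suppression moved to a shared interface, and a silently dropped dontaudit tends to become per-`ps` audit noise that can bury genuine ptrace attempts. I would leave a one-line marker where the rule was, e.g. `# ptrace dontaudit (procps reading /proc/pid/environ) intentionally dropped; denials are now audited`, or state the reason in the commit description. The same point applies to each of the per-userdomain template hunks in this commit. The body of init_read_script_state() starts outside the hunk.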