diff --git a/apache.patch b/apache.patch index 4575cda..065be6a 100644 --- a/apache.patch +++ b/apache.patch @@ -1,81 +1,8 @@ -diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index cf3d50b..3ded83e 100644 ---- a/policy/modules/kernel/domain.if -+++ b/policy/modules/kernel/domain.if -@@ -75,34 +75,6 @@ interface(`domain_base_type',` - interface(`domain_type',` - # start with basic domain - domain_base_type($1) -- -- ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_use_fds($1) -- ') -- ') -- -- # send init a sigchld and signull -- optional_policy(` -- init_sigchld($1) -- init_signull($1) -- ') -- -- # these seem questionable: -- -- optional_policy(` -- rpm_use_fds($1) -- rpm_read_pipes($1) -- ') -- -- optional_policy(` -- selinux_dontaudit_getattr_fs($1) -- selinux_dontaudit_read_fs($1) -- ') -- -- optional_policy(` -- seutil_dontaudit_read_config($1) -- ') - ') - - ######################################## -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index 00e20f7..db2a183 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -285,3 +285,30 @@ optional_policy(` - # broken kernel - dontaudit can_change_object_identity can_change_object_identity:key link; - -+ifdef(`distro_redhat',` -+ optional_policy(` -+ unconfined_use_fds(domain) -+ ') -+') -+ -+# send init a sigchld and signull -+optional_policy(` -+ init_sigchld(domain) -+ init_signull(domain) -+') -+ -+# these seem questionable: -+ -+optional_policy(` -+ rpm_use_fds(domain) -+ rpm_read_pipes(domain) -+') -+ -+optional_policy(` -+ selinux_dontaudit_getattr_fs(domain) -+ selinux_dontaudit_read_fs(domain) -+') -+ -+optional_policy(` -+ seutil_dontaudit_read_config(domain) -+') -diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index e12bbc0..606323d 100644 ---- a/policy/modules/services/apache.if -+++ b/policy/modules/services/apache.if +diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.if.apache serefpolicy-3.10.0/policy/modules/kernel/domain.if +diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.apache serefpolicy-3.10.0/policy/modules/kernel/domain.te +diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.apache serefpolicy-3.10.0/policy/modules/services/apache.if +--- serefpolicy-3.10.0/policy/modules/services/apache.if.apache 2011-10-11 10:17:05.262944711 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-10-11 10:17:13.416929487 -0400 @@ -16,55 +16,43 @@ template(`apache_content_template',` attribute httpd_exec_scripts, httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -240,11 +167,10 @@ index e12bbc0..606323d 100644 ') ') -diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index f165efd..adf2423 100644 ---- a/policy/modules/services/apache.te -+++ b/policy/modules/services/apache.te -@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_write, false) +diff -up serefpolicy-3.10.0/policy/modules/services/apache.te.apache serefpolicy-3.10.0/policy/modules/services/apache.te +--- serefpolicy-3.10.0/policy/modules/services/apache.te.apache 2011-10-11 10:17:05.263944709 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/apache.te 2011-10-11 10:17:13.418929446 -0400 +@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_ attribute httpdcontent; attribute httpd_user_content_type; diff --git a/booleans-mls.conf b/booleans-mls.conf index ed149cd..c264bb2 100644 --- a/booleans-mls.conf +++ b/booleans-mls.conf @@ -1,4 +1,4 @@ -d# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # allow_execmem = false @@ -38,9 +38,9 @@ allow_saslauthd_read_shadow = false # allow_smbd_anon_write = false -# Allow sysadm to ptrace all processes +# Deny all processes the ability to ptrace other processes # -allow_ptrace = false +deny_ptrace = false # Allow system to run with NIS # diff --git a/booleans-targeted.conf b/booleans-targeted.conf index d564050..2477bd2 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -210,9 +210,9 @@ allow_daemons_use_tty = false # allow_polyinstantiation = false -# Allow confined domains to ptrace them selves +# Deny all processes the ability to ptrace other processes # -allow_ptrace = true +deny_ptrace = false # Allow all domains to dump core # @@ -267,6 +267,10 @@ unconfined_mozilla_plugin_transition=true # unconfined_telepathy_transition=true +# Allow unconfined domain to transition to chrome_sandbox confined domain +# +unconfined_chrome_sandbox_transition=true + # Allow telepathy domains to connect to all network ports # telepathy_tcp_connect_generic_network_ports=true diff --git a/policy-F16.patch b/policy-F16.patch index 7ae3dcf..1eb543f 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -540,7 +540,7 @@ index 63eb96b..17a9f6d 100644 ## ## Execute bootloader interactively and do diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index d3da8f2..9152065 100644 +index d3da8f2..9e5a1d0 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -23,7 +23,7 @@ role system_r types bootloader_t; @@ -552,12 +552,55 @@ index d3da8f2..9152065 100644 # # The temp file is used for initrd creation; -@@ -116,18 +116,18 @@ init_rw_script_pipes(bootloader_t) +@@ -38,7 +38,7 @@ dev_node(bootloader_tmp_t) + # bootloader local policy + # + +-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; ++allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown }; + allow bootloader_t self:process { signal_perms execmem }; + allow bootloader_t self:fifo_file rw_fifo_file_perms; + +@@ -78,6 +78,7 @@ dev_rw_nvram(bootloader_t) + + fs_getattr_xattr_fs(bootloader_t) + fs_getattr_tmpfs(bootloader_t) ++fs_list_hugetlbfs(bootloader_t) + fs_read_tmpfs_symlinks(bootloader_t) + #Needed for ia64 + fs_manage_dos_files(bootloader_t) +@@ -86,6 +87,7 @@ mls_file_read_all_levels(bootloader_t) + mls_file_write_all_levels(bootloader_t) + + term_getattr_all_ttys(bootloader_t) ++term_getattr_all_ptys(bootloader_t) + term_dontaudit_manage_pty_dirs(bootloader_t) + + corecmd_exec_all_executables(bootloader_t) +@@ -101,6 +103,7 @@ files_read_usr_src_files(bootloader_t) + files_read_usr_files(bootloader_t) + files_read_var_files(bootloader_t) + files_read_kernel_modules(bootloader_t) ++files_read_kernel_symbol_table(bootloader_t) + # for nscd + files_dontaudit_search_pids(bootloader_t) + # for blkid.tab +@@ -108,6 +111,7 @@ files_manage_etc_runtime_files(bootloader_t) + files_etc_filetrans_etc_runtime(bootloader_t, file) + files_dontaudit_search_home(bootloader_t) + ++ + init_getattr_initctl(bootloader_t) + init_use_script_ptys(bootloader_t) + init_use_script_fds(bootloader_t) +@@ -115,19 +119,21 @@ init_rw_script_pipes(bootloader_t) + libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) - -+auth_use_nsswitch(bootloader_t) ++libs_use_ld_so(bootloader_t) + ++auth_use_nsswitch(bootloader_t) + logging_send_syslog_msg(bootloader_t) logging_rw_generic_logs(bootloader_t) @@ -570,11 +613,12 @@ index d3da8f2..9152065 100644 seutil_dontaudit_search_config(bootloader_t) -userdom_use_user_terminals(bootloader_t) ++userdom_getattr_user_tmpfs_files(bootloader_t) +userdom_use_inherited_user_terminals(bootloader_t) userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -162,8 +162,10 @@ ifdef(`distro_redhat',` +@@ -162,8 +168,10 @@ ifdef(`distro_redhat',` files_manage_isid_type_blk_files(bootloader_t) files_manage_isid_type_chr_files(bootloader_t) @@ -587,7 +631,7 @@ index d3da8f2..9152065 100644 optional_policy(` unconfined_domain(bootloader_t) -@@ -171,6 +173,10 @@ ifdef(`distro_redhat',` +@@ -171,6 +179,10 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -598,7 +642,24 @@ index d3da8f2..9152065 100644 fstools_exec(bootloader_t) ') -@@ -197,10 +203,7 @@ optional_policy(` +@@ -180,6 +192,10 @@ optional_policy(` + ') + + optional_policy(` ++ gpm_getattr_gpmctl(bootloader_t) ++') ++ ++optional_policy(` + kudzu_domtrans(bootloader_t) + ') + +@@ -192,15 +208,13 @@ optional_policy(` + + optional_policy(` + modutils_exec_insmod(bootloader_t) ++ modutils_list_module_config(bootloader_t) + modutils_read_module_deps(bootloader_t) + modutils_read_module_config(bootloader_t) modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) modutils_exec_update_mods(bootloader_t) @@ -3828,10 +3889,18 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..4779a8d 100644 +index 441cf22..772a68e 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te -@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t) +@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto; + + kernel_read_system_state(chfn_t) + kernel_read_kernel_sysctls(chfn_t) ++kernel_dontaudit_getattr_core_if(chfn_t) + + selinux_get_fs_mount(chfn_t) + selinux_validate_context(chfn_t) +@@ -79,18 +80,17 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -3854,7 +3923,15 @@ index 441cf22..4779a8d 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -@@ -118,6 +117,10 @@ userdom_use_unpriv_users_fds(chfn_t) +@@ -105,6 +105,7 @@ files_dontaudit_search_home(chfn_t) + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(chfn_t) ++init_dontaudit_getattr_initctl(chfn_t) + + miscfiles_read_localization(chfn_t) + +@@ -118,6 +119,10 @@ userdom_use_unpriv_users_fds(chfn_t) # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) @@ -3865,7 +3942,7 @@ index 441cf22..4779a8d 100644 ######################################## # # Crack local policy -@@ -194,8 +197,7 @@ selinux_compute_create_context(groupadd_t) +@@ -194,8 +199,7 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -3875,7 +3952,7 @@ index 441cf22..4779a8d 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -277,6 +279,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -277,6 +281,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -3883,7 +3960,7 @@ index 441cf22..4779a8d 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -291,17 +294,18 @@ selinux_compute_create_context(passwd_t) +@@ -291,17 +296,18 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -3906,7 +3983,7 @@ index 441cf22..4779a8d 100644 domain_use_interactive_fds(passwd_t) -@@ -311,6 +315,8 @@ files_search_var(passwd_t) +@@ -311,6 +317,8 @@ files_search_var(passwd_t) files_dontaudit_search_pids(passwd_t) files_relabel_etc_files(passwd_t) @@ -3915,7 +3992,7 @@ index 441cf22..4779a8d 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -323,7 +329,7 @@ miscfiles_read_localization(passwd_t) +@@ -323,7 +331,7 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) @@ -3924,7 +4001,7 @@ index 441cf22..4779a8d 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -332,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +340,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3932,7 +4009,7 @@ index 441cf22..4779a8d 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,8 +388,7 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,8 +390,7 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3942,7 +4019,7 @@ index 441cf22..4779a8d 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) -@@ -426,7 +432,7 @@ optional_policy(` +@@ -426,7 +434,7 @@ optional_policy(` # Useradd local policy # @@ -3951,7 +4028,7 @@ index 441cf22..4779a8d 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -448,8 +454,12 @@ corecmd_exec_shell(useradd_t) +@@ -448,8 +456,12 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3964,7 +4041,7 @@ index 441cf22..4779a8d 100644 files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -460,6 +470,7 @@ fs_search_auto_mountpoints(useradd_t) +@@ -460,6 +472,7 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) @@ -3972,7 +4049,7 @@ index 441cf22..4779a8d 100644 # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) -@@ -469,8 +480,7 @@ selinux_compute_create_context(useradd_t) +@@ -469,8 +482,7 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -3982,7 +4059,7 @@ index 441cf22..4779a8d 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,21 +508,11 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,21 +510,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -4953,10 +5030,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..89acd12 100644 +index f5afe78..47c5063 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,786 @@ +@@ -1,44 +1,787 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -5065,6 +5142,7 @@ index f5afe78..89acd12 100644 + dbus_session_bus_client($1_gkeyringd_t) + gnome_home_dir_filetrans($1_gkeyringd_t) + gnome_manage_generic_home_dirs($1_gkeyringd_t) ++ gnome_read_generic_data_home_files($1_gkeyringd_t) + + optional_policy(` + telepathy_mission_control_read_state($1_gkeyringd_t) @@ -5761,7 +5839,7 @@ index f5afe78..89acd12 100644 ## ## ## -@@ -46,37 +788,60 @@ interface(`gnome_role',` +@@ -46,37 +789,60 @@ interface(`gnome_role',` ## ## # @@ -5833,7 +5911,7 @@ index f5afe78..89acd12 100644 ## ## ## -@@ -84,37 +849,38 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +850,38 @@ template(`gnome_read_gconf_config',` ## ## # @@ -5883,7 +5961,7 @@ index f5afe78..89acd12 100644 ## ## ## -@@ -122,17 +888,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +889,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -5905,7 +5983,7 @@ index f5afe78..89acd12 100644 ## ## ## -@@ -140,51 +906,335 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +907,335 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -6590,7 +6668,7 @@ index 40e0a2a..93d212c 100644 ## ## Send generic signals to user gpg processes. diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te -index 9050e8c..3b10693 100644 +index 9050e8c..b5d4ca3 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0) @@ -6665,7 +6743,7 @@ index 9050e8c..3b10693 100644 mta_write_config(gpg_t) -@@ -142,6 +161,11 @@ tunable_policy(`use_samba_home_dirs',` +@@ -142,6 +161,15 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -6674,10 +6752,14 @@ index 9050e8c..3b10693 100644 +') + +optional_policy(` ++ mta_read_spool(gpg_t) ++') ++ ++optional_policy(` mozilla_read_user_home_files(gpg_t) mozilla_write_user_home_files(gpg_t) ') -@@ -151,10 +175,10 @@ optional_policy(` +@@ -151,10 +179,10 @@ optional_policy(` xserver_rw_xdm_pipes(gpg_t) ') @@ -6692,7 +6774,7 @@ index 9050e8c..3b10693 100644 ######################################## # -@@ -191,7 +215,7 @@ files_read_etc_files(gpg_helper_t) +@@ -191,7 +219,7 @@ files_read_etc_files(gpg_helper_t) auth_use_nsswitch(gpg_helper_t) @@ -6701,7 +6783,7 @@ index 9050e8c..3b10693 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -205,11 +233,12 @@ tunable_policy(`use_samba_home_dirs',` # # GPG agent local policy # @@ -6715,7 +6797,7 @@ index 9050e8c..3b10693 100644 allow gpg_agent_t self:fifo_file rw_fifo_file_perms; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -@@ -239,19 +264,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) +@@ -239,19 +268,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. @@ -6738,7 +6820,7 @@ index 9050e8c..3b10693 100644 userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) ') -@@ -332,6 +358,10 @@ miscfiles_read_localization(gpg_pinentry_t) +@@ -332,6 +362,10 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) @@ -6749,7 +6831,7 @@ index 9050e8c..3b10693 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) -@@ -342,11 +372,21 @@ tunable_policy(`use_samba_home_dirs',` +@@ -342,11 +376,21 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -6771,7 +6853,7 @@ index 9050e8c..3b10693 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +396,28 @@ optional_policy(` +@@ -356,4 +400,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -8477,10 +8559,10 @@ index 0000000..1925bd9 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..9bf1dd8 +index 0000000..008fbe3 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,338 @@ +@@ -0,0 +1,340 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -8557,6 +8639,7 @@ index 0000000..9bf1dd8 + +tunable_policy(`nsplugin_can_network',` + corenet_tcp_connect_all_unreserved_ports(nsplugin_t) ++ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t) +') + +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) @@ -8670,6 +8753,7 @@ index 0000000..9bf1dd8 + gnome_exec_gconf(nsplugin_t) + gnome_manage_config(nsplugin_t) + gnome_read_gconf_home_files(nsplugin_t) ++ gnome_read_usr_config(nsplugin_t) +') + +optional_policy(` @@ -9393,10 +9477,10 @@ index 4c091ca..a58f123 100644 + +/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0) diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te -index f594e12..c4ee834 100644 +index f594e12..2025c1f 100644 --- a/policy/modules/apps/sambagui.te +++ b/policy/modules/apps/sambagui.te -@@ -27,6 +27,7 @@ corecmd_exec_bin(sambagui_t) +@@ -27,11 +27,13 @@ corecmd_exec_bin(sambagui_t) dev_dontaudit_read_urand(sambagui_t) @@ -9404,7 +9488,13 @@ index f594e12..c4ee834 100644 files_read_etc_files(sambagui_t) files_search_var_lib(sambagui_t) files_read_usr_files(sambagui_t) -@@ -56,6 +57,7 @@ optional_policy(` + + auth_use_nsswitch(sambagui_t) ++auth_dontaudit_read_shadow(sambagui_t) + + logging_send_syslog_msg(sambagui_t) + +@@ -56,6 +58,7 @@ optional_policy(` samba_manage_var_files(sambagui_t) samba_read_secrets(sambagui_t) samba_initrc_domtrans(sambagui_t) @@ -10921,7 +11011,7 @@ index 3cfb128..d49274d 100644 + gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..b4888b3 100644 +index 2533ea0..6de0d2d 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -26,12 +26,18 @@ attribute telepathy_executable; @@ -11019,12 +11109,22 @@ index 2533ea0..b4888b3 100644 dev_read_rand(telepathy_mission_control_t) -@@ -194,6 +230,16 @@ tunable_policy(`use_samba_home_dirs',` +@@ -194,6 +230,26 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_mission_control_t) ') +optional_policy(` -+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) ++ dbus_system_bus_client(telepathy_mission_control_t) ++ ++ optional_policy(` ++ devicekit_dbus_chat_power(telepathy_mission_control_t) ++ ') ++ optional_policy(` ++ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t) ++ ') ++ optional_policy(` ++ networkmanager_dbus_chat(telepathy_mission_control_t) ++ ') +') + +# ~/.cache/.mc_connections. @@ -11036,7 +11136,7 @@ index 2533ea0..b4888b3 100644 ####################################### # # Telepathy Butterfly and Haze local policy. -@@ -205,8 +251,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,8 +261,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -11048,7 +11148,7 @@ index 2533ea0..b4888b3 100644 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -246,6 +295,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +305,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` @@ -11059,7 +11159,7 @@ index 2533ea0..b4888b3 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -361,14 +414,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; +@@ -361,14 +424,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; allow telepathy_domain self:tcp_socket create_socket_perms; allow telepathy_domain self:udp_socket create_socket_perms; @@ -11078,7 +11178,7 @@ index 2533ea0..b4888b3 100644 miscfiles_read_localization(telepathy_domain) optional_policy(` -@@ -376,5 +431,23 @@ optional_policy(` +@@ -376,5 +441,23 @@ optional_policy(` ') optional_policy(` @@ -12125,7 +12225,7 @@ index 9e9263a..59c2125 100644 manage_lnk_files_pattern($1, bin_t, bin_t) ') diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 4f3b542..54e4c81 100644 +index 4f3b542..cf422f4 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',` @@ -12782,8 +12882,9 @@ index 4f3b542..54e4c81 100644 gen_require(` - attribute port_type, reserved_port_type; + attribute unreserved_port_type; -+ ') -+ + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; + allow $1 unreserved_port_type:udp_socket name_bind; +') + @@ -12800,9 +12901,8 @@ index 4f3b542..54e4c81 100644 +interface(`corenet_tcp_bind_all_ephemeral_ports',` + gen_require(` + attribute ephemeral_port_type; - ') - -- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ ') ++ + allow $1 ephemeral_port_type:tcp_socket name_bind; +') + @@ -12843,7 +12943,7 @@ index 4f3b542..54e4c81 100644 ') ######################################## -@@ -1900,6 +2341,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',` +@@ -1900,6 +2341,42 @@ interface(`corenet_tcp_connect_all_reserved_ports',` ######################################## ## @@ -12863,20 +12963,37 @@ index 4f3b542..54e4c81 100644 + allow $1 unreserved_port_type:dccp_socket name_connect; +') + ++####################################### ++## ++## Connect TCP sockets to ports > 1024. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_tcp_connect_unreserved_ports',` ++ gen_require(` ++ type unreserved_port_t; ++ ') ++ ++ allow $1 unreserved_port_t:tcp_socket name_connect; ++') ++ +######################################## +## ## Connect TCP sockets to all ports > 1024. ## ## -@@ -1910,10 +2369,47 @@ interface(`corenet_tcp_connect_all_reserved_ports',` +@@ -1910,10 +2387,47 @@ interface(`corenet_tcp_connect_all_reserved_ports',` # interface(`corenet_tcp_connect_all_unreserved_ports',` gen_require(` - attribute port_type, reserved_port_type; + attribute unreserved_port_type; - ') - -- allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; ++ ') ++ + allow $1 unreserved_port_type:tcp_socket name_connect; +') + @@ -12912,13 +13029,14 @@ index 4f3b542..54e4c81 100644 +interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; -+ ') -+ + ') + +- allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; + dontaudit $1 reserved_port_type:dccp_socket name_connect; ') ######################################## -@@ -1937,6 +2433,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` +@@ -1937,6 +2451,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` ######################################## ## @@ -12943,7 +13061,7 @@ index 4f3b542..54e4c81 100644 ## Connect TCP sockets to rpc ports. ## ## -@@ -1955,6 +2469,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` +@@ -1955,6 +2487,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` ######################################## ## @@ -12969,7 +13087,7 @@ index 4f3b542..54e4c81 100644 ## Do not audit attempts to connect TCP sockets ## all rpc ports. ## -@@ -1993,6 +2526,24 @@ interface(`corenet_rw_tun_tap_dev',` +@@ -1993,6 +2544,24 @@ interface(`corenet_rw_tun_tap_dev',` ######################################## ## @@ -12994,7 +13112,7 @@ index 4f3b542..54e4c81 100644 ## Do not audit attempts to read or write the TUN/TAP ## virtual network device. ## -@@ -2049,6 +2600,25 @@ interface(`corenet_rw_ppp_dev',` +@@ -2049,6 +2618,25 @@ interface(`corenet_rw_ppp_dev',` ######################################## ## @@ -13020,7 +13138,7 @@ index 4f3b542..54e4c81 100644 ## Bind TCP sockets to all RPC ports. ## ## -@@ -2068,6 +2638,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` +@@ -2068,6 +2656,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` ######################################## ## @@ -13045,7 +13163,7 @@ index 4f3b542..54e4c81 100644 ## Do not audit attempts to bind TCP sockets to all RPC ports. ## ## -@@ -2194,6 +2782,25 @@ interface(`corenet_tcp_recv_netlabel',` +@@ -2194,6 +2800,25 @@ interface(`corenet_tcp_recv_netlabel',` ######################################## ## @@ -13071,7 +13189,7 @@ index 4f3b542..54e4c81 100644 ## Receive TCP packets from a NetLabel connection. ## ## -@@ -2213,6 +2820,31 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2213,6 +2838,31 @@ interface(`corenet_tcp_recvfrom_netlabel',` ######################################## ## @@ -13103,7 +13221,7 @@ index 4f3b542..54e4c81 100644 ## Receive TCP packets from an unlabled connection. ## ## -@@ -2222,9 +2854,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2222,9 +2872,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## # interface(`corenet_tcp_recvfrom_unlabeled',` @@ -13118,7 +13236,7 @@ index 4f3b542..54e4c81 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2249,6 +2886,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` +@@ -2249,6 +2904,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` ######################################## ## @@ -13145,7 +13263,7 @@ index 4f3b542..54e4c81 100644 ## Do not audit attempts to receive TCP packets from a NetLabel ## connection. ## -@@ -2269,6 +2926,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` +@@ -2269,6 +2944,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## @@ -13173,7 +13291,7 @@ index 4f3b542..54e4c81 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2533,6 +3211,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` +@@ -2533,6 +3229,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## # interface(`corenet_all_recvfrom_unlabeled',` @@ -13181,7 +13299,7 @@ index 4f3b542..54e4c81 100644 kernel_tcp_recvfrom_unlabeled($1) kernel_udp_recvfrom_unlabeled($1) kernel_raw_recvfrom_unlabeled($1) -@@ -2571,7 +3250,31 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2571,7 +3268,31 @@ interface(`corenet_all_recvfrom_netlabel',` ') allow $1 netlabel_peer_t:peer recv; @@ -13214,7 +13332,7 @@ index 4f3b542..54e4c81 100644 ') ######################################## -@@ -2585,6 +3288,7 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2585,6 +3306,7 @@ interface(`corenet_all_recvfrom_netlabel',` ## # interface(`corenet_dontaudit_all_recvfrom_unlabeled',` @@ -13222,7 +13340,7 @@ index 4f3b542..54e4c81 100644 kernel_dontaudit_tcp_recvfrom_unlabeled($1) kernel_dontaudit_udp_recvfrom_unlabeled($1) kernel_dontaudit_raw_recvfrom_unlabeled($1) -@@ -2613,7 +3317,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` +@@ -2613,7 +3335,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` ') dontaudit $1 netlabel_peer_t:peer recv; @@ -13259,7 +13377,7 @@ index 4f3b542..54e4c81 100644 ') ######################################## -@@ -2727,6 +3459,7 @@ interface(`corenet_raw_recvfrom_labeled',` +@@ -2727,6 +3477,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## # interface(`corenet_all_recvfrom_labeled',` @@ -15080,10 +15198,45 @@ index 08f01e7..1c2562c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..cf3d50b 100644 +index 6a1e4d1..3ded83e 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if -@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',` +@@ -75,34 +75,6 @@ interface(`domain_base_type',` + interface(`domain_type',` + # start with basic domain + domain_base_type($1) +- +- ifdef(`distro_redhat',` +- optional_policy(` +- unconfined_use_fds($1) +- ') +- ') +- +- # send init a sigchld and signull +- optional_policy(` +- init_sigchld($1) +- init_signull($1) +- ') +- +- # these seem questionable: +- +- optional_policy(` +- rpm_use_fds($1) +- rpm_read_pipes($1) +- ') +- +- optional_policy(` +- selinux_dontaudit_getattr_fs($1) +- selinux_dontaudit_read_fs($1) +- ') +- +- optional_policy(` +- seutil_dontaudit_read_config($1) +- ') + ') + + ######################################## +@@ -631,7 +603,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## @@ -15092,7 +15245,7 @@ index 6a1e4d1..cf3d50b 100644 ## ## ## -@@ -655,7 +655,7 @@ interface(`domain_getattr_all_domains',` +@@ -655,7 +627,7 @@ interface(`domain_getattr_all_domains',` ## ## ## @@ -15101,7 +15254,7 @@ index 6a1e4d1..cf3d50b 100644 ## ## # -@@ -1530,4 +1530,29 @@ interface(`domain_unconfined',` +@@ -1530,4 +1502,29 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -15132,7 +15285,7 @@ index 6a1e4d1..cf3d50b 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..00e20f7 100644 +index fae1ab1..db2a183 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -15225,7 +15378,7 @@ index fae1ab1..00e20f7 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,91 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +197,118 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -15317,6 +15470,33 @@ index fae1ab1..00e20f7 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; + ++ifdef(`distro_redhat',` ++ optional_policy(` ++ unconfined_use_fds(domain) ++ ') ++') ++ ++# send init a sigchld and signull ++optional_policy(` ++ init_sigchld(domain) ++ init_signull(domain) ++') ++ ++# these seem questionable: ++ ++optional_policy(` ++ rpm_use_fds(domain) ++ rpm_read_pipes(domain) ++') ++ ++optional_policy(` ++ selinux_dontaudit_getattr_fs(domain) ++ selinux_dontaudit_read_fs(domain) ++') ++ ++optional_policy(` ++ seutil_dontaudit_read_config(domain) ++') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c19518a..12e8e9c 100644 --- a/policy/modules/kernel/files.fc @@ -17335,7 +17515,7 @@ index 22821ff..20251b0 100644 ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..a75dbe4 100644 +index 97fcdac..e5652a1 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -17818,7 +17998,33 @@ index 97fcdac..a75dbe4 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4457,6 +4732,8 @@ interface(`fs_mount_all_fs',` +@@ -4251,6 +4526,25 @@ interface(`fs_manage_tmpfs_files',` + + ######################################## + ## ++## Execute files on a tmpfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_exec_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ exec_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## + ## Read and write, create and delete symbolic + ## links on tmpfs filesystems. + ## +@@ -4457,6 +4751,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -17827,7 +18033,7 @@ index 97fcdac..a75dbe4 100644 ') ######################################## -@@ -4503,7 +4780,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4799,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -17836,7 +18042,7 @@ index 97fcdac..a75dbe4 100644 ## Example attributes: ##

##
    -@@ -4866,3 +5143,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5162,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -20250,10 +20456,10 @@ index 2be17d2..bfabe3f 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..7cd6d4f 100644 +index e14b961..80db5fc 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -24,20 +24,51 @@ ifndef(`enable_mls',` +@@ -24,20 +24,47 @@ ifndef(`enable_mls',` # # Local policy # @@ -20293,11 +20499,7 @@ index e14b961..7cd6d4f 100644 # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) -+userdom_manage_user_tmp_dirs(sysadm_t) -+userdom_manage_user_tmp_files(sysadm_t) -+userdom_manage_user_tmp_symlinks(sysadm_t) -+userdom_manage_user_tmp_chr_files(sysadm_t) -+userdom_manage_user_tmp_blk_files(sysadm_t) ++userdom_manage_tmp_role(sysadm_r, sysadm_t) + +optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) @@ -20305,7 +20507,7 @@ index e14b961..7cd6d4f 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,6 +86,7 @@ ifndef(`enable_mls',` +@@ -55,6 +82,7 @@ ifndef(`enable_mls',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) @@ -20313,7 +20515,7 @@ index e14b961..7cd6d4f 100644 ') tunable_policy(`allow_ptrace',` -@@ -67,9 +99,9 @@ optional_policy(` +@@ -67,9 +95,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -20324,7 +20526,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -98,6 +130,10 @@ optional_policy(` +@@ -98,6 +126,10 @@ optional_policy(` ') optional_policy(` @@ -20335,7 +20537,7 @@ index e14b961..7cd6d4f 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -110,11 +146,19 @@ optional_policy(` +@@ -110,11 +142,19 @@ optional_policy(` ') optional_policy(` @@ -20356,7 +20558,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -128,6 +172,10 @@ optional_policy(` +@@ -128,6 +168,10 @@ optional_policy(` ') optional_policy(` @@ -20367,7 +20569,7 @@ index e14b961..7cd6d4f 100644 dmesg_exec(sysadm_t) ') -@@ -163,6 +211,13 @@ optional_policy(` +@@ -163,6 +207,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -20381,7 +20583,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -170,15 +225,20 @@ optional_policy(` +@@ -170,15 +221,20 @@ optional_policy(` ') optional_policy(` @@ -20405,7 +20607,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -198,22 +258,19 @@ optional_policy(` +@@ -198,22 +254,19 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -20433,7 +20635,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -225,25 +282,47 @@ optional_policy(` +@@ -225,25 +278,47 @@ optional_policy(` ') optional_policy(` @@ -20481,7 +20683,7 @@ index e14b961..7cd6d4f 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,19 +332,19 @@ optional_policy(` +@@ -253,19 +328,19 @@ optional_policy(` ') optional_policy(` @@ -20505,7 +20707,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -274,10 +353,7 @@ optional_policy(` +@@ -274,10 +349,7 @@ optional_policy(` optional_policy(` rpm_run(sysadm_t, sysadm_r) @@ -20517,7 +20719,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -302,12 +378,18 @@ optional_policy(` +@@ -302,12 +374,18 @@ optional_policy(` ') optional_policy(` @@ -20537,7 +20739,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -332,7 +414,10 @@ optional_policy(` +@@ -332,7 +410,10 @@ optional_policy(` ') optional_policy(` @@ -20549,7 +20751,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -343,19 +428,15 @@ optional_policy(` +@@ -343,19 +424,15 @@ optional_policy(` ') optional_policy(` @@ -20571,7 +20773,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -367,45 +448,45 @@ optional_policy(` +@@ -367,45 +444,45 @@ optional_policy(` ') optional_policy(` @@ -20628,7 +20830,7 @@ index e14b961..7cd6d4f 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +499,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +495,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20639,7 +20841,7 @@ index e14b961..7cd6d4f 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +516,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +512,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -20647,7 +20849,7 @@ index e14b961..7cd6d4f 100644 ') optional_policy(` -@@ -446,11 +524,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +520,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25661,10 +25863,10 @@ index 59aa54f..f944a65 100644 /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if -index 44a1e3d..f5c476a 100644 +index 44a1e3d..7802b7b 100644 --- a/policy/modules/services/bind.if +++ b/policy/modules/services/bind.if -@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',` +@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',` ######################################## ## @@ -25683,7 +25885,6 @@ index 44a1e3d..f5c476a 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 named_unit_file_t:file read_file_perms; + allow $1 named_unit_file_t:service all_service_perms; + @@ -25695,7 +25896,7 @@ index 44a1e3d..f5c476a 100644 ## Execute ndc in the ndc domain. ## ## -@@ -186,7 +210,7 @@ interface(`bind_write_config',` +@@ -186,7 +209,7 @@ interface(`bind_write_config',` ') write_files_pattern($1, named_conf_t, named_conf_t) @@ -25704,7 +25905,7 @@ index 44a1e3d..f5c476a 100644 ') ######################################## -@@ -266,7 +290,7 @@ interface(`bind_setattr_pid_dirs',` +@@ -266,7 +289,7 @@ interface(`bind_setattr_pid_dirs',` type named_var_run_t; ') @@ -25713,7 +25914,7 @@ index 44a1e3d..f5c476a 100644 ') ######################################## -@@ -284,7 +308,7 @@ interface(`bind_setattr_zone_dirs',` +@@ -284,7 +307,7 @@ interface(`bind_setattr_zone_dirs',` type named_zone_t; ') @@ -25722,7 +25923,7 @@ index 44a1e3d..f5c476a 100644 ') ######################################## -@@ -308,6 +332,27 @@ interface(`bind_read_zone',` +@@ -308,6 +331,27 @@ interface(`bind_read_zone',` ######################################## ## @@ -25750,7 +25951,7 @@ index 44a1e3d..f5c476a 100644 ## Manage BIND zone files. ## ## -@@ -359,10 +404,9 @@ interface(`bind_udp_chat_named',` +@@ -359,10 +403,9 @@ interface(`bind_udp_chat_named',` interface(`bind_admin',` gen_require(` type named_t, named_tmp_t, named_log_t; @@ -25764,7 +25965,7 @@ index 44a1e3d..f5c476a 100644 ') allow $1 named_t:process { ptrace signal_perms }; -@@ -391,9 +435,10 @@ interface(`bind_admin',` +@@ -391,9 +434,10 @@ interface(`bind_admin',` admin_pattern($1, named_zone_t) admin_pattern($1, dnssec_t) @@ -27805,7 +28006,7 @@ index fd8cd0b..45096d8 100644 +/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if -index 9a0da94..fecceac 100644 +index 9a0da94..714f905 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` @@ -27833,7 +28034,7 @@ index 9a0da94..fecceac 100644 #################################### ## ## Execute chronyd -@@ -56,6 +74,126 @@ interface(`chronyd_read_log',` +@@ -56,6 +74,125 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') @@ -27912,7 +28113,6 @@ index 9a0da94..fecceac 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 chronyd_unit_file_t:file read_file_perms; + allow $1 chronyd_unit_file_t:service all_service_perms; + @@ -27960,7 +28160,7 @@ index 9a0da94..fecceac 100644 #################################### ## ## All of the rules required to administrate -@@ -75,9 +213,9 @@ interface(`chronyd_read_log',` +@@ -75,9 +212,9 @@ interface(`chronyd_read_log',` # interface(`chronyd_admin',` gen_require(` @@ -27973,7 +28173,7 @@ index 9a0da94..fecceac 100644 ') allow $1 chronyd_t:process { ptrace signal_perms }; -@@ -88,18 +226,19 @@ interface(`chronyd_admin',` +@@ -88,18 +225,19 @@ interface(`chronyd_admin',` role_transition $2 chronyd_initrc_exec_t system_r; allow $2 system_r; @@ -29061,10 +29261,10 @@ index 0000000..ed13d1e + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..1783fe6 +index 0000000..2ee2be0 --- /dev/null +++ b/policy/modules/services/collectd.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,77 @@ +policy_module(collectd, 1.0.0) + +######################################## @@ -29072,6 +29272,14 @@ index 0000000..1783fe6 +# Declarations +# + ++## ++##

    ++## Allow collectd to connect to the ++## network using TCP. ++##

    ++##     ++gen_tunable(collectd_can_network_connect, false) ++ +type collectd_t; +type collectd_exec_t; +init_daemon_domain(collectd_t, collectd_exec_t) @@ -29105,10 +29313,12 @@ index 0000000..1783fe6 +domain_use_interactive_fds(collectd_t) + +kernel_read_network_state(collectd_t) ++kernel_read_net_sysctls(collectd_t) +kernel_read_system_state(collectd_t) + +dev_read_sysfs(collectd_t) + ++files_getattr_all_dirs(collectd_t) +files_read_etc_files(collectd_t) +files_read_usr_files(collectd_t) + @@ -29120,6 +29330,12 @@ index 0000000..1783fe6 + +sysnet_dns_name_resolve(collectd_t) + ++tunable_policy(`collectd_can_network_connect',` ++ corenet_tcp_connect_all_ports(collectd_t) ++ corenet_tcp_sendrecv_all_ports(collectd_t) ++ corenet_sendrecv_all_client_packets(collectd_t) ++') ++ +optional_policy(` + apache_content_template(collectd) + @@ -29762,7 +29978,7 @@ index 2eefc08..6ea5693 100644 + +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if -index 35241ed..d972767 100644 +index 35241ed..445ced4 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -12,6 +12,11 @@ @@ -29977,7 +30193,7 @@ index 35241ed..d972767 100644 ##     ## ## -@@ -322,6 +331,30 @@ interface(`cron_initrc_domtrans',` +@@ -322,6 +331,29 @@ interface(`cron_initrc_domtrans',` ######################################## ## @@ -29996,7 +30212,6 @@ index 35241ed..d972767 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 crond_unit_file_t:file read_file_perms; + allow $1 crond_unit_file_t:service all_service_perms; + @@ -30008,7 +30223,7 @@ index 35241ed..d972767 100644 ## Inherit and use a file descriptor ## from the cron daemon. ## -@@ -377,6 +410,47 @@ interface(`cron_read_pipes',` +@@ -377,6 +409,47 @@ interface(`cron_read_pipes',` ######################################## ## @@ -30056,7 +30271,7 @@ index 35241ed..d972767 100644 ## Do not audit attempts to write cron daemon unnamed pipes. ## ## -@@ -390,6 +464,7 @@ interface(`cron_dontaudit_write_pipes',` +@@ -390,6 +463,7 @@ interface(`cron_dontaudit_write_pipes',` type crond_t; ') @@ -30064,7 +30279,7 @@ index 35241ed..d972767 100644 dontaudit $1 crond_t:fifo_file write; ') -@@ -408,7 +483,43 @@ interface(`cron_rw_pipes',` +@@ -408,7 +482,43 @@ interface(`cron_rw_pipes',` type crond_t; ') @@ -30109,7 +30324,7 @@ index 35241ed..d972767 100644 ') ######################################## -@@ -468,6 +579,25 @@ interface(`cron_search_spool',` +@@ -468,6 +578,25 @@ interface(`cron_search_spool',` ######################################## ## @@ -30135,7 +30350,7 @@ index 35241ed..d972767 100644 ## Manage pid files used by cron ## ## -@@ -481,6 +611,7 @@ interface(`cron_manage_pid_files',` +@@ -481,6 +610,7 @@ interface(`cron_manage_pid_files',` type crond_var_run_t; ') @@ -30143,7 +30358,7 @@ index 35241ed..d972767 100644 manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') -@@ -536,7 +667,7 @@ interface(`cron_write_system_job_pipes',` +@@ -536,7 +666,7 @@ interface(`cron_write_system_job_pipes',` type system_cronjob_t; ') @@ -30152,7 +30367,7 @@ index 35241ed..d972767 100644 ') ######################################## -@@ -554,7 +685,7 @@ interface(`cron_rw_system_job_pipes',` +@@ -554,7 +684,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') @@ -30161,7 +30376,7 @@ index 35241ed..d972767 100644 ') ######################################## -@@ -587,11 +718,14 @@ interface(`cron_rw_system_job_stream_sockets',` +@@ -587,11 +717,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -30177,7 +30392,7 @@ index 35241ed..d972767 100644 ') ######################################## -@@ -627,7 +761,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -627,7 +760,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -30226,7 +30441,7 @@ index 35241ed..d972767 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..86ea0ba 100644 +index f7583ab..4100ff7 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -30591,7 +30806,7 @@ index f7583ab..86ea0ba 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,15 +545,24 @@ optional_policy(` +@@ -456,15 +545,25 @@ optional_policy(` ') optional_policy(` @@ -30611,12 +30826,13 @@ index f7583ab..86ea0ba 100644 ') optional_policy(` ++ mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) + mta_system_content(system_cron_spool_t) ') optional_policy(` -@@ -480,7 +578,7 @@ optional_policy(` +@@ -480,7 +579,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -30625,7 +30841,7 @@ index f7583ab..86ea0ba 100644 ') optional_policy(` -@@ -495,6 +593,7 @@ optional_policy(` +@@ -495,6 +594,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -30633,7 +30849,7 @@ index f7583ab..86ea0ba 100644 ') optional_policy(` -@@ -502,7 +601,13 @@ optional_policy(` +@@ -502,7 +602,13 @@ optional_policy(` ') optional_policy(` @@ -30647,7 +30863,7 @@ index f7583ab..86ea0ba 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +700,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +701,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -31173,7 +31389,7 @@ index 305ddf4..173cd16 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..e6225d3 100644 +index 0f28095..825cafb 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -31224,7 +31440,15 @@ index 0f28095..e6225d3 100644 kernel_read_system_state(cupsd_t) kernel_read_network_state(cupsd_t) -@@ -270,12 +274,6 @@ files_dontaudit_list_home(cupsd_t) +@@ -211,6 +215,7 @@ mls_rangetrans_target(cupsd_t) + mls_socket_write_all_levels(cupsd_t) + mls_fd_use_all_levels(cupsd_t) + ++term_use_usb_ttys(cupsd_t) + term_use_unallocated_ttys(cupsd_t) + term_search_ptys(cupsd_t) + +@@ -270,12 +275,6 @@ files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) @@ -31237,7 +31461,7 @@ index 0f28095..e6225d3 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -297,8 +295,10 @@ optional_policy(` +@@ -297,8 +296,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -31248,7 +31472,7 @@ index 0f28095..e6225d3 100644 ') ') -@@ -311,10 +311,22 @@ optional_policy(` +@@ -311,10 +312,22 @@ optional_policy(` ') optional_policy(` @@ -31271,7 +31495,7 @@ index 0f28095..e6225d3 100644 mta_send_mail(cupsd_t) ') -@@ -371,8 +383,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +384,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -31282,7 +31506,7 @@ index 0f28095..e6225d3 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -393,6 +406,10 @@ dev_read_sysfs(cupsd_config_t) +@@ -393,6 +407,10 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -31293,7 +31517,7 @@ index 0f28095..e6225d3 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +442,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +443,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -31307,7 +31531,7 @@ index 0f28095..e6225d3 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +470,10 @@ optional_policy(` +@@ -453,6 +471,10 @@ optional_policy(` ') optional_policy(` @@ -31318,7 +31542,7 @@ index 0f28095..e6225d3 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +488,10 @@ optional_policy(` +@@ -467,6 +489,10 @@ optional_policy(` ') optional_policy(` @@ -31329,7 +31553,7 @@ index 0f28095..e6225d3 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,13 +612,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +613,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -31349,7 +31573,7 @@ index 0f28095..e6225d3 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +635,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') @@ -31360,7 +31584,7 @@ index 0f28095..e6225d3 100644 ######################################## # # HPLIP local policy -@@ -639,7 +672,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -31369,7 +31593,7 @@ index 0f28095..e6225d3 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +718,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +719,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -31377,7 +31601,7 @@ index 0f28095..e6225d3 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -31909,7 +32133,7 @@ index 1a1becd..843d5fd 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 1bff6ee..9540fee 100644 +index 1bff6ee..f0266a9 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -31971,7 +32195,20 @@ index 1bff6ee..9540fee 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -141,6 +148,20 @@ optional_policy(` +@@ -136,11 +143,33 @@ seutil_sigchld_newrole(system_dbusd_t) + userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) + userdom_dontaudit_search_user_home_dirs(system_dbusd_t) + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(system_dbusd_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(system_dbusd_t) ++') ++ + optional_policy(` + bind_domtrans(system_dbusd_t) ') optional_policy(` @@ -31992,7 +32229,7 @@ index 1bff6ee..9540fee 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -151,12 +172,166 @@ optional_policy(` +@@ -151,12 +180,166 @@ optional_policy(` ') optional_policy(` @@ -32048,9 +32285,9 @@ index 1bff6ee..9540fee 100644 +') + +######################################## -+# -+# session_bus_type rules # ++# session_bus_type rules ++# +dontaudit session_bus_type self:capability sys_resource; +allow session_bus_type self:process { getattr sigkill signal }; +dontaudit session_bus_type self:process { ptrace setrlimit }; @@ -32135,7 +32372,7 @@ index 1bff6ee..9540fee 100644 + fs_manage_cifs_dirs(session_bus_type) + fs_manage_cifs_files(session_bus_type) +') - ++ +optional_policy(` + gnome_read_gconf_home_files(session_bus_type) +') @@ -32143,7 +32380,7 @@ index 1bff6ee..9540fee 100644 +optional_policy(` + hal_dbus_chat(session_bus_type) +') -+ + +optional_policy(` + xserver_search_xdm_lib(session_bus_type) + xserver_use_xdm_fds(session_bus_type) @@ -33825,10 +34062,10 @@ index b886676..ab3af9c 100644 /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if -index 9bd812b..f3c2d82 100644 +index 9bd812b..1bef72c 100644 --- a/policy/modules/services/dnsmasq.if +++ b/policy/modules/services/dnsmasq.if -@@ -41,6 +41,30 @@ interface(`dnsmasq_initrc_domtrans',` +@@ -41,6 +41,29 @@ interface(`dnsmasq_initrc_domtrans',` ######################################## ## @@ -33847,7 +34084,6 @@ index 9bd812b..f3c2d82 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 dnsmasq_unit_file_t:file read_file_perms; + allow $1 dnsmasq_unit_file_t:service all_service_perms; + @@ -33859,7 +34095,7 @@ index 9bd812b..f3c2d82 100644 ## Send dnsmasq a signal ## ## -@@ -101,9 +125,9 @@ interface(`dnsmasq_kill',` +@@ -101,9 +124,9 @@ interface(`dnsmasq_kill',` ## Read dnsmasq config files. ## ## @@ -33871,7 +34107,7 @@ index 9bd812b..f3c2d82 100644 ## # interface(`dnsmasq_read_config',` -@@ -120,9 +144,9 @@ interface(`dnsmasq_read_config',` +@@ -120,9 +143,9 @@ interface(`dnsmasq_read_config',` ## Write to dnsmasq config files. ##     ## @@ -33883,7 +34119,7 @@ index 9bd812b..f3c2d82 100644 ## # interface(`dnsmasq_write_config',` -@@ -144,12 +168,12 @@ interface(`dnsmasq_write_config',` +@@ -144,12 +167,12 @@ interface(`dnsmasq_write_config',` ##
## # @@ -33897,7 +34133,7 @@ index 9bd812b..f3c2d82 100644 delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -163,17 +187,80 @@ interface(`dnsmasq_delete_pid_files',` +@@ -163,17 +186,80 @@ interface(`dnsmasq_delete_pid_files',` ## ## # @@ -33979,7 +34215,7 @@ index 9bd812b..f3c2d82 100644 ## All of the rules required to administrate ## an dnsmasq environment ## -@@ -208,4 +295,6 @@ interface(`dnsmasq_admin',` +@@ -208,4 +294,6 @@ interface(`dnsmasq_admin',` files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) @@ -35889,10 +36125,10 @@ index 69dcd2a..80eefd3 100644 /var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0) +/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if -index 9d3201b..a8ad41e 100644 +index 9d3201b..7da7267 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if -@@ -1,5 +1,67 @@ +@@ -1,5 +1,66 @@ ## File transfer protocol service +###################################### @@ -35950,7 +36186,6 @@ index 9d3201b..a8ad41e 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 ftpd_unit_file_t:file read_file_perms; + allow $1 ftpd_unit_file_t:service all_service_perms; + @@ -35960,7 +36195,7 @@ index 9d3201b..a8ad41e 100644 ####################################### ## ## Allow domain dyntransition to sftpd_anon domain. -@@ -203,4 +265,6 @@ interface(`ftp_admin',` +@@ -203,4 +264,6 @@ interface(`ftp_admin',` logging_list_logs($1) admin_pattern($1, xferlog_t) @@ -37482,10 +37717,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..95d52e4 100644 +index 4fde46b..86ba356 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; @@ -37504,16 +37739,15 @@ index 4fde46b..95d52e4 100644 +files_read_etc_runtime_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) +-auth_use_nsswitch(gnomeclock_t) +fs_getattr_xattr_fs(gnomeclock_t) -+ - auth_use_nsswitch(gnomeclock_t) -clock_domtrans(gnomeclock_t) -+init_stream_send(gnomeclock_t) ++auth_use_nsswitch(gnomeclock_t) miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -39767,10 +40001,10 @@ index c62f23e..f8a4301 100644 /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if -index 3aa8fa7..2a407cd 100644 +index 3aa8fa7..40b10fa 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if -@@ -1,5 +1,65 @@ +@@ -1,5 +1,64 @@ ## OpenLDAP directory server +####################################### @@ -39826,7 +40060,6 @@ index 3aa8fa7..2a407cd 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 slapd_unit_file_t:file read_file_perms; + allow $1 slapd_unit_file_t:service all_service_perms; + @@ -39836,7 +40069,7 @@ index 3aa8fa7..2a407cd 100644 ######################################## ## ## Read the contents of the OpenLDAP -@@ -21,6 +81,25 @@ interface(`ldap_list_db',` +@@ -21,6 +80,25 @@ interface(`ldap_list_db',` ######################################## ## @@ -39862,7 +40095,7 @@ index 3aa8fa7..2a407cd 100644 ## Read the OpenLDAP configuration files. ## ## -@@ -69,8 +148,7 @@ interface(`ldap_stream_connect',` +@@ -69,8 +147,7 @@ interface(`ldap_stream_connect',` ') files_search_pids($1) @@ -39872,7 +40105,7 @@ index 3aa8fa7..2a407cd 100644 ') ######################################## -@@ -110,6 +188,7 @@ interface(`ldap_admin',` +@@ -110,6 +187,7 @@ interface(`ldap_admin',` admin_pattern($1, slapd_lock_t) @@ -39880,7 +40113,7 @@ index 3aa8fa7..2a407cd 100644 admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -117,4 +196,6 @@ interface(`ldap_admin',` +@@ -117,4 +195,6 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) @@ -42252,7 +42485,7 @@ index 256166a..6321a93 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..f6c92f9 100644 +index 343cee3..fff3a52 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -42488,7 +42721,33 @@ index 343cee3..f6c92f9 100644 ') ####################################### -@@ -697,8 +762,8 @@ interface(`mta_rw_spool',` +@@ -680,6 +745,25 @@ interface(`mta_spool_filetrans',` + filetrans_pattern($1, mail_spool_t, $2, $3) + ') + ++####################################### ++## ++## Read the mail spool. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_read_spool',` ++ gen_require(` ++ type mail_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, mail_spool_t, mail_spool_t) ++') ++ + ######################################## + ## + ## Read and write the mail spool. +@@ -697,8 +781,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -42499,7 +42758,7 @@ index 343cee3..f6c92f9 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +903,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +922,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -42508,7 +42767,7 @@ index 343cee3..f6c92f9 100644 ') ######################################## -@@ -899,3 +964,112 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +983,112 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -43882,7 +44141,7 @@ index 386543b..47e1b41 100644 /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if -index 2324d9e..ac2e779 100644 +index 2324d9e..8666a3c 100644 --- a/policy/modules/services/networkmanager.if +++ b/policy/modules/services/networkmanager.if @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',` @@ -43898,7 +44157,7 @@ index 2324d9e..ac2e779 100644 ## # interface(`networkmanager_attach_tun_iface',` -@@ -116,6 +116,30 @@ interface(`networkmanager_initrc_domtrans',` +@@ -116,6 +116,29 @@ interface(`networkmanager_initrc_domtrans',` ######################################## ## @@ -43917,7 +44176,6 @@ index 2324d9e..ac2e779 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 NetworkManager_unit_file_t:file read_file_perms; + allow $1 NetworkManager_unit_file_t:service all_service_perms; + @@ -43929,7 +44187,7 @@ index 2324d9e..ac2e779 100644 ## Send and receive messages from ## NetworkManager over dbus. ## -@@ -137,6 +161,28 @@ interface(`networkmanager_dbus_chat',` +@@ -137,6 +160,28 @@ interface(`networkmanager_dbus_chat',` ######################################## ## @@ -43958,7 +44216,7 @@ index 2324d9e..ac2e779 100644 ## Send a generic signal to NetworkManager ## ## -@@ -191,3 +237,77 @@ interface(`networkmanager_read_pid_files',` +@@ -191,3 +236,77 @@ interface(`networkmanager_read_pid_files',` files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -44284,7 +44542,7 @@ index 15448d5..3587f6a 100644 +/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if -index abe3f7f..9e96501 100644 +index abe3f7f..2214d71 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` @@ -44338,7 +44596,7 @@ index abe3f7f..9e96501 100644 ## Read ypserv configuration files. ## ## -@@ -337,6 +318,57 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -337,6 +318,55 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## ## @@ -44357,7 +44615,6 @@ index abe3f7f..9e96501 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 ypbind_unit_file_t:file read_file_perms; + allow $1 ypbind_unit_file_t:service all_service_perms; + @@ -44381,7 +44638,6 @@ index abe3f7f..9e96501 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 nis_unit_file_t:file read_file_perms; + allow $1 nis_unit_file_t:service all_service_perms; + @@ -44396,7 +44652,7 @@ index abe3f7f..9e96501 100644 ## All of the rules required to administrate ## an nis environment ## -@@ -354,10 +386,10 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -354,10 +384,10 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` @@ -44409,7 +44665,7 @@ index abe3f7f..9e96501 100644 ') allow $1 ypbind_t:process { ptrace signal_perms }; -@@ -384,6 +416,7 @@ interface(`nis_admin',` +@@ -384,6 +414,7 @@ interface(`nis_admin',` files_list_pids($1) admin_pattern($1, ypbind_var_run_t) @@ -44417,7 +44673,7 @@ index abe3f7f..9e96501 100644 admin_pattern($1, yppasswdd_var_run_t) -@@ -393,4 +426,5 @@ interface(`nis_admin',` +@@ -393,4 +424,5 @@ interface(`nis_admin',` admin_pattern($1, ypserv_tmp_t) admin_pattern($1, ypserv_var_run_t) @@ -44497,7 +44753,7 @@ index 4876cae..eabed96 100644 allow ypserv_t self:unix_stream_socket create_stream_socket_perms; allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if -index 85188dc..891d4ab 100644 +index 85188dc..56dd1f0 100644 --- a/policy/modules/services/nscd.if +++ b/policy/modules/services/nscd.if @@ -116,7 +116,26 @@ interface(`nscd_socket_use',` @@ -44563,7 +44819,7 @@ index 85188dc..891d4ab 100644 # interface(`nscd_run',` gen_require(` -@@ -254,6 +277,30 @@ interface(`nscd_initrc_domtrans',` +@@ -254,6 +277,29 @@ interface(`nscd_initrc_domtrans',` ######################################## ## @@ -44582,7 +44838,6 @@ index 85188dc..891d4ab 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 nscd_unit_file_t:file read_file_perms; + allow $1 nscd_unit_file_t:service all_service_perms; + @@ -44594,7 +44849,7 @@ index 85188dc..891d4ab 100644 ## All of the rules required to administrate ## an nscd environment ## -@@ -288,4 +335,6 @@ interface(`nscd_admin',` +@@ -288,4 +334,6 @@ interface(`nscd_admin',` files_list_pids($1) admin_pattern($1, nscd_var_run_t) @@ -44795,10 +45050,10 @@ index e79dccc..50202ef 100644 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..c58528f 100644 +index e80f8c0..9e9091c 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if -@@ -98,6 +98,49 @@ interface(`ntp_initrc_domtrans',` +@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',` init_labeled_script_domtrans($1, ntpd_initrc_exec_t) ') @@ -44838,7 +45093,6 @@ index e80f8c0..c58528f 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 ntpd_unit_file_t:file read_file_perms; + allow $1 ntpd_unit_file_t:service all_service_perms; + @@ -44848,7 +45102,7 @@ index e80f8c0..c58528f 100644 ######################################## ## ## Read and write ntpd shared memory. -@@ -122,6 +165,25 @@ interface(`ntp_rw_shm',` +@@ -122,6 +164,25 @@ interface(`ntp_rw_shm',` ######################################## ## @@ -44874,7 +45128,7 @@ index e80f8c0..c58528f 100644 ## All of the rules required to administrate ## an ntp environment ## -@@ -140,11 +202,10 @@ interface(`ntp_rw_shm',` +@@ -140,11 +201,10 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; @@ -44888,7 +45142,7 @@ index e80f8c0..c58528f 100644 ps_process_pattern($1, ntpd_t) init_labeled_script_domtrans($1, ntpd_initrc_exec_t) -@@ -162,4 +223,6 @@ interface(`ntp_admin',` +@@ -162,4 +222,6 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -48521,7 +48775,7 @@ index 2d82c6d..adf5731 100644 -/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) +/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if -index b524673..d3f932f 100644 +index b524673..921a60f 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -66,7 +66,6 @@ interface(`ppp_sigchld',` @@ -48560,7 +48814,7 @@ index b524673..d3f932f 100644 allow $1 pppd_var_run_t:file manage_file_perms; ') -@@ -340,6 +340,30 @@ interface(`ppp_initrc_domtrans',` +@@ -340,6 +340,29 @@ interface(`ppp_initrc_domtrans',` ######################################## ## @@ -48579,7 +48833,6 @@ index b524673..d3f932f 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 pppd_unit_file_t:file read_file_perms; + allow $1 pppd_unit_file_t:service all_service_perms; + @@ -48591,7 +48844,7 @@ index b524673..d3f932f 100644 ## All of the rules required to administrate ## an ppp environment ## -@@ -348,21 +372,27 @@ interface(`ppp_initrc_domtrans',` +@@ -348,21 +371,27 @@ interface(`ppp_initrc_domtrans',` ## Domain allowed access. ## ## @@ -48624,7 +48877,7 @@ index b524673..d3f932f 100644 ppp_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 pppd_initrc_exec_t system_r; -@@ -374,6 +404,7 @@ interface(`ppp_admin',` +@@ -374,6 +403,7 @@ interface(`ppp_admin',` logging_list_logs($1) admin_pattern($1, pppd_log_t) @@ -48632,7 +48885,7 @@ index b524673..d3f932f 100644 admin_pattern($1, pppd_lock_t) files_list_etc($1) -@@ -386,10 +417,9 @@ interface(`ppp_admin',` +@@ -386,10 +416,9 @@ interface(`ppp_admin',` files_list_pids($1) admin_pattern($1, pppd_var_run_t) @@ -48646,7 +48899,7 @@ index b524673..d3f932f 100644 + ppp_systemctl($1) ') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..392bc4b 100644 +index 2af42e7..605815a 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) @@ -48730,7 +48983,15 @@ index 2af42e7..392bc4b 100644 allow pppd_t pptp_t:process signal; -@@ -166,6 +170,8 @@ init_dontaudit_write_utmp(pppd_t) +@@ -143,6 +147,7 @@ fs_getattr_all_fs(pppd_t) + fs_search_auto_mountpoints(pppd_t) + + term_use_unallocated_ttys(pppd_t) ++term_use_usb_ttys(pppd_t) + term_setattr_unallocated_ttys(pppd_t) + term_ioctl_generic_ptys(pppd_t) + # for pppoe +@@ -166,6 +171,8 @@ init_dontaudit_write_utmp(pppd_t) init_signal_script(pppd_t) auth_use_nsswitch(pppd_t) @@ -48739,7 +49000,7 @@ index 2af42e7..392bc4b 100644 logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) -@@ -176,7 +182,7 @@ sysnet_exec_ifconfig(pppd_t) +@@ -176,7 +183,7 @@ sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) @@ -48748,7 +49009,7 @@ index 2af42e7..392bc4b 100644 userdom_dontaudit_use_unpriv_user_fds(pppd_t) userdom_search_user_home_dirs(pppd_t) -@@ -187,13 +193,15 @@ optional_policy(` +@@ -187,13 +194,15 @@ optional_policy(` ') optional_policy(` @@ -48765,7 +49026,7 @@ index 2af42e7..392bc4b 100644 ') optional_policy(` -@@ -243,14 +251,17 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -243,14 +252,17 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -48784,6 +49045,14 @@ index 2af42e7..392bc4b 100644 dev_read_sysfs(pptp_t) +@@ -266,6 +278,7 @@ corenet_raw_sendrecv_generic_node(pptp_t) + corenet_tcp_sendrecv_all_ports(pptp_t) + corenet_tcp_bind_generic_node(pptp_t) + corenet_tcp_connect_generic_port(pptp_t) ++corenet_tcp_connect_unreserved_ports(pptp_t) + corenet_tcp_connect_all_reserved_ports(pptp_t) + corenet_sendrecv_generic_client_packets(pptp_t) + diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if index 2316653..77ef768 100644 --- a/policy/modules/services/prelude.if @@ -52825,7 +53094,7 @@ index 5c70c0c..f9f0f54 100644 + +/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if -index cda37bb..41b106f 100644 +index cda37bb..617e83f 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -32,7 +32,11 @@ interface(`rpc_stub',` @@ -52859,7 +53128,7 @@ index cda37bb..41b106f 100644 ') ######################################## -@@ -229,6 +233,30 @@ interface(`rpc_initrc_domtrans_nfsd',` +@@ -229,6 +233,29 @@ interface(`rpc_initrc_domtrans_nfsd',` ######################################## ## @@ -52878,7 +53147,6 @@ index cda37bb..41b106f 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 nfsd_unit_file_t:file read_file_perms; + allow $1 nfsd_unit_file_t:service all_service_perms; + @@ -52890,7 +53158,7 @@ index cda37bb..41b106f 100644 ## Execute domain in rpcd domain. ## ## -@@ -246,6 +274,32 @@ interface(`rpc_domtrans_rpcd',` +@@ -246,6 +273,32 @@ interface(`rpc_domtrans_rpcd',` allow rpcd_t $1:process signal; ') @@ -52923,7 +53191,7 @@ index cda37bb..41b106f 100644 ####################################### ## ## Execute domain in rpcd domain. -@@ -266,6 +320,30 @@ interface(`rpc_initrc_domtrans_rpcd',` +@@ -266,6 +319,29 @@ interface(`rpc_initrc_domtrans_rpcd',` ######################################## ## @@ -52942,7 +53210,6 @@ index cda37bb..41b106f 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 rpcd_unit_file_t:file read_file_perms; + allow $1 rpcd_unit_file_t:service all_service_perms; + @@ -52954,7 +53221,7 @@ index cda37bb..41b106f 100644 ## Read NFS exported content. ## ## -@@ -282,7 +360,7 @@ interface(`rpc_read_nfs_content',` +@@ -282,7 +358,7 @@ interface(`rpc_read_nfs_content',` allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; @@ -52963,7 +53230,7 @@ index cda37bb..41b106f 100644 ') ######################################## -@@ -375,7 +453,7 @@ interface(`rpc_search_nfs_state_data',` +@@ -375,7 +451,7 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) @@ -52972,7 +53239,7 @@ index cda37bb..41b106f 100644 ') ######################################## -@@ -414,4 +492,5 @@ interface(`rpc_manage_nfs_state_data',` +@@ -414,4 +490,5 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) @@ -53563,10 +53830,10 @@ index 69a6074..596dbb3 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if -index 82cb169..87d1eec 100644 +index 82cb169..0a29f68 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if -@@ -60,6 +60,30 @@ interface(`samba_initrc_domtrans',` +@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',` ######################################## ## @@ -53585,7 +53852,6 @@ index 82cb169..87d1eec 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 samba_unit_file_t:file read_file_perms; + allow $1 samba_unit_file_t:service all_service_perms; + @@ -53597,7 +53863,7 @@ index 82cb169..87d1eec 100644 ## Execute samba net in the samba_net domain. ## ## -@@ -79,6 +103,25 @@ interface(`samba_domtrans_net',` +@@ -79,6 +102,25 @@ interface(`samba_domtrans_net',` ######################################## ## @@ -53623,7 +53889,7 @@ index 82cb169..87d1eec 100644 ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## -@@ -103,6 +146,51 @@ interface(`samba_run_net',` +@@ -103,6 +145,51 @@ interface(`samba_run_net',` role $2 types samba_net_t; ') @@ -53675,7 +53941,7 @@ index 82cb169..87d1eec 100644 ######################################## ## ## Execute smbmount in the smbmount domain. -@@ -327,7 +415,6 @@ interface(`samba_search_var',` +@@ -327,7 +414,6 @@ interface(`samba_search_var',` type samba_var_t; ') @@ -53683,7 +53949,7 @@ index 82cb169..87d1eec 100644 files_search_var_lib($1) allow $1 samba_var_t:dir search_dir_perms; ') -@@ -348,7 +435,6 @@ interface(`samba_read_var_files',` +@@ -348,7 +434,6 @@ interface(`samba_read_var_files',` type samba_var_t; ') @@ -53691,7 +53957,7 @@ index 82cb169..87d1eec 100644 files_search_var_lib($1) read_files_pattern($1, samba_var_t, samba_var_t) ') -@@ -388,7 +474,6 @@ interface(`samba_rw_var_files',` +@@ -388,7 +473,6 @@ interface(`samba_rw_var_files',` type samba_var_t; ') @@ -53699,7 +53965,7 @@ index 82cb169..87d1eec 100644 files_search_var_lib($1) rw_files_pattern($1, samba_var_t, samba_var_t) ') -@@ -409,9 +494,9 @@ interface(`samba_manage_var_files',` +@@ -409,9 +493,9 @@ interface(`samba_manage_var_files',` type samba_var_t; ') @@ -53710,7 +53976,7 @@ index 82cb169..87d1eec 100644 ') ######################################## -@@ -419,15 +504,14 @@ interface(`samba_manage_var_files',` +@@ -419,15 +503,14 @@ interface(`samba_manage_var_files',` ## Execute a domain transition to run smbcontrol. ## ## @@ -53729,7 +53995,7 @@ index 82cb169..87d1eec 100644 ') domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -@@ -564,6 +648,7 @@ interface(`samba_domtrans_winbind_helper',` +@@ -564,6 +647,7 @@ interface(`samba_domtrans_winbind_helper',` ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) @@ -53737,7 +54003,7 @@ index 82cb169..87d1eec 100644 ') ######################################## -@@ -644,6 +729,37 @@ interface(`samba_stream_connect_winbind',` +@@ -644,6 +728,37 @@ interface(`samba_stream_connect_winbind',` ######################################## ## @@ -53775,7 +54041,7 @@ index 82cb169..87d1eec 100644 ## All of the rules required to administrate ## an samba environment ## -@@ -661,21 +777,12 @@ interface(`samba_stream_connect_winbind',` +@@ -661,21 +776,12 @@ interface(`samba_stream_connect_winbind',` # interface(`samba_admin',` gen_require(` @@ -53803,7 +54069,7 @@ index 82cb169..87d1eec 100644 ') allow $1 smbd_t:process { ptrace signal_perms }; -@@ -684,6 +791,9 @@ interface(`samba_admin',` +@@ -684,6 +790,9 @@ interface(`samba_admin',` allow $1 nmbd_t:process { ptrace signal_perms }; ps_process_pattern($1, nmbd_t) @@ -53813,7 +54079,7 @@ index 82cb169..87d1eec 100644 samba_run_smbcontrol($1, $2, $3) samba_run_winbind_helper($1, $2, $3) samba_run_smbmount($1, $2, $3) -@@ -709,9 +819,6 @@ interface(`samba_admin',` +@@ -709,9 +818,6 @@ interface(`samba_admin',` admin_pattern($1, samba_var_t) files_list_var($1) @@ -53823,7 +54089,7 @@ index 82cb169..87d1eec 100644 admin_pattern($1, smbd_var_run_t) files_list_pids($1) -@@ -727,4 +834,7 @@ interface(`samba_admin',` +@@ -727,4 +833,7 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -55617,7 +55883,7 @@ index c954f31..c7cadcb 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..f056f5f 100644 +index ec1eb1e..a370364 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0) @@ -56022,7 +56288,7 @@ index ec1eb1e..f056f5f 100644 ') optional_policy(` -@@ -451,3 +558,44 @@ optional_policy(` +@@ -451,3 +558,51 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -56044,6 +56310,13 @@ index ec1eb1e..f056f5f 100644 +manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) +manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t) + ++allow spamd_update_t spamd_tmp_t:file read_file_perms; ++ ++kernel_read_system_state(spamd_update_t) ++ ++# for updating rules ++corenet_tcp_connect_http_port(spamd_update_t) ++ +corecmd_exec_bin(spamd_update_t) +corecmd_exec_shell(spamd_update_t) + @@ -56652,7 +56925,7 @@ index 22adaca..8e3e9de 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..d81a09f 100644 +index 2dad3c8..02e70c9 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) @@ -57051,7 +57324,7 @@ index 2dad3c8..d81a09f 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,15 +422,83 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,15 +422,91 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -57125,6 +57398,10 @@ index 2dad3c8..d81a09f 100644 + fs_manage_cifs_symlinks(chroot_user_t) +') + ++tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',` ++ fs_manage_fusefs_files(chroot_user_t) ++') ++ +tunable_policy(`use_samba_home_dirs',` + fs_read_cifs_files(chroot_user_t) + fs_read_cifs_symlinks(chroot_user_t) @@ -57135,6 +57412,10 @@ index 2dad3c8..d81a09f 100644 + fs_read_nfs_symlinks(chroot_user_t) +') + ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_read_fusefs_files(chroot_user_t) ++') ++ +optional_policy(` + ssh_rw_dgram_sockets(chroot_user_t) ') @@ -59218,7 +59499,7 @@ index 7c5d8d8..d711fd5 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..812f226 100644 +index 3eca020..75d8556 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,74 @@ policy_module(virt, 1.4.0) @@ -59600,9 +59881,9 @@ index 3eca020..812f226 100644 logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -59746,12 +60027,12 @@ index 3eca020..812f226 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +-term_use_all_terms(virt_domain) +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - --term_use_all_terms(virt_domain) ++ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -59762,7 +60043,7 @@ index 3eca020..812f226 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +635,320 @@ optional_policy(` +@@ -457,8 +635,324 @@ optional_policy(` ') optional_policy(` @@ -59955,6 +60236,10 @@ index 3eca020..812f226 100644 + +sysnet_domtrans_ifconfig(virtd_lxc_t) + ++optional_policy(` ++ execmem_exec(virtd_lxc_t) ++') ++ +#optional_policy(` +# unconfined_shell_domtrans(virtd_lxc_t) +# unconfined_signal(virtd_t) @@ -65151,7 +65436,7 @@ index 94fd8dd..b5e5c70 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..53f3bfe 100644 +index 29a9565..f69ea00 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -65304,7 +65589,7 @@ index 29a9565..53f3bfe 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +219,16 @@ init_domtrans_script(init_t) +@@ -162,23 +219,29 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -65321,7 +65606,12 @@ index 29a9565..53f3bfe 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +239,7 @@ ifdef(`distro_redhat',` + + ifdef(`distro_redhat',` ++ fs_manage_tmpfs_files(init_t) ++ fs_exec_tmpfs_files(init_t) + fs_read_tmpfs_symlinks(init_t) + fs_rw_tmpfs_chr_files(init_t) fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -65330,7 +65620,7 @@ index 29a9565..53f3bfe 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +247,138 @@ tunable_policy(`init_upstart',` +@@ -186,16 +249,138 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -65471,7 +65761,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -203,6 +386,17 @@ optional_policy(` +@@ -203,6 +388,17 @@ optional_policy(` ') optional_policy(` @@ -65489,7 +65779,7 @@ index 29a9565..53f3bfe 100644 unconfined_domain(init_t) ') -@@ -212,7 +406,7 @@ optional_policy(` +@@ -212,7 +408,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -65498,7 +65788,7 @@ index 29a9565..53f3bfe 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +437,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -65514,7 +65804,7 @@ index 29a9565..53f3bfe 100644 init_write_initctl(initrc_t) -@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +457,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -65551,7 +65841,7 @@ index 29a9565..53f3bfe 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +490,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -65559,7 +65849,7 @@ index 29a9565..53f3bfe 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +501,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -65570,7 +65860,7 @@ index 29a9565..53f3bfe 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +512,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -65587,7 +65877,7 @@ index 29a9565..53f3bfe 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +531,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -65595,7 +65885,7 @@ index 29a9565..53f3bfe 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +539,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -65607,7 +65897,7 @@ index 29a9565..53f3bfe 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +558,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -65621,7 +65911,7 @@ index 29a9565..53f3bfe 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +573,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -65630,7 +65920,7 @@ index 29a9565..53f3bfe 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +587,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -65638,7 +65928,7 @@ index 29a9565..53f3bfe 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +599,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -65646,7 +65936,7 @@ index 29a9565..53f3bfe 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +620,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -65668,7 +65958,7 @@ index 29a9565..53f3bfe 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +683,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -65679,7 +65969,7 @@ index 29a9565..53f3bfe 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +705,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +707,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -65688,7 +65978,7 @@ index 29a9565..53f3bfe 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +720,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +722,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -65696,7 +65986,7 @@ index 29a9565..53f3bfe 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +750,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +752,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -65730,7 +66020,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -531,10 +784,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +786,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -65753,7 +66043,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -549,6 +814,39 @@ ifdef(`distro_suse',` +@@ -549,6 +816,39 @@ ifdef(`distro_suse',` ') ') @@ -65793,7 +66083,7 @@ index 29a9565..53f3bfe 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +859,8 @@ optional_policy(` +@@ -561,6 +861,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -65802,7 +66092,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -577,6 +877,7 @@ optional_policy(` +@@ -577,6 +879,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -65810,7 +66100,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -589,6 +890,17 @@ optional_policy(` +@@ -589,6 +892,17 @@ optional_policy(` ') optional_policy(` @@ -65828,7 +66118,7 @@ index 29a9565..53f3bfe 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +917,13 @@ optional_policy(` +@@ -605,9 +919,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -65842,7 +66132,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -632,6 +948,10 @@ optional_policy(` +@@ -632,6 +950,10 @@ optional_policy(` ') optional_policy(` @@ -65853,7 +66143,7 @@ index 29a9565..53f3bfe 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +969,11 @@ optional_policy(` +@@ -649,6 +971,11 @@ optional_policy(` ') optional_policy(` @@ -65865,7 +66155,7 @@ index 29a9565..53f3bfe 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1014,7 @@ optional_policy(` +@@ -689,6 +1016,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -65873,7 +66163,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -706,7 +1032,13 @@ optional_policy(` +@@ -706,7 +1034,13 @@ optional_policy(` ') optional_policy(` @@ -65887,7 +66177,7 @@ index 29a9565..53f3bfe 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1061,10 @@ optional_policy(` +@@ -729,6 +1063,10 @@ optional_policy(` ') optional_policy(` @@ -65898,7 +66188,7 @@ index 29a9565..53f3bfe 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1074,20 @@ optional_policy(` +@@ -738,10 +1076,20 @@ optional_policy(` ') optional_policy(` @@ -65919,7 +66209,7 @@ index 29a9565..53f3bfe 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1096,10 @@ optional_policy(` +@@ -750,6 +1098,10 @@ optional_policy(` ') optional_policy(` @@ -65930,7 +66220,7 @@ index 29a9565..53f3bfe 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1121,6 @@ optional_policy(` +@@ -771,8 +1123,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -65939,7 +66229,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -790,10 +1138,12 @@ optional_policy(` +@@ -790,10 +1140,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -65952,7 +66242,7 @@ index 29a9565..53f3bfe 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1155,6 @@ optional_policy(` +@@ -805,7 +1157,6 @@ optional_policy(` ') optional_policy(` @@ -65960,7 +66250,7 @@ index 29a9565..53f3bfe 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1164,26 @@ optional_policy(` +@@ -815,11 +1166,26 @@ optional_policy(` ') optional_policy(` @@ -65988,7 +66278,7 @@ index 29a9565..53f3bfe 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1193,25 @@ optional_policy(` +@@ -829,6 +1195,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -66014,7 +66304,7 @@ index 29a9565..53f3bfe 100644 ') optional_policy(` -@@ -844,6 +1227,10 @@ optional_policy(` +@@ -844,6 +1229,10 @@ optional_policy(` ') optional_policy(` @@ -66025,7 +66315,7 @@ index 29a9565..53f3bfe 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1241,160 @@ optional_policy(` +@@ -854,3 +1243,160 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -66261,7 +66551,7 @@ index 0d4c8d3..9d66bf7 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 55a6cd8..fa17b89 100644 +index 55a6cd8..2af2952 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -80,6 +80,8 @@ allow ipsec_t self:udp_socket create_socket_perms; @@ -66311,7 +66601,7 @@ index 55a6cd8..fa17b89 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -245,6 +251,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -245,6 +251,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -66324,12 +66614,14 @@ index 55a6cd8..fa17b89 100644 +dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t) +dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t) + ++dev_read_sysfs(ipsec_mgmt_t) ++ +files_dontaudit_getattr_all_files(ipsec_mgmt_t) +files_dontaudit_getattr_all_sockets(ipsec_mgmt_t) files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -277,9 +294,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,9 +296,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -66341,7 +66633,7 @@ index 55a6cd8..fa17b89 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -297,7 +315,7 @@ sysnet_manage_config(ipsec_mgmt_t) +@@ -297,7 +317,7 @@ sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) @@ -66350,7 +66642,7 @@ index 55a6cd8..fa17b89 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -324,10 +342,6 @@ optional_policy(` +@@ -324,10 +344,6 @@ optional_policy(` modutils_domtrans_insmod(ipsec_mgmt_t) ') @@ -66361,7 +66653,7 @@ index 55a6cd8..fa17b89 100644 ifdef(`TODO',` # ideally it would not need this. It wants to write to /root/.rnd file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file) -@@ -377,12 +391,12 @@ corecmd_exec_shell(racoon_t) +@@ -377,12 +393,12 @@ corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) @@ -66380,7 +66672,7 @@ index 55a6cd8..fa17b89 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -411,6 +425,8 @@ miscfiles_read_localization(racoon_t) +@@ -411,6 +427,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -66389,7 +66681,7 @@ index 55a6cd8..fa17b89 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -448,5 +464,6 @@ miscfiles_read_localization(setkey_t) +@@ -448,5 +466,6 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) @@ -66423,7 +66715,7 @@ index 05fb364..c054118 100644 -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index 7ba53db..227887f 100644 +index 7ba53db..db118e3 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -17,10 +17,6 @@ interface(`iptables_domtrans',` @@ -66437,7 +66729,7 @@ index 7ba53db..227887f 100644 ') ######################################## -@@ -92,6 +88,30 @@ interface(`iptables_initrc_domtrans',` +@@ -92,6 +88,29 @@ interface(`iptables_initrc_domtrans',` init_labeled_script_domtrans($1, iptables_initrc_exec_t) ') @@ -66458,7 +66750,6 @@ index 7ba53db..227887f 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_search_unit_dirs($1) + allow $1 iptables_unit_file_t:file read_file_perms; + allow $1 iptables_unit_file_t:service all_service_perms; + @@ -66599,7 +66890,7 @@ index ddbd8be..ac8e814 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 560dc48..6673319 100644 +index 560dc48..5447ff6 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -37,17 +37,12 @@ ifdef(`distro_redhat',` @@ -66890,7 +67181,7 @@ index 560dc48..6673319 100644 ') dnl end distro_redhat # -@@ -312,17 +303,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -312,17 +303,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -66984,6 +67275,10 @@ index 560dc48..6673319 100644 +/usr/lib/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +ifdef(`fixed',` +/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -67001,9 +67296,6 @@ index 560dc48..6673319 100644 +/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +# Flash plugin, Macromedia -+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/php/modules/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -70896,10 +71188,10 @@ index 0000000..9eaa38e +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..46a3ec0 +index 0000000..764084e --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,456 @@ +@@ -0,0 +1,477 @@ +## SELinux policy for systemd components + +####################################### @@ -70944,10 +71236,12 @@ index 0000000..46a3ec0 + type systemd_systemctl_exec_t; + ') + -+ corecmd_search_bin($1) -+ can_exec($1, systemd_systemctl_exec_t) ++ corecmd_search_bin($1) ++ can_exec($1, systemd_systemctl_exec_t) + ++ systemd_list_unit_dirs($1) + init_read_state($1) ++ init_stream_send($1) +') + +####################################### @@ -70990,6 +71284,25 @@ index 0000000..46a3ec0 + +###################################### +## ++## Allow domain to list systemd unit dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_list_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 systemd_unit_file_type:dir list_dir_perms; ++') ++ ++###################################### ++## +## Allow domain to read all systemd unit files. +## +## @@ -72937,7 +73250,7 @@ index db75976..494ec08 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..e7a65ae 100644 +index 4b2878a..34d01ef 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -74844,50 +75157,83 @@ index 4b2878a..e7a65ae 100644 files_search_tmp($1) ') -@@ -2435,13 +3019,14 @@ interface(`userdom_read_user_tmpfs_files',` - ') - - read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) +@@ -2419,24 +3003,23 @@ interface(`userdom_tmp_filetrans_user_tmp',` + files_tmp_filetrans($1, user_tmp_t, $2) ') - ######################################## +-######################################## ++####################################### ## -## Read user tmpfs files. -+## Read/Write user tmpfs files. ++## Getattr user tmpfs files. ## ## - ## -@@ -2462,26 +3047,6 @@ interface(`userdom_rw_user_tmpfs_files',` - - ######################################## - ## --## Create, read, write, and delete user tmpfs files. --## --## -## -## Domain allowed access. -## --## --# --interface(`userdom_manage_user_tmpfs_files',` ++## ++## Domain allowed access. ++## + ## + # +-interface(`userdom_read_user_tmpfs_files',` - gen_require(` - type user_tmpfs_t; - ') -- -- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++interface(`userdom_getattr_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') + +- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) --') -- --######################################## --## - ## Get the attributes of a user domain tty. ++ getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ fs_search_tmpfs($1) + ') + + ######################################## +@@ -2449,12 +3032,12 @@ interface(`userdom_read_user_tmpfs_files',` + ## + ## + # +-interface(`userdom_rw_user_tmpfs_files',` ++interface(`userdom_read_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + +- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + allow $1 user_tmpfs_t:dir list_dir_perms; + fs_search_tmpfs($1) +@@ -2462,7 +3045,7 @@ interface(`userdom_rw_user_tmpfs_files',` + + ######################################## + ## +-## Create, read, write, and delete user tmpfs files. ++## Read/Write user tmpfs files. ## ## -@@ -2572,7 +3137,7 @@ interface(`userdom_use_user_ttys',` + ## +@@ -2470,12 +3053,13 @@ interface(`userdom_rw_user_tmpfs_files',` + ## + ## + # +-interface(`userdom_manage_user_tmpfs_files',` ++interface(`userdom_rw_user_tmpfs_files',` + gen_require(` + type user_tmpfs_t; + ') + +- manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + allow $1 user_tmpfs_t:dir list_dir_perms; + fs_search_tmpfs($1) + ') +@@ -2572,7 +3156,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -74896,7 +75242,7 @@ index 4b2878a..e7a65ae 100644 ## ## ## -@@ -2580,70 +3145,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3164,138 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -75064,7 +75410,7 @@ index 4b2878a..e7a65ae 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2713,6 +3346,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,6 +3365,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -75089,7 +75435,7 @@ index 4b2878a..e7a65ae 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2736,24 +3387,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3406,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -75114,7 +75460,7 @@ index 4b2878a..e7a65ae 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3405,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3424,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -75140,7 +75486,7 @@ index 4b2878a..e7a65ae 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3466,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3485,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -75149,7 +75495,7 @@ index 4b2878a..e7a65ae 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3482,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3501,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -75183,7 +75529,7 @@ index 4b2878a..e7a65ae 100644 ') ######################################## -@@ -2972,7 +3570,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3589,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -75192,7 +75538,7 @@ index 4b2878a..e7a65ae 100644 ') ######################################## -@@ -3027,7 +3625,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3644,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -75239,7 +75585,7 @@ index 4b2878a..e7a65ae 100644 ') ######################################## -@@ -3064,6 +3700,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3719,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -75247,7 +75593,7 @@ index 4b2878a..e7a65ae 100644 kernel_search_proc($1) ') -@@ -3142,6 +3779,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3798,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -75272,7 +75618,7 @@ index 4b2878a..e7a65ae 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3160,6 +3815,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3834,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -75297,7 +75643,7 @@ index 4b2878a..e7a65ae 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3867,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3886,1076 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/ptrace.patch b/ptrace.patch index 219b5be..a78dd8c 100644 --- a/ptrace.patch +++ b/ptrace.patch @@ -1,6 +1,6 @@ diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables ---- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-10-05 14:34:03.252103292 -0400 -+++ serefpolicy-3.10.0/policy/global_tunables 2011-10-05 14:34:03.751103821 -0400 +--- serefpolicy-3.10.0/policy/global_tunables.ptrace 2011-10-11 16:42:15.566761738 -0400 ++++ serefpolicy-3.10.0/policy/global_tunables 2011-10-11 16:42:16.082761591 -0400 @@ -6,6 +6,13 @@ ## @@ -8,7 +8,7 @@ diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/pol +## Allow sysadm to debug or ptrace all processes. +##

+## -+gen_tunable(allow_ptrace, false) ++gen_tunable(deny_ptrace, false) + +## +##

@@ -16,8 +16,8 @@ diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/pol ##

## diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if ---- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-10-05 14:34:03.265103305 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-10-05 14:34:03.752103823 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace 2011-10-11 16:42:15.581761733 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/kdump.if 2011-10-11 16:42:16.083761591 -0400 @@ -140,8 +140,11 @@ interface(`kdump_admin',` type kdump_initrc_exec_t; ') @@ -25,7 +25,7 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.1 - allow $1 kdump_t:process { ptrace signal_perms }; + allow $1 kdump_t:process signal_perms; ps_process_pattern($1, kdump_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 kdump_t:process ptrace; + ') @@ -33,22 +33,22 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.1 domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if --- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-10-05 14:34:03.753103824 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/kismet.if 2011-10-11 16:42:16.083761591 -0400 @@ -239,7 +239,10 @@ interface(`kismet_admin',` ') ps_process_pattern($1, kismet_t) - allow $1 kismet_t:process { ptrace signal_perms }; + allow $1 kismet_t:process signal_perms; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 kismet_t:process ptrace; + ') kismet_manage_pid_files($1) kismet_manage_lib($1) diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te ---- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-10-05 14:34:03.267103307 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-10-05 14:34:03.753103824 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace 2011-10-11 16:42:15.582761733 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te 2011-10-11 16:42:16.084761591 -0400 @@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t) # Local policy # @@ -59,68 +59,72 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.1 allow kudzu_t self:process { signal_perms execmem }; allow kudzu_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te ---- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-10-05 14:34:03.268103309 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-10-05 14:34:03.754103825 -0400 -@@ -31,7 +31,7 @@ files_type(logrotate_var_lib_t) +--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace 2011-10-11 16:42:15.583761733 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te 2011-10-11 16:42:16.084761591 -0400 +@@ -30,8 +30,6 @@ files_type(logrotate_var_lib_t) + # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; - # for mailx +-# for mailx -dontaudit logrotate_t self:capability { sys_ptrace }; -+dontaudit logrotate_t self:capability sys_ptrace; allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te ---- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-10-05 14:34:03.273103314 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-10-05 14:34:03.754103825 -0400 -@@ -17,7 +17,11 @@ role system_r types ncftool_t; +--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace 2011-10-11 16:42:15.586761731 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te 2011-10-11 16:42:16.085761591 -0400 +@@ -17,8 +17,7 @@ role system_r types ncftool_t; # ncftool local policy # -allow ncftool_t self:capability { net_admin sys_ptrace }; +- +allow ncftool_t self:capability net_admin; -+tunable_policy(`allow_ptrace',` -+ allow ncftool_t self:capability sys_ptrace; -+') -+ - allow ncftool_t self:process signal; + allow ncftool_t self:fifo_file manage_fifo_file_perms; +diff -up serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te.ptrace serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te +--- serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te.ptrace 2011-10-11 16:42:15.590761731 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te 2011-10-11 16:43:18.809744020 -0400 +@@ -266,3 +266,10 @@ optional_policy(` + permissive virt_qmf_t; + ') + ++optional_policy(` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit domain self:capability sys_ptrace; ++') diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te ---- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-10-05 14:34:03.700103767 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-10-05 14:34:03.755103826 -0400 -@@ -248,7 +248,11 @@ optional_policy(` +--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace 2011-10-11 16:42:16.020761610 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/rpm.te 2011-10-11 16:42:16.085761591 -0400 +@@ -248,7 +248,8 @@ optional_policy(` # rpm-script Local policy # -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin }; +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin }; -+tunable_policy(`allow_ptrace',` -+ allow rpm_script_t self:capability sys_ptrace; -+') + allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te ---- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-10-05 14:34:03.288103330 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-10-05 14:34:03.755103826 -0400 -@@ -23,7 +23,11 @@ files_tmp_file(sectool_tmp_t) +--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace 2011-10-11 16:42:15.598761729 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te 2011-10-11 16:42:16.086761591 -0400 +@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t) # sectool local policy # -allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace }; +allow sectoolm_t self:capability { dac_override net_admin sys_nice }; -+tunable_policy(`allow_ptrace',` -+ allow sectoolm_t self:capability sys_ptrace; -+') -+ allow sectoolm_t self:process { getcap getsched signull setsched }; dontaudit sectoolm_t self:process { execstack execmem }; allow sectoolm_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if ---- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-10-05 14:34:03.288103330 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-10-05 14:34:03.756103827 -0400 +--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace 2011-10-11 16:42:15.598761729 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if 2011-10-11 16:42:16.087761591 -0400 @@ -139,8 +139,11 @@ interface(`shorewall_admin',` type shorewall_tmp_t, shorewall_etc_t; ') @@ -128,91 +132,64 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy - allow $1 shorewall_t:process { ptrace signal_perms }; + allow $1 shorewall_t:process signal_perms; ps_process_pattern($1, shorewall_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 shorewall_t:process ptrace; + ') init_labeled_script_domtrans($1, shorewall_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te ---- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-10-05 14:34:03.289103331 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-10-05 14:34:03.757103828 -0400 -@@ -37,8 +37,8 @@ logging_log_file(shorewall_log_t) +--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace 2011-10-11 16:42:15.599761728 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te 2011-10-11 16:42:16.087761591 -0400 +@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t) # shorewall local policy # -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; --dontaudit shorewall_t self:capability sys_tty_config; +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice }; -+dontaudit shorewall_t self:capability { sys_tty_config sys_ptrace }; + dontaudit shorewall_t self:capability sys_tty_config; allow shorewall_t self:fifo_file rw_fifo_file_perms; - read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te ---- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-10-05 14:34:03.291103333 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-10-05 14:34:03.757103828 -0400 -@@ -21,7 +21,11 @@ files_tmpfs_file(sosreport_tmpfs_t) +--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace 2011-10-11 16:42:15.602761727 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te 2011-10-11 16:42:16.088761590 -0400 +@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t) # sosreport local policy # -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; -+tunable_policy(`allow_ptrace',` -+ allow sosreport_t self:capability sys_ptrace; -+') -+ allow sosreport_t self:process { setsched signull }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te ---- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-10-05 14:34:03.722103791 -0400 -+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-05 14:34:03.758103829 -0400 -@@ -433,7 +433,11 @@ optional_policy(` +--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace 2011-10-11 16:42:16.044761602 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-11 16:42:16.088761590 -0400 +@@ -435,7 +435,8 @@ optional_policy(` # Useradd local policy # -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace }; +allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -+tunable_policy(`allow_ptrace',` -+ allow useradd_t self:capability sys_ptrace; -+') + dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te ---- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-10-05 14:34:03.302103345 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-10-05 14:34:03.758103829 -0400 -@@ -21,7 +21,9 @@ ubac_constrained(chrome_sandbox_tmpfs_t) +--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace 2011-10-11 16:42:15.612761725 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/chrome.te 2011-10-11 16:42:16.089761589 -0400 +@@ -21,7 +21,7 @@ ubac_constrained(chrome_sandbox_tmpfs_t) # # chrome_sandbox local policy # -allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot }; -+dontaudit chrome_sandbox_t self:capability sys_ptrace; -+ allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; allow chrome_sandbox_t self:process setsched; allow chrome_sandbox_t self:fifo_file manage_file_perms; -diff -up serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te ---- serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace 2011-10-05 14:34:03.302103345 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te 2011-10-05 14:34:03.759103830 -0400 -@@ -14,7 +14,11 @@ application_domain(cpufreqselector_t, cp - # cpufreq-selector local policy - # - --allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; -+allow cpufreqselector_t self:capability sys_nice; -+tunable_policy(`allow_ptrace',` -+ allow cpufreqselector_t self:capability sys_ptrace; -+') -+ - allow cpufreqselector_t self:process getsched; - allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; - allow cpufreqselector_t self:process getsched; diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if ---- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-10-05 14:34:03.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-05 14:35:10.651174871 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace 2011-10-11 16:42:16.044761602 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-11 16:42:16.089761589 -0400 @@ -59,7 +59,7 @@ template(`execmem_role_template',` userdom_unpriv_usertype($1, $1_execmem_t) @@ -223,8 +200,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3. files_execmod_tmp($1_execmem_t) diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if ---- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-10-05 14:34:03.307103350 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-10-05 14:34:03.760103831 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace 2011-10-11 16:42:15.617761723 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/gnome.if 2011-10-11 16:42:16.090761589 -0400 @@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',` auth_use_nsswitch($1_gkeyringd_t) @@ -235,37 +212,9 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10 dontaudit $3 gkeyringd_exec_t:file entrypoint; stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t) -diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.te ---- serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace 2011-10-05 14:34:03.308103351 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/gnome.te 2011-10-05 14:34:03.761103832 -0400 -@@ -119,7 +119,11 @@ optional_policy(` - # gconf-defaults-mechanisms local policy - # - --allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace }; -+allow gconfdefaultsm_t self:capability { dac_override sys_nice }; -+tunable_policy(`allow_ptrace',` -+ allow gconfdefaultsm_t self:capability sys_ptrace; -+') -+ - allow gconfdefaultsm_t self:process getsched; - allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms; - -@@ -168,7 +172,10 @@ tunable_policy(`use_samba_home_dirs',` - # gnome-system-monitor-mechanisms local policy - # - --allow gnomesystemmm_t self:capability { sys_nice sys_ptrace }; -+allow gnomesystemmm_t self:capability sys_nice; -+tunable_policy(`allow_ptrace',` -+ allow gnomesystemmm_t self:capability sys_ptrace; -+') - allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; - - kernel_read_system_state(gnomesystemmm_t) diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if ---- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-10-05 14:34:03.311103354 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-10-05 14:34:03.761103832 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace 2011-10-11 16:42:15.620761723 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/irc.if 2011-10-11 16:42:16.091761589 -0400 @@ -33,7 +33,7 @@ interface(`irc_role',` domtrans_pattern($2, irssi_exec_t, irssi_t) @@ -276,8 +225,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0 manage_dirs_pattern($2, irssi_home_t, irssi_home_t) diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if ---- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-10-05 14:34:03.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-05 14:35:00.396163979 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace 2011-10-11 16:42:16.045761602 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-11 16:42:16.091761589 -0400 @@ -76,11 +76,11 @@ template(`java_role_template',` userdom_manage_tmpfs_role($2) userdom_manage_tmpfs($1_java_t) @@ -292,15 +241,28 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10. domtrans_pattern($3, java_exec_t, $1_java_t) +diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0/policy/modules/apps/kde.te +--- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace 2011-10-11 16:42:15.624761721 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/kde.te 2011-10-11 16:42:16.092761589 -0400 +@@ -13,9 +13,6 @@ dbus_system_domain(kdebacklighthelper_t, + # + # backlighthelper local policy + # +- +-dontaudit kdebacklighthelper_t self:capability sys_ptrace; +- + allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms; + + kernel_read_system_state(kdebacklighthelper_t) diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te ---- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-10-05 14:34:03.315103358 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-10-05 14:34:03.763103834 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace 2011-10-11 16:42:15.626761720 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/livecd.te 2011-10-11 16:42:16.092761589 -0400 @@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t) dontaudit livecd_t self:capability2 mac_admin; -domain_ptrace_all_domains(livecd_t) -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + domain_ptrace_all_domains(livecd_t) +') + @@ -308,8 +270,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.1 manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if ---- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-10-05 14:34:03.724103793 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-05 14:34:03.764103835 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace 2011-10-11 16:42:16.045761602 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-11 16:42:16.093761589 -0400 @@ -40,8 +40,8 @@ template(`mono_role_template',` domain_interactive_fd($1_mono_t) application_type($1_mono_t) @@ -323,7 +285,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10. diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te --- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-10-05 14:34:03.765103836 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mono.te 2011-10-11 16:42:16.093761589 -0400 @@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) # Local policy # @@ -334,8 +296,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10. init_dbus_chat_script(mono_t) diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if ---- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-10-05 14:34:03.724103793 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-05 14:34:03.765103836 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace 2011-10-11 16:42:16.046761602 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-11 16:42:16.094761589 -0400 @@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',` allow mozilla_plugin_t $1:sem create_sem_perms; @@ -345,9 +307,22 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3. ') ######################################## +diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.te +--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace 2011-10-11 16:42:16.023761608 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te 2011-10-11 16:42:16.094761589 -0400 +@@ -300,9 +300,6 @@ optional_policy(` + # + # mozilla_plugin local policy + # +- +-dontaudit mozilla_plugin_t self:capability { sys_ptrace }; +- + allow mozilla_plugin_t self:process { setsched signal_perms execmem }; + allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; + allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if ---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-10-05 14:34:03.726103795 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-05 14:34:03.766103837 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace 2011-10-11 16:42:16.047761602 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-11 16:42:16.095761589 -0400 @@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', ` dontaudit nsplugin_t $2:shm destroy; allow $2 nsplugin_t:sem rw_sem_perms; @@ -358,8 +333,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3 # Connect to pulseaudit server diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te ---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-10-05 14:34:03.726103795 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-05 14:34:03.766103837 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace 2011-10-11 16:42:16.047761602 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-11 16:42:16.096761589 -0400 @@ -54,7 +54,7 @@ application_executable_file(nsplugin_con # dontaudit nsplugin_t self:capability { sys_nice sys_tty_config }; @@ -370,8 +345,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3 allow nsplugin_t self:sem create_sem_perms; allow nsplugin_t self:shm create_shm_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if ---- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-10-05 14:34:03.323103367 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-10-05 14:34:03.767103838 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace 2011-10-11 16:42:15.634761718 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if 2011-10-11 16:42:16.096761589 -0400 @@ -69,7 +69,7 @@ interface(`openoffice_role_template',` allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; @@ -382,8 +357,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t) diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te ---- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-10-05 14:34:03.705103773 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-10-05 14:34:03.768103840 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace 2011-10-11 16:42:16.023761608 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te 2011-10-11 16:42:16.097761589 -0400 @@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t) # podsleuth local policy # @@ -396,7 +371,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy- allow podsleuth_t self:sem create_sem_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if --- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-10-05 14:34:03.768103840 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/uml.if 2011-10-11 16:42:16.098761588 -0400 @@ -31,9 +31,9 @@ interface(`uml_role',` allow $2 uml_t:unix_dgram_socket sendto; allow uml_t $2:unix_dgram_socket sendto; @@ -410,8 +385,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0 allow $2 uml_ro_t:dir list_dir_perms; read_files_pattern($2, uml_ro_t, uml_ro_t) diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te ---- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-10-05 14:34:03.335103380 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-10-05 14:34:03.769103841 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace 2011-10-11 16:42:15.645761715 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/uml.te 2011-10-11 16:42:16.098761588 -0400 @@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t) # @@ -421,25 +396,9 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0 allow uml_t self:unix_stream_socket create_stream_socket_perms; allow uml_t self:unix_dgram_socket create_socket_perms; # Use the network. -diff -up serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace serefpolicy-3.10.0/policy/modules/apps/vmware.te ---- serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace 2011-10-05 14:34:03.338103383 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/vmware.te 2011-10-05 14:34:03.770103842 -0400 -@@ -72,7 +72,11 @@ ifdef(`enable_mcs',` - # VMWare host local policy - # - --allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override }; -+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override }; -+tunable_policy(`allow_ptrace',` -+ allow vmware_host_t self:capability sys_ptrace; -+') -+ - dontaudit vmware_host_t self:capability sys_tty_config; - allow vmware_host_t self:process { execstack execmem signal_perms }; - allow vmware_host_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if ---- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-10-05 14:34:03.729103798 -0400 -+++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-05 14:34:03.771103843 -0400 +--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace 2011-10-11 16:42:16.050761600 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-11 16:42:16.099761587 -0400 @@ -100,7 +100,7 @@ template(`wine_role_template',` role $2 types $1_wine_t; @@ -450,30 +409,36 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10. corecmd_bin_domtrans($1_wine_t, $1_t) diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te ---- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-10-05 14:34:03.352103398 -0400 -+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-10-05 14:34:03.771103843 -0400 +--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace 2011-10-11 16:42:15.662761711 -0400 ++++ serefpolicy-3.10.0/policy/modules/kernel/domain.te 2011-10-11 16:42:16.225761551 -0400 @@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo allow unconfined_domain_type unconfined_domain_type:dbus send_msg; # Act upon any other process. -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; +allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow unconfined_domain_type domain:process ptrace; +') # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; +@@ -312,3 +315,5 @@ optional_policy(` + optional_policy(` + seutil_dontaudit_read_config(domain) + ') ++ ++dontaudit domain domain:process { noatsecure siginh rlimitinh } ; diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te ---- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-10-05 14:34:03.360103406 -0400 -+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-10-05 14:34:03.772103844 -0400 +--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace 2011-10-11 16:42:15.670761708 -0400 ++++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te 2011-10-11 16:42:16.101761586 -0400 @@ -191,7 +191,11 @@ sid tcp_socket gen_context(system_u:obj # kernel local policy # -allow kernel_t self:capability *; +allow kernel_t self:capability ~{ sys_ptrace }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow kernel_t self:capability sys_ptrace; +') + @@ -490,8 +455,8 @@ diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3 gen_require(` bool secure_mode_insmod; diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te ---- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-10-05 14:34:03.367103414 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-10-05 14:34:03.772103844 -0400 +--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace 2011-10-11 16:42:15.678761705 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te 2011-10-11 16:42:16.102761586 -0400 @@ -28,7 +28,7 @@ userdom_base_user_template(dbadm) # database admin local policy # @@ -503,7 +468,7 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.1 files_delete_generic_locks(dbadm_t) diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te --- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-10-05 14:34:03.773103845 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/logadm.te 2011-10-11 16:42:16.103761586 -0400 @@ -14,6 +14,5 @@ userdom_base_user_template(logadm) # logadmin local policy # @@ -513,8 +478,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3. +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te ---- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-10-05 14:34:03.706103774 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-05 14:34:03.774103846 -0400 +--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace 2011-10-11 16:42:16.051761600 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-11 16:42:16.104761586 -0400 @@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1) # Declarations # @@ -529,9 +494,18 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3. role sysadm_r; userdom_admin_user_template(sysadm) +@@ -86,7 +79,7 @@ ifndef(`enable_mls',` + logging_stream_connect_syslog(sysadm_t) + ') + +-tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + domain_ptrace_all_domains(sysadm_t) + ') + diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te ---- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-10-05 14:34:03.372103419 -0400 -+++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-10-05 14:34:03.774103846 -0400 +--- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace 2011-10-11 16:42:15.683761705 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/webadm.te 2011-10-11 16:42:16.104761586 -0400 @@ -28,7 +28,7 @@ userdom_base_user_template(webadm) # webadmin local policy # @@ -542,8 +516,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3. files_dontaudit_search_all_dirs(webadm_t) files_manage_generic_locks(webadm_t) diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if ---- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-10-05 14:34:03.374103421 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-10-05 14:34:03.775103847 -0400 +--- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace 2011-10-11 16:42:15.684761704 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/abrt.if 2011-10-11 16:42:16.106761585 -0400 @@ -333,9 +333,13 @@ interface(`abrt_admin',` type abrt_initrc_exec_t; ') @@ -552,7 +526,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3 + allow $1 abrt_t:process { signal_perms }; ps_process_pattern($1, abrt_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 abrt_t:process ptrace; + ') + @@ -560,8 +534,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3 domain_system_change_exemption($1) role_transition $2 abrt_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if ---- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-10-05 14:34:03.375103422 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-10-05 14:34:03.775103847 -0400 +--- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace 2011-10-11 16:42:15.686761703 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/accountsd.if 2011-10-11 16:42:16.106761585 -0400 @@ -138,8 +138,12 @@ interface(`accountsd_admin',` type accountsd_t; ') @@ -570,16 +544,16 @@ diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpol + allow $1 accountsd_t:process signal_perms; ps_process_pattern($1, accountsd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 acountsd_t:process ptrace; + ') + accountsd_manage_lib_files($1) ') diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te ---- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-10-05 14:34:03.376103423 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-10-05 14:34:03.776103848 -0400 -@@ -19,10 +19,14 @@ files_type(accountsd_var_lib_t) +--- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace 2011-10-11 16:42:15.686761703 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/accountsd.te 2011-10-11 16:42:16.107761584 -0400 +@@ -19,7 +19,7 @@ files_type(accountsd_var_lib_t) # accountsd local policy # @@ -588,16 +562,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpol allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; -+tunable_policy(`allow_ptrace',` -+ allow accountsd_t self:capability sys_ptrace; -+') -+ - manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) - manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t) - files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir }) diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if ---- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-10-05 14:34:03.376103423 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-10-05 14:34:03.776103848 -0400 +--- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace 2011-10-11 16:42:15.686761703 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/afs.if 2011-10-11 16:42:16.107761584 -0400 @@ -97,9 +97,13 @@ interface(`afs_admin',` type afs_t, afs_initrc_exec_t; ') @@ -606,7 +573,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3. + allow $1 afs_t:process signal_perms; ps_process_pattern($1, afs_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 afs_t:process ptrace; + ') + @@ -615,7 +582,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3. domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if --- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-10-05 14:34:03.777103849 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/aiccu.if 2011-10-11 16:42:16.108761584 -0400 @@ -79,9 +79,13 @@ interface(`aiccu_admin',` type aiccu_var_run_t; ') @@ -624,7 +591,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy- + allow $1 aiccu_t:process signal_perms; ps_process_pattern($1, aiccu_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 aiccu_t:process ptrace; + ') + @@ -632,8 +599,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if ---- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-10-05 14:34:03.378103425 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-10-05 14:34:03.778103850 -0400 +--- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace 2011-10-11 16:42:15.689761703 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/aide.if 2011-10-11 16:42:16.108761584 -0400 @@ -61,9 +61,13 @@ interface(`aide_admin',` type aide_t, aide_db_t, aide_log_t; ') @@ -642,7 +609,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3 + allow $1 aide_t:process signal_perms; ps_process_pattern($1, aide_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 aide_t:process ptrace; + ') + @@ -650,8 +617,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3 admin_pattern($1, aide_db_t) diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if ---- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-10-05 14:34:03.379103426 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-10-05 14:34:03.778103850 -0400 +--- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace 2011-10-11 16:42:15.690761703 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/aisexec.if 2011-10-11 16:42:16.109761584 -0400 @@ -82,9 +82,13 @@ interface(`aisexecd_admin',` type aisexec_initrc_exec_t; ') @@ -660,7 +627,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolic + allow $1 aisexec_t:process signal_perms; ps_process_pattern($1, aisexec_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 aisexec_t:process ptrace; + ') + @@ -668,8 +635,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolic domain_system_change_exemption($1) role_transition $2 aisexec_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if ---- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-10-05 14:34:03.381103429 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-10-05 14:34:03.779103851 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace 2011-10-11 16:42:15.691761702 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if 2011-10-11 16:42:16.109761584 -0400 @@ -76,9 +76,13 @@ interface(`ajaxterm_admin',` type ajaxterm_t, ajaxterm_initrc_exec_t; ') @@ -678,7 +645,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpoli + allow $1 ajaxterm_t:process signal_perms; ps_process_pattern($1, ajaxterm_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ajaxterm_t:process ptrace; + ') + @@ -687,7 +654,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpoli role_transition $2 ajaxterm_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if --- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-10-05 14:34:03.779103851 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/amavis.if 2011-10-11 16:42:16.110761584 -0400 @@ -231,9 +231,13 @@ interface(`amavis_admin',` type amavis_initrc_exec_t; ') @@ -696,7 +663,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy + allow $1 amavis_t:process signal_perms; ps_process_pattern($1, amavis_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 amavis_t:process ptrace; + ') + @@ -704,9 +671,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if ---- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-10-05 14:34:03.744103814 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-10-05 14:34:03.780103852 -0400 -@@ -1301,9 +1301,13 @@ interface(`apache_admin',` +--- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace 2011-10-11 16:42:16.076761593 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-10-11 16:42:16.111761584 -0400 +@@ -1297,9 +1297,13 @@ interface(`apache_admin',` type httpd_unit_file_t; ') @@ -714,7 +681,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy + allow $1 httpd_t:process signal_perms; ps_process_pattern($1, httpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 httpd_t:process ptrace; + ') + @@ -723,7 +690,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy role_transition $2 httpd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if --- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-10-05 14:34:03.781103853 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if 2011-10-11 16:42:16.111761584 -0400 @@ -146,9 +146,13 @@ interface(`apcupsd_admin',` type apcupsd_initrc_exec_t; ') @@ -732,16 +699,28 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolic + allow $1 apcupsd_t:process signal_perms; ps_process_pattern($1, apcupsd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 apcupsd_t:process ptrace; + ') + apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 apcupsd_initrc_exec_t system_r; +diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3.10.0/policy/modules/services/apm.te +--- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace 2011-10-11 16:42:15.697761701 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/apm.te 2011-10-11 16:42:16.112761584 -0400 +@@ -60,7 +60,7 @@ logging_send_syslog_msg(apm_t) + # mknod: controlling an orderly resume of PCMCIA requires creating device + # nodes 254,{0,1,2} for some reason. + allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; +-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; ++dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config }; + allow apmd_t self:process { signal_perms getsession }; + allow apmd_t self:fifo_file rw_fifo_file_perms; + allow apmd_t self:netlink_socket create_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if ---- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-10-05 14:34:03.387103435 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-10-05 14:34:03.781103853 -0400 +--- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace 2011-10-11 16:42:15.698761701 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if 2011-10-11 16:42:16.113761583 -0400 @@ -137,9 +137,13 @@ interface(`arpwatch_admin',` type arpwatch_initrc_exec_t; ') @@ -750,7 +729,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpoli + allow $1 arpwatch_t:process signal_perms; ps_process_pattern($1, arpwatch_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 arpwatch_t:process ptrace; + ') + @@ -758,8 +737,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 arpwatch_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if ---- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-10-05 14:34:03.389103437 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-10-05 14:34:03.782103854 -0400 +--- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace 2011-10-11 16:42:15.699761701 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/asterisk.if 2011-10-11 16:42:16.113761583 -0400 @@ -64,9 +64,13 @@ interface(`asterisk_admin',` type asterisk_initrc_exec_t; ') @@ -768,7 +747,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpoli + allow $1 asterisk_t:process signal_perms; ps_process_pattern($1, asterisk_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 asterisk_t:process ptrace; + ') + @@ -776,8 +755,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if ---- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-10-05 14:34:03.390103438 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-10-05 14:34:03.783103855 -0400 +--- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace 2011-10-11 16:42:15.700761701 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/automount.if 2011-10-11 16:42:16.114761582 -0400 @@ -150,9 +150,13 @@ interface(`automount_admin',` type automount_var_run_t, automount_initrc_exec_t; ') @@ -786,7 +765,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpol + allow $1 automount_t:process signal_perms; ps_process_pattern($1, automount_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 automount_t:process ptrace; + ') + @@ -794,8 +773,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpol domain_system_change_exemption($1) role_transition $2 automount_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if ---- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-10-05 14:34:03.391103439 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-10-05 14:34:03.783103855 -0400 +--- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace 2011-10-11 16:42:15.701761700 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/avahi.if 2011-10-11 16:42:16.114761582 -0400 @@ -154,9 +154,13 @@ interface(`avahi_admin',` type avahi_t, avahi_var_run_t, avahi_initrc_exec_t; ') @@ -804,7 +783,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy- + allow $1 avahi_t:process signal_perms; ps_process_pattern($1, avahi_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 avahi_t:process ptrace; + ') + @@ -812,9 +791,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 avahi_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if ---- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-10-05 14:34:03.393103441 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-10-05 14:34:03.784103857 -0400 -@@ -409,12 +409,20 @@ interface(`bind_admin',` +--- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace 2011-10-11 16:42:15.702761699 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/bind.if 2011-10-11 16:42:16.115761582 -0400 +@@ -408,12 +408,20 @@ interface(`bind_admin',` type dnssec_t, ndc_t, named_keytab_t; ') @@ -823,14 +802,14 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3 ps_process_pattern($1, named_t) - allow $1 ndc_t:process { ptrace signal_perms }; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 named_t:process ptrace; + ') + + allow $1 ndc_t:process signal_perms; ps_process_pattern($1, ndc_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ndc_t:process ptrace; + ') + @@ -839,7 +818,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3 init_labeled_script_domtrans($1, named_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if --- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-10-05 14:34:03.784103857 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if 2011-10-11 16:42:16.116761582 -0400 @@ -43,9 +43,13 @@ interface(`bitlbee_admin',` type bitlbee_initrc_exec_t; ') @@ -848,7 +827,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolic + allow $1 bitlbee_t:process signal_perms; ps_process_pattern($1, bitlbee_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 bitlbee_t:process ptrace; + ') + @@ -856,8 +835,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolic domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if ---- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-10-05 14:34:03.395103443 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-10-05 14:34:03.785103858 -0400 +--- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace 2011-10-11 16:42:15.705761698 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if 2011-10-11 16:42:16.116761582 -0400 @@ -28,7 +28,11 @@ interface(`bluetooth_role',` # allow ps to show cdrecord and allow the user to kill it @@ -865,7 +844,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpol - allow $2 bluetooth_helper_t:process { ptrace signal_perms }; + allow $2 bluetooth_helper_t:process signal_perms; + -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 bluetooth_helper_t:process ptrace; + ') @@ -879,7 +858,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpol + allow $1 bluetooth_t:process signal_perms; ps_process_pattern($1, bluetooth_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 bluetooth_t:process ptrace; + ') + @@ -887,8 +866,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpol domain_system_change_exemption($1) role_transition $2 bluetooth_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if ---- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-10-05 14:34:03.396103444 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-10-05 14:34:03.785103858 -0400 +--- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace 2011-10-11 16:42:15.706761698 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/boinc.if 2011-10-11 16:42:16.117761582 -0400 @@ -137,9 +137,13 @@ interface(`boinc_admin',` type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t; ') @@ -897,7 +876,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy- + allow $1 boinc_t:process signal_perms; ps_process_pattern($1, boinc_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 boic_t:process ptrace; + ') + @@ -905,8 +884,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 boinc_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te ---- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-10-05 14:34:03.709103777 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-10-05 14:34:03.786103859 -0400 +--- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace 2011-10-11 16:42:16.027761608 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/boinc.te 2011-10-11 16:42:16.117761582 -0400 @@ -121,9 +121,13 @@ mta_send_mail(boinc_t) domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) allow boinc_t boinc_project_t:process sigkill; @@ -915,7 +894,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy- +allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop }; allow boinc_project_t self:process { execmem execstack }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow boinc_project_t self:process ptrace; +') + @@ -923,8 +902,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy- allow boinc_project_t self:sem create_sem_perms; diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if ---- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-10-05 14:34:03.398103447 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-10-05 14:34:03.787103860 -0400 +--- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace 2011-10-11 16:42:15.707761698 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if 2011-10-11 16:42:16.118761582 -0400 @@ -62,9 +62,13 @@ interface(`bugzilla_admin',` type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t; ') @@ -933,7 +912,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpoli + allow $1 httpd_bugzilla_script_t:process signal_perms; ps_process_pattern($1, httpd_bugzilla_script_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 httpd_bugzilla_script_t:process ptrace; + ') + @@ -941,8 +920,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpoli admin_pattern($1, httpd_bugzilla_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if ---- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-10-05 14:34:03.400103449 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-10-05 14:34:03.787103860 -0400 +--- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace 2011-10-11 16:42:15.710761696 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/callweaver.if 2011-10-11 16:42:16.119761582 -0400 @@ -336,9 +336,13 @@ interface(`callweaver_admin',` type callweaver_spool_t; ') @@ -951,7 +930,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpo + allow $1 callweaver_t:process signal_perms; ps_process_pattern($1, callweaver_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 callweaver_t:process ptrace; + ') + @@ -960,7 +939,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpo role_transition $2 callweaver_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if --- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-10-05 14:34:03.788103861 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/canna.if 2011-10-11 16:42:16.119761582 -0400 @@ -42,9 +42,13 @@ interface(`canna_admin',` type canna_var_run_t, canna_initrc_exec_t; ') @@ -969,7 +948,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy- + allow $1 canna_t:process signal_perms; ps_process_pattern($1, canna_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 canna_t:process ptrace; + ') + @@ -977,8 +956,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 canna_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if ---- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-10-05 14:34:03.403103452 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-10-05 14:34:03.788103861 -0400 +--- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace 2011-10-11 16:42:15.713761696 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/certmaster.if 2011-10-11 16:42:16.120761581 -0400 @@ -119,9 +119,13 @@ interface(`certmaster_admin',` type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t; ') @@ -987,7 +966,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpo + allow $1 certmaster_t:process signal_perms; ps_process_pattern($1, certmaster_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 certmaster_t:process ptrace; + ') + @@ -995,8 +974,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpo domain_system_change_exemption($1) role_transition $2 certmaster_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if ---- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-10-05 14:34:03.405103454 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-10-05 14:34:03.790103863 -0400 +--- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace 2011-10-11 16:42:15.714761696 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/certmonger.if 2011-10-11 16:42:16.120761581 -0400 @@ -158,7 +158,11 @@ interface(`certmonger_admin',` ') @@ -1004,15 +983,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpo - allow $1 certmonger_t:process { ptrace signal_perms }; + allow $1 certmonger_t:process signal_perms; + -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 certmonger_t:process ptrace; + ') # Allow certmonger_t to restart the apache service certmonger_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if ---- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-10-05 14:34:03.407103456 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-10-05 14:34:03.790103863 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace 2011-10-11 16:42:15.716761695 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cgroup.if 2011-10-11 16:42:16.121761580 -0400 @@ -171,15 +171,27 @@ interface(`cgroup_admin',` type cgrules_etc_t, cgclear_t; ') @@ -1022,7 +1001,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy ps_process_pattern($1, cgclear_t) - allow $1 cgconfig_t:process { ptrace signal_perms }; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 cglear_t:process ptrace; + ') + @@ -1030,14 +1009,14 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy ps_process_pattern($1, cgconfig_t) - allow $1 cgred_t:process { ptrace signal_perms }; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 cgconfig_t:process ptrace; + ') + + allow $1 cgred_t:process signal_perms; ps_process_pattern($1, cgred_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 cgred_t:process ptrace; + ') + @@ -1045,25 +1024,22 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy admin_pattern($1, cgrules_etc_t) files_list_etc($1) diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te ---- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-10-05 14:34:03.407103456 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-10-05 14:34:03.791103864 -0400 -@@ -76,7 +76,11 @@ fs_unmount_cgroup(cgconfig_t) +--- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace 2011-10-11 16:42:15.717761694 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cgroup.te 2011-10-11 16:42:16.121761580 -0400 +@@ -76,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t) # cgred personal policy. # -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; +allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override }; -+tunable_policy(`allow_ptrace',` -+ allow cgred_t self:capability sys_ptrace; -+') + allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if ---- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-10-05 14:34:03.408103457 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-10-05 14:34:03.791103864 -0400 -@@ -218,9 +218,13 @@ interface(`chronyd_admin',` +--- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace 2011-10-11 16:42:15.718761694 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/chronyd.if 2011-10-11 16:42:16.122761580 -0400 +@@ -217,9 +217,13 @@ interface(`chronyd_admin',` type chronyd_keys_t; ') @@ -1071,7 +1047,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolic + allow $1 chronyd_t:process signal_perms; ps_process_pattern($1, chronyd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 chronyd_t:process ptrace; + ') + @@ -1079,8 +1055,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolic domain_system_change_exemption($1) role_transition $2 chronyd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if ---- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-10-05 14:34:03.410103459 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-10-05 14:34:03.792103865 -0400 +--- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace 2011-10-11 16:42:15.720761694 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/clamav.if 2011-10-11 16:42:16.123761580 -0400 @@ -176,13 +176,19 @@ interface(`clamav_admin',` type freshclam_t, freshclam_var_log_t; ') @@ -1090,7 +1066,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy ps_process_pattern($1, clamd_t) - allow $1 clamscan_t:process { ptrace signal_perms }; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 clamd_t:process ptrace; + allow $1 clamscan_t:process ptrace; + allow $1 freshclam_t:process ptrace; @@ -1105,8 +1081,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy init_labeled_script_domtrans($1, clamd_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if ---- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-10-05 14:34:03.413103463 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-10-05 14:34:03.792103865 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace 2011-10-11 16:42:15.723761693 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if 2011-10-11 16:42:16.123761580 -0400 @@ -101,9 +101,13 @@ interface(`cmirrord_admin',` type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t; ') @@ -1115,7 +1091,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpoli + allow $1 cmirrord_t:process signal_perms; ps_process_pattern($1, cmirrord_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 cmorrord_t:process ptrace; + ') + @@ -1123,8 +1099,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if ---- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-10-05 14:34:03.414103464 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-10-05 14:34:03.793103866 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace 2011-10-11 16:42:15.724761692 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cobbler.if 2011-10-11 16:42:16.124761580 -0400 @@ -189,9 +189,13 @@ interface(`cobblerd_admin',` type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t; ') @@ -1133,16 +1109,28 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolic + allow $1 cobblerd_t:process signal_perms; ps_process_pattern($1, cobblerd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 cobblerd_t:process ptrace; + ') + files_list_etc($1) admin_pattern($1, cobbler_etc_t) +diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.te +--- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace 2011-10-11 16:42:15.724761692 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cobbler.te 2011-10-11 16:42:16.124761580 -0400 +@@ -60,7 +60,7 @@ files_tmp_file(cobbler_tmp_t) + # + + allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; +-dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config }; ++dontaudit cobblerd_t self:capability sys_tty_config; + + allow cobblerd_t self:process { getsched setsched signal }; + allow cobblerd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if ---- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-10-05 14:34:03.416103466 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-10-05 14:34:03.794103867 -0400 +--- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace 2011-10-11 16:42:15.725761692 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/collectd.if 2011-10-11 16:42:16.125761580 -0400 @@ -142,9 +142,13 @@ interface(`collectd_admin',` type collectd_var_lib_t; ') @@ -1151,7 +1139,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpoli + allow $1 collectd_t:process signal_perms; ps_process_pattern($1, collectd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 collectd_t:process ptrace; + ') + @@ -1159,35 +1147,31 @@ diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 collectd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te ---- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-10-05 14:34:03.418103468 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-10-05 14:34:03.794103867 -0400 -@@ -23,7 +23,12 @@ files_tmpfs_file(consolekit_tmpfs_t) +--- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace 2011-10-11 16:42:15.727761692 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/consolekit.te 2011-10-11 16:42:16.125761580 -0400 +@@ -23,7 +23,8 @@ files_tmpfs_file(consolekit_tmpfs_t) # consolekit local policy # -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice }; + -+tunable_policy(`allow_ptrace',` -+ allow consolekit_t self:capability sys_ptrace; -+') -+ allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -144,6 +149,8 @@ optional_policy(` +@@ -144,6 +145,8 @@ optional_policy(` optional_policy(` #reading .Xauthity - unconfined_ptrace(consolekit_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + unconfined_ptrace(consolekit_t) + ') unconfined_stream_connect(consolekit_t) ') diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if ---- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-10-05 14:34:03.419103469 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-10-05 14:34:03.795103868 -0400 +--- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace 2011-10-11 16:42:15.728761692 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/corosync.if 2011-10-11 16:42:16.126761580 -0400 @@ -101,9 +101,13 @@ interface(`corosyncd_admin',` type corosync_initrc_exec_t; ') @@ -1196,7 +1180,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpoli + allow $1 corosync_t:process signal_perms; ps_process_pattern($1, corosync_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 corosync_t:process ptrace; + ') + @@ -1204,9 +1188,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te ---- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-10-05 14:34:03.419103469 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-10-05 14:34:03.795103868 -0400 -@@ -32,9 +32,13 @@ files_pid_file(corosync_var_run_t) +--- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace 2011-10-11 16:42:15.729761692 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/corosync.te 2011-10-11 16:42:16.126761580 -0400 +@@ -32,7 +32,7 @@ files_pid_file(corosync_var_run_t) # corosync local policy # @@ -1214,16 +1198,10 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpoli +allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock }; allow corosync_t self:process { setpgid setrlimit setsched signal signull }; -+tunable_policy(`allow_ptrace',` -+ allow corosync_t self:capability sys_ptrace; -+') -+ allow corosync_t self:fifo_file rw_fifo_file_perms; - allow corosync_t self:sem create_sem_perms; - allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if ---- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-10-05 14:34:03.423103473 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-10-05 14:34:03.796103869 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace 2011-10-11 16:42:15.732761690 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cron.if 2011-10-11 16:42:16.127761579 -0400 @@ -140,7 +140,11 @@ interface(`cron_role',` # crontab shows up in user ps @@ -1231,7 +1209,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3 - allow $2 crontab_t:process { ptrace signal_perms }; + allow $2 crontab_t:process signal_perms; + -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 crontab_t:process ptrace; + ') @@ -1243,7 +1221,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3 ps_process_pattern($2, unconfined_cronjob_t) - allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; + allow $2 unconfined_cronjob_t:process signal_perms; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 unconfined_cronjob_t:process ptrace; + ') @@ -1255,15 +1233,26 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3 ps_process_pattern($2, admin_crontab_t) - allow $2 admin_crontab_t:process { ptrace signal_perms }; + allow $2 admin_crontab_t:process signal_perms; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 admin_crontab_t:process ptrace; + ') # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) +diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3.10.0/policy/modules/services/cron.te +--- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace 2011-10-11 16:42:16.027761608 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cron.te 2011-10-11 16:42:16.128761578 -0400 +@@ -350,7 +350,6 @@ optional_policy(` + # + + allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice }; +-dontaudit system_cronjob_t self:capability sys_ptrace; + + allow system_cronjob_t self:process { signal_perms getsched setsched }; + allow system_cronjob_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if ---- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-10-05 14:34:03.424103474 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-10-05 14:34:03.797103870 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace 2011-10-11 16:42:15.734761690 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if 2011-10-11 16:42:16.128761578 -0400 @@ -236,8 +236,11 @@ interface(`ctdbd_admin',` type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t; ') @@ -1271,16 +1260,16 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy- - allow $1 ctdbd_t:process { ptrace signal_perms }; + allow $1 ctdbd_t:process signal_perms; ps_process_pattern($1, ctdbd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ctdbd_t:process ptrace; + ') ctdbd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te ---- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-10-05 14:34:03.425103475 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-10-05 14:34:03.797103870 -0400 -@@ -33,9 +33,13 @@ files_pid_file(ctdbd_var_run_t) +--- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace 2011-10-11 16:42:15.734761690 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te 2011-10-11 16:42:16.129761578 -0400 +@@ -33,7 +33,7 @@ files_pid_file(ctdbd_var_run_t) # ctdbd local policy # @@ -1288,16 +1277,10 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy- +allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice }; allow ctdbd_t self:process { setpgid signal_perms setsched }; -+tunable_policy(`allow_ptrace',` -+ allow ctdbd_t self:capability sys_ptrace; -+') -+ allow ctdbd_t self:fifo_file rw_fifo_file_perms; - allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms }; - allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if ---- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-10-05 14:34:03.426103476 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-10-05 14:34:03.798103871 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace 2011-10-11 16:42:15.735761690 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cups.if 2011-10-11 16:42:16.130761578 -0400 @@ -327,9 +327,13 @@ interface(`cups_admin',` type ptal_var_run_t; ') @@ -1306,7 +1289,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3 + allow $1 cupsd_t:process signal_perms; ps_process_pattern($1, cupsd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 cupsd_t:process ptrace; + ') + @@ -1314,8 +1297,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3 domain_system_change_exemption($1) role_transition $2 cupsd_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if ---- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-10-05 14:34:03.427103477 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-10-05 14:34:03.798103871 -0400 +--- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace 2011-10-11 16:42:15.737761690 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cvs.if 2011-10-11 16:42:16.131761578 -0400 @@ -80,9 +80,13 @@ interface(`cvs_admin',` type cvs_data_t, cvs_var_run_t; ') @@ -1324,7 +1307,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3. + allow $1 cvs_t:process signal_perms; ps_process_pattern($1, cvs_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 cvs_t:process ptrace; + ') + @@ -1333,7 +1316,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3. domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if --- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-10-05 14:34:03.799103872 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/cyrus.if 2011-10-11 16:42:16.131761578 -0400 @@ -62,9 +62,13 @@ interface(`cyrus_admin',` type cyrus_var_run_t, cyrus_initrc_exec_t; ') @@ -1342,7 +1325,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy- + allow $1 cyrus_t:process signal_perms; ps_process_pattern($1, cyrus_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 cyrus_t:process ptrace; + ') + @@ -1350,8 +1333,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy- domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if ---- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-10-05 14:34:03.431103482 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-10-05 14:34:03.800103874 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace 2011-10-11 16:42:15.740761689 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dbus.if 2011-10-11 16:42:16.132761578 -0400 @@ -71,7 +71,11 @@ template(`dbus_role_template',` domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) @@ -1359,15 +1342,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3 - allow $3 $1_dbusd_t:process { ptrace signal_perms }; + allow $3 $1_dbusd_t:process signal_perms; + -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $3 $1_dbusd_t:process ptrace; + ') # cjp: this seems very broken corecmd_bin_domtrans($1_dbusd_t, $1_t) diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if ---- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-10-05 14:34:03.433103484 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-10-05 14:34:03.800103874 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace 2011-10-11 16:42:15.742761687 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ddclient.if 2011-10-11 16:42:16.132761578 -0400 @@ -68,9 +68,13 @@ interface(`ddclient_admin',` type ddclient_var_run_t; ') @@ -1376,7 +1359,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpoli + allow $1 ddclient_t:process signal_perms; ps_process_pattern($1, ddclient_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ddclient_t:process ptrace; + ') + @@ -1384,8 +1367,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpoli domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if ---- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-10-05 14:34:03.434103485 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-10-05 14:34:03.801103875 -0400 +--- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace 2011-10-11 16:42:15.744761687 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if 2011-10-11 16:42:16.133761578 -0400 @@ -67,9 +67,13 @@ interface(`denyhosts_admin',` type denyhosts_var_log_t, denyhosts_initrc_exec_t; ') @@ -1394,7 +1377,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpol + allow $1 denyhosts_t:process signal_perms; ps_process_pattern($1, denyhosts_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 denyhosts_t:process ptrace; + ') + @@ -1402,8 +1385,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpol domain_system_change_exemption($1) role_transition $2 denyhosts_initrc_exec_t system_r; diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if ---- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-10-05 14:34:03.436103487 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-10-05 14:34:03.802103876 -0400 +--- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace 2011-10-11 16:42:15.745761687 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/devicekit.if 2011-10-11 16:42:16.133761578 -0400 @@ -308,13 +308,18 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -1411,7 +1394,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpol - allow $1 devicekit_t:process { ptrace signal_perms }; + allow $1 devicekit_t:process signal_perms; ps_process_pattern($1, devicekit_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 devicekit_t:process ptrace; + allow $1 devicekit_disk_t:process ptrace; + allow $1 devicekit_power_t:process ptrace; @@ -1427,35 +1410,30 @@ diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpol admin_pattern($1, devicekit_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te ---- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-10-05 14:34:03.437103488 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-10-05 14:34:03.802103876 -0400 -@@ -65,7 +65,10 @@ optional_policy(` +--- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace 2011-10-11 16:42:15.746761687 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/devicekit.te 2011-10-11 16:42:16.134761577 -0400 +@@ -65,7 +65,8 @@ optional_policy(` # DeviceKit disk local policy # -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio }; -+tunable_policy(`allow_ptrace',` -+ allow devicekit_disk_t self:capability sys_ptrace; -+') ++ allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -199,7 +202,10 @@ optional_policy(` +@@ -199,7 +200,7 @@ optional_policy(` # DeviceKit-Power local policy # -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace }; +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice }; -+tunable_policy(`allow_ptrace',` -+ allow devicekit_power_t self:capability sys_ptrace; -+') allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if ---- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-10-05 14:34:03.438103489 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-10-05 14:34:03.803103877 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace 2011-10-11 16:42:15.747761687 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dhcp.if 2011-10-11 16:42:16.135761576 -0400 @@ -105,8 +105,11 @@ interface(`dhcpd_admin',` type dhcpd_var_run_t, dhcpd_initrc_exec_t; ') @@ -1463,7 +1441,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3 - allow $1 dhcpd_t:process { ptrace signal_perms }; + allow $1 dhcpd_t:process signal_perms; ps_process_pattern($1, dhcpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 dhcpd_t:process ptrace; + ') @@ -1471,7 +1449,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3 domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if --- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-10-05 14:34:03.803103877 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dictd.if 2011-10-11 16:42:16.135761576 -0400 @@ -38,8 +38,11 @@ interface(`dictd_admin',` type dictd_var_run_t, dictd_initrc_exec_t; ') @@ -1479,31 +1457,31 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy- - allow $1 dictd_t:process { ptrace signal_perms }; + allow $1 dictd_t:process signal_perms; ps_process_pattern($1, dictd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 dictd_t:process ptrace; + ') init_labeled_script_domtrans($1, dictd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if ---- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-10-05 14:34:03.443103494 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-10-05 14:34:03.804103878 -0400 -@@ -282,8 +282,11 @@ interface(`dnsmasq_admin',` +--- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace 2011-10-11 16:42:15.752761685 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if 2011-10-11 16:42:16.136761576 -0400 +@@ -281,8 +281,11 @@ interface(`dnsmasq_admin',` type dnsmasq_initrc_exec_t; ') - allow $1 dnsmasq_t:process { ptrace signal_perms }; + allow $1 dnsmasq_t:process signal_perms; ps_process_pattern($1, dnsmasq_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 dnsmasq_t:process ptrace; + ') init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if ---- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-10-05 14:34:03.445103496 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-10-05 14:34:03.805103879 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace 2011-10-11 16:42:15.754761685 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dovecot.if 2011-10-11 16:42:16.136761576 -0400 @@ -119,8 +119,11 @@ interface(`dovecot_admin',` type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t; ') @@ -1511,15 +1489,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolic - allow $1 dovecot_t:process { ptrace signal_perms }; + allow $1 dovecot_t:process signal_perms; ps_process_pattern($1, dovecot_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 dovecot_t:process ptrace; + ') init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if ---- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-10-05 14:34:03.446103498 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-10-05 14:34:03.806103880 -0400 +--- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace 2011-10-11 16:42:15.755761684 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/drbd.if 2011-10-11 16:42:16.137761576 -0400 @@ -120,8 +120,11 @@ interface(`drbd_admin',` type drbd_var_lib_t; ') @@ -1527,15 +1505,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3 - allow $1 drbd_t:process { ptrace signal_perms }; + allow $1 drbd_t:process signal_perms; ps_process_pattern($1, drbd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 drbd_t:process ptrace; + ') files_search_var_lib($1) admin_pattern($1, drbd_var_lib_t) diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if ---- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-10-05 14:34:03.447103499 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-10-05 14:34:03.806103880 -0400 +--- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace 2011-10-11 16:42:15.756761683 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/dspam.if 2011-10-11 16:42:16.138761576 -0400 @@ -244,8 +244,11 @@ interface(`dspam_admin',` type dspam_var_run_t; ') @@ -1543,15 +1521,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy- - allow $1 dspam_t:process { ptrace signal_perms }; + allow $1 dspam_t:process signal_perms; ps_process_pattern($1, dspam_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 dspam_t:process ptrace; + ') dspam_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if ---- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-10-05 14:34:03.449103501 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-10-05 14:34:03.807103881 -0400 +--- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace 2011-10-11 16:42:15.758761683 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/exim.if 2011-10-11 16:42:16.139761576 -0400 @@ -260,8 +260,11 @@ interface(`exim_admin',` type exim_tmp_t, exim_spool_t, exim_var_run_t; ') @@ -1559,15 +1537,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3 - allow $1 exim_t:process { ptrace signal_perms }; + allow $1 exim_t:process signal_perms; ps_process_pattern($1, exim_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 exim_t:process ptrace; + ') exim_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if ---- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-10-05 14:34:03.450103502 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-10-05 14:34:03.807103881 -0400 +--- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace 2011-10-11 16:42:15.760761683 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if 2011-10-11 16:42:16.139761576 -0400 @@ -199,8 +199,11 @@ interface(`fail2ban_admin',` type fail2ban_client_t; ') @@ -1575,15 +1553,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpoli - allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms }; + allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; + ') init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if ---- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-10-05 14:34:03.452103504 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-10-05 14:34:03.808103882 -0400 +--- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace 2011-10-11 16:42:15.761761683 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if 2011-10-11 16:42:16.140761576 -0400 @@ -81,8 +81,11 @@ interface(`fcoemon_admin',` type fcoemon_var_run_t; ') @@ -1591,15 +1569,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolic - allow $1 fcoemon_t:process { ptrace signal_perms }; + allow $1 fcoemon_t:process signal_perms; ps_process_pattern($1, fcoemon_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 fcoemon_t:process ptrace; + ') files_search_pids($1) admin_pattern($1, fcoemon_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if ---- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-10-05 14:34:03.453103505 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-10-05 14:34:03.809103883 -0400 +--- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace 2011-10-11 16:42:15.762761682 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if 2011-10-11 16:42:16.140761576 -0400 @@ -18,8 +18,11 @@ interface(`fetchmail_admin',` type fetchmail_var_run_t; ') @@ -1607,15 +1585,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpol - allow $1 fetchmail_t:process { ptrace signal_perms }; + allow $1 fetchmail_t:process signal_perms; ps_process_pattern($1, fetchmail_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 fetchmail_t:process ptrace; + ') files_list_etc($1) admin_pattern($1, fetchmail_etc_t) diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if ---- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-10-05 14:34:03.454103506 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-10-05 14:34:03.809103883 -0400 +--- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace 2011-10-11 16:42:15.763761681 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/firewalld.if 2011-10-11 16:42:16.141761575 -0400 @@ -62,8 +62,11 @@ interface(`firewalld_admin',` type firewalld_initrc_exec_t; ') @@ -1623,47 +1601,44 @@ diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpol - allow $1 firewalld_t:process { ptrace signal_perms }; + allow $1 firewalld_t:process signal_perms; ps_process_pattern($1, firewalld_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 firewalld_t:process ptrace; + ') firewalld_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te ---- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-10-05 14:34:03.456103508 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-10-05 14:34:03.810103884 -0400 -@@ -17,7 +17,11 @@ files_type(fprintd_var_lib_t) +--- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace 2011-10-11 16:42:15.765761681 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/fprintd.te 2011-10-11 16:42:16.141761575 -0400 +@@ -17,7 +17,8 @@ files_type(fprintd_var_lib_t) # Local policy # -allow fprintd_t self:capability { sys_nice sys_ptrace }; +allow fprintd_t self:capability sys_nice; -+tunable_policy(`allow_ptrace',` -+ allow fprintd_t self:capability sys_ptrace; -+') + allow fprintd_t self:fifo_file rw_fifo_file_perms; allow fprintd_t self:process { getsched setsched signal }; diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if ---- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-10-05 14:34:03.457103509 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-10-05 14:34:03.810103884 -0400 -@@ -238,8 +238,11 @@ interface(`ftp_admin',` +--- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace 2011-10-11 16:42:15.766761681 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ftp.if 2011-10-11 16:42:16.142761574 -0400 +@@ -237,8 +237,11 @@ interface(`ftp_admin',` type ftpd_initrc_exec_t; ') - allow $1 ftpd_t:process { ptrace signal_perms }; + allow $1 ftpd_t:process signal_perms; ps_process_pattern($1, ftpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ftpd_t:process ptrace; + ') init_labeled_script_domtrans($1, ftpd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if ---- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-10-05 14:34:03.459103511 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-10-05 14:34:03.811103885 -0400 +--- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace 2011-10-11 16:42:15.768761681 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/git.if 2011-10-11 16:42:16.142761574 -0400 @@ -42,8 +42,11 @@ interface(`git_session_role',` domtrans_pattern($2, gitd_exec_t, git_session_t) @@ -1671,15 +1646,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3. - allow $2 git_session_t:process { ptrace signal_perms }; + allow $2 git_session_t:process signal_perms; ps_process_pattern($2, git_session_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 git_session_t:process ptrace; + ') ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if ---- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-10-05 14:34:03.461103513 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-10-05 14:34:03.811103885 -0400 +--- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace 2011-10-11 16:42:15.770761679 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/glance.if 2011-10-11 16:42:16.143761574 -0400 @@ -245,10 +245,14 @@ interface(`glance_admin',` type glance_api_initrc_exec_t; ') @@ -1687,7 +1662,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy - allow $1 glance_registry_t:process { ptrace signal_perms }; + allow $1 glance_registry_t:process signal_perms; ps_process_pattern($1, glance_registry_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 glance_registry_t:process ptrace; + allow $1 glance_api_t:process ptrace; + ') @@ -1698,23 +1673,32 @@ diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy init_labeled_script_domtrans($1, glance_registry_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te ---- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-10-05 14:34:03.463103516 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-10-05 14:34:03.812103886 -0400 -@@ -16,7 +16,10 @@ systemd_systemctl_domain(gnomeclock) +--- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace 2011-10-11 16:42:15.771761679 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te 2011-10-11 16:42:16.144761574 -0400 +@@ -14,7 +14,7 @@ dbus_system_domain(gnomeclock_t, gnomecl # gnomeclock local policy # -allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; +allow gnomeclock_t self:capability { sys_nice sys_time }; -+tunable_policy(`allow_ptrace',` -+ allow gnomeclock_t self:capability sys_ptrace; -+') allow gnomeclock_t self:process { getattr getsched signal }; allow gnomeclock_t self:fifo_file rw_fifo_file_perms; allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; +diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/gpsd.te +--- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace 2011-10-11 16:42:15.773761679 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/gpsd.te 2011-10-11 16:42:16.144761574 -0400 +@@ -25,7 +25,7 @@ files_pid_file(gpsd_var_run_t) + # + + allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; +-dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace }; ++dontaudit gpsd_t self:capability { dac_read_search dac_override }; + allow gpsd_t self:process { setsched signal_perms }; + allow gpsd_t self:shm create_shm_perms; + allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if ---- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-10-05 14:34:03.711103779 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-10-05 14:34:03.813103887 -0400 +--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace 2011-10-11 16:42:16.028761607 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/hadoop.if 2011-10-11 16:42:16.145761574 -0400 @@ -222,14 +222,21 @@ interface(`hadoop_role',` hadoop_domtrans($2) role $1 types hadoop_t; @@ -1722,7 +1706,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy - allow $2 hadoop_t:process { ptrace signal_perms }; + allow $2 hadoop_t:process signal_perms; ps_process_pattern($2, hadoop_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 hadoop_t:process ptrace; + ') @@ -1732,7 +1716,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy - allow $2 zookeeper_t:process { ptrace signal_perms }; + allow $2 zookeeper_t:process signal_perms; ps_process_pattern($2, zookeeper_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 zookeeper_t:process ptrace; + ') + @@ -1740,22 +1724,34 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if ---- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-10-05 14:34:03.466103519 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-10-05 14:34:03.814103888 -0400 +--- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace 2011-10-11 16:42:15.776761679 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/hal.if 2011-10-11 16:42:16.146761574 -0400 @@ -70,7 +70,9 @@ interface(`hal_ptrace',` type hald_t; ') - allow $1 hald_t:process ptrace; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 hald_t:process ptrace; + ') ') ######################################## +diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.10.0/policy/modules/services/hal.te +--- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace 2011-10-11 16:42:15.776761679 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/hal.te 2011-10-11 16:42:16.146761574 -0400 +@@ -64,7 +64,7 @@ typealias hald_var_run_t alias pmtools_v + + # execute openvt which needs setuid + allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; +-dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; ++dontaudit hald_t self:capability sys_tty_config; + allow hald_t self:process { getsched getattr signal_perms }; + allow hald_t self:fifo_file rw_fifo_file_perms; + allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if ---- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-10-05 14:34:03.467103520 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-10-05 14:34:03.814103888 -0400 +--- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace 2011-10-11 16:42:15.777761679 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if 2011-10-11 16:42:16.147761574 -0400 @@ -60,8 +60,11 @@ interface(`hddtemp_admin',` type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t; ') @@ -1763,15 +1759,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolic - allow $1 hddtemp_t:process { ptrace signal_perms }; + allow $1 hddtemp_t:process signal_perms; ps_process_pattern($1, hddtemp_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 hddtemp_t:process ptrace; + ') init_labeled_script_domtrans($1, hddtemp_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if ---- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-10-05 14:34:03.469103522 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-10-05 14:34:03.815103889 -0400 +--- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace 2011-10-11 16:42:15.778761679 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/icecast.if 2011-10-11 16:42:16.148761574 -0400 @@ -173,8 +173,11 @@ interface(`icecast_admin',` type icecast_t, icecast_initrc_exec_t; ') @@ -1779,15 +1775,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolic - allow $1 icecast_t:process { ptrace signal_perms }; + allow $1 icecast_t:process signal_perms; ps_process_pattern($1, icecast_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 icecast_t:process ptrace; + ') # Allow icecast_t to restart the apache service icecast_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if ---- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-10-05 14:34:03.470103523 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-10-05 14:34:03.815103889 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace 2011-10-11 16:42:15.779761678 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if 2011-10-11 16:42:16.148761574 -0400 @@ -117,7 +117,7 @@ interface(`ifplugd_admin',` type ifplugd_initrc_exec_t; ') @@ -1797,9 +1793,21 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolic ps_process_pattern($1, ifplugd_t) init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) +diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.te +--- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace 2011-10-11 16:42:15.779761678 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te 2011-10-11 16:42:16.149761574 -0400 +@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t) + # + + allow ifplugd_t self:capability { net_admin sys_nice net_bind_service }; +-dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace }; ++dontaudit ifplugd_t self:capability sys_tty_config; + allow ifplugd_t self:process { signal signull }; + allow ifplugd_t self:fifo_file rw_fifo_file_perms; + allow ifplugd_t self:tcp_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if ---- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-10-05 14:34:03.472103525 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-10-05 14:34:03.816103890 -0400 +--- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace 2011-10-11 16:42:15.781761676 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/inn.if 2011-10-11 16:42:16.149761574 -0400 @@ -202,8 +202,11 @@ interface(`inn_admin',` type innd_initrc_exec_t; ') @@ -1807,15 +1815,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3. - allow $1 innd_t:process { ptrace signal_perms }; + allow $1 innd_t:process signal_perms; ps_process_pattern($1, innd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 innd_t:process ptrace; + ') init_labeled_script_domtrans($1, innd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if ---- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-10-05 14:34:03.474103527 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-10-05 14:34:03.816103890 -0400 +--- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace 2011-10-11 16:42:15.784761676 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/jabber.if 2011-10-11 16:42:16.150761573 -0400 @@ -143,10 +143,14 @@ interface(`jabber_admin',` type jabberd_initrc_exec_t, jabberd_router_t; ') @@ -1823,7 +1831,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy - allow $1 jabberd_t:process { ptrace signal_perms }; + allow $1 jabberd_t:process signal_perms; ps_process_pattern($1, jabberd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 jabberd_t:process ptrace; + allow $1 jabberd_router_t:process ptrace; + ') @@ -1834,8 +1842,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy init_labeled_script_domtrans($1, jabberd_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if ---- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-10-05 14:34:03.476103529 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-10-05 14:34:03.817103892 -0400 +--- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace 2011-10-11 16:42:15.785761676 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/kerberos.if 2011-10-11 16:42:16.150761573 -0400 @@ -340,13 +340,18 @@ interface(`kerberos_admin',` type krb5kdc_var_run_t, krb5_host_rcache_t; ') @@ -1843,7 +1851,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpoli - allow $1 kadmind_t:process { ptrace signal_perms }; + allow $1 kadmind_t:process signal_perms; ps_process_pattern($1, kadmind_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 kadmind_t:process ptrace; + allow $1 krb5kdc_t:process ptrace; + allow $1 kpropd_t:process ptrace; @@ -1859,8 +1867,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpoli init_labeled_script_domtrans($1, kerberos_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if ---- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-10-05 14:34:03.477103530 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-10-05 14:34:03.818103893 -0400 +--- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace 2011-10-11 16:42:15.786761676 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if 2011-10-11 16:42:16.151761573 -0400 @@ -101,8 +101,11 @@ interface(`kerneloops_admin',` type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t; ') @@ -1868,15 +1876,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpo - allow $1 kerneloops_t:process { ptrace signal_perms }; + allow $1 kerneloops_t:process signal_perms; ps_process_pattern($1, kerneloops_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 kerneloops_t:process ptrace; + ') init_labeled_script_domtrans($1, kerneloops_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if ---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-10-05 14:34:03.479103533 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-10-05 14:34:03.818103893 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace 2011-10-11 16:42:15.788761674 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if 2011-10-11 16:42:16.151761573 -0400 @@ -58,8 +58,11 @@ interface(`ksmtuned_admin',` type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t; ') @@ -1884,31 +1892,27 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpoli - allow $1 ksmtuned_t:process { ptrace signal_perms }; + allow $1 ksmtuned_t:process signal_perms; ps_process_pattern($1, ksmtuned_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ksmtuned_t:process ptrace; + ') files_list_pids($1) admin_pattern($1, ksmtuned_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te ---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-10-05 14:34:03.480103534 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-10-05 14:34:03.819103894 -0400 -@@ -23,7 +23,11 @@ files_pid_file(ksmtuned_var_run_t) +--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace 2011-10-11 16:42:15.789761674 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te 2011-10-11 16:42:16.152761572 -0400 +@@ -23,7 +23,7 @@ files_pid_file(ksmtuned_var_run_t) # ksmtuned local policy # -allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; +allow ksmtuned_t self:capability sys_tty_config; -+tunable_policy(`allow_ptrace',` -+ allow ksmtuned_t self:capability sys_ptrace; -+') -+ allow ksmtuned_t self:fifo_file rw_file_perms; manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t) diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if ---- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-10-05 14:34:03.481103535 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-10-05 14:34:03.819103894 -0400 +--- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace 2011-10-11 16:42:15.790761674 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if 2011-10-11 16:42:16.152761572 -0400 @@ -101,8 +101,11 @@ interface(`l2tpd_admin',` type l2tpd_var_run_t; ') @@ -1916,23 +1920,23 @@ diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy- - allow $1 l2tpd_t:process { ptrace signal_perms }; + allow $1 l2tpd_t:process signal_perms; ps_process_pattern($1, l2tpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 l2tpd_t:process ptrace; + ') l2tpd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if ---- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-10-05 14:34:03.482103536 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-10-05 14:34:03.820103895 -0400 -@@ -175,8 +175,11 @@ interface(`ldap_admin',` +--- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace 2011-10-11 16:42:15.792761674 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ldap.if 2011-10-11 16:42:16.153761571 -0400 +@@ -174,8 +174,11 @@ interface(`ldap_admin',` type slapd_initrc_exec_t; ') - allow $1 slapd_t:process { ptrace signal_perms }; + allow $1 slapd_t:process signal_perms; ps_process_pattern($1, slapd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 slapd_t:process ptrace; + ') @@ -1940,7 +1944,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3 domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if --- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-10-05 14:34:03.821103896 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/lircd.if 2011-10-11 16:42:16.154761571 -0400 @@ -80,8 +80,11 @@ interface(`lircd_admin',` type lircd_initrc_exec_t, lircd_etc_t; ') @@ -1948,15 +1952,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy- - allow $1 lircd_t:process { ptrace signal_perms }; + allow $1 lircd_t:process signal_perms; ps_process_pattern($1, lircd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 lircd_t:process ptrace; + ') init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if ---- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-10-05 14:34:03.486103540 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-10-05 14:34:03.821103896 -0400 +--- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace 2011-10-11 16:42:15.795761672 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/lldpad.if 2011-10-11 16:42:16.154761571 -0400 @@ -180,8 +180,11 @@ interface(`lldpad_admin',` type lldpad_var_run_t; ') @@ -1964,30 +1968,30 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy - allow $1 lldpad_t:process { ptrace signal_perms }; + allow $1 lldpad_t:process signal_perms; ps_process_pattern($1, lldpad_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 lldpad_t:process ptrace; + ') lldpad_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if ---- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-10-05 14:34:03.487103541 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-10-05 14:34:03.822103897 -0400 +--- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace 2011-10-11 16:42:15.796761672 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/lpd.if 2011-10-11 16:42:16.155761571 -0400 @@ -28,7 +28,10 @@ interface(`lpd_role',` dontaudit lpr_t $2:unix_stream_socket { read write }; ps_process_pattern($2, lpr_t) - allow $2 lpr_t:process { ptrace signal_perms }; + allow $2 lpr_t:process signal_perms; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 lpr_t:process ptrace; + ') optional_policy(` cups_read_config($2) diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if ---- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-10-05 14:34:03.490103544 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-10-05 14:34:03.823103898 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace 2011-10-11 16:42:15.799761672 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if 2011-10-11 16:42:16.155761571 -0400 @@ -47,8 +47,11 @@ interface(`mailscanner_admin',` role_transition $2 mscan_initrc_exec_t system_r; allow $2 system_r; @@ -1995,15 +1999,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefp - allow $1 mscan_t:process { ptrace signal_perms }; + allow $1 mscan_t:process signal_perms; ps_process_pattern($1, mscan_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 mscan_t:process ptrace; + ') admin_pattern($1, mscan_etc_t) files_list_etc($1) diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.if ---- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace 2011-10-05 14:34:03.491103545 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/matahari.if 2011-10-05 14:34:03.823103898 -0400 +--- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace 2011-10-11 16:42:15.800761672 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/matahari.if 2011-10-11 16:42:16.156761571 -0400 @@ -229,13 +229,18 @@ interface(`matahari_admin',` role_transition $2 matahari_initrc_exec_t system_r; allow $2 system_r; @@ -2011,7 +2015,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpoli - allow $1 matahari_netd_t:process { ptrace signal_perms }; + allow $1 matahari_netd_t:process signal_perms; ps_process_pattern($1, matahari_netd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 matahari_netd_t:process ptrace; + allow $1 matahari_hostd_t:process ptrace; + allow $1 matahari_serviced_t:process ptrace; @@ -2027,23 +2031,21 @@ diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpoli files_search_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te ---- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-10-05 14:34:03.491103545 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-10-05 14:34:03.824103899 -0400 -@@ -24,8 +24,9 @@ files_pid_file(matahari_var_run_t) +--- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace 2011-10-11 16:42:15.800761672 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/matahari.te 2011-10-11 16:42:16.156761571 -0400 +@@ -24,9 +24,6 @@ files_pid_file(matahari_var_run_t) # # matahari_hostd local policy # - -allow matahari_hostd_t self:capability sys_ptrace; -+tunable_policy(`allow_ptrace',` -+ allow matahari_hostd_t self:capability sys_ptrace; -+') - +- kernel_read_network_state(matahari_hostd_t) + dev_read_sysfs(matahari_hostd_t) diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if ---- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-10-05 14:34:03.493103547 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-10-05 14:34:03.824103899 -0400 +--- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace 2011-10-11 16:42:15.801761671 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/memcached.if 2011-10-11 16:42:16.157761571 -0400 @@ -59,8 +59,11 @@ interface(`memcached_admin',` type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; ') @@ -2051,22 +2053,22 @@ diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpol - allow $1 memcached_t:process { ptrace signal_perms }; + allow $1 memcached_t:process signal_perms; ps_process_pattern($1, memcached_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 memcached_t:process ptrace; + ') init_labeled_script_domtrans($1, memcached_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if ---- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-10-05 14:34:03.495103550 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-10-05 14:34:03.825103900 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace 2011-10-11 16:42:15.804761670 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mock.if 2011-10-11 16:42:16.158761571 -0400 @@ -245,7 +245,10 @@ interface(`mock_role',` mock_run($2, $1) ps_process_pattern($2, mock_t) - allow $2 mock_t:process { ptrace signal_perms }; + allow $2 mock_t:process signal_perms; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 mock_t:process ptrace; + ') ') @@ -2079,7 +2081,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3 - allow $1 mock_t:process { ptrace signal_perms }; + allow $1 mock_t:process signal_perms; ps_process_pattern($1, mock_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 mock_t:process ptrace; + allow $1 mock_build_t:process ptrace; + ') @@ -2090,8 +2092,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3 files_list_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te ---- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-10-05 14:34:03.496103551 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-10-05 14:34:03.825103900 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace 2011-10-11 16:42:15.805761670 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mock.te 2011-10-11 16:42:16.158761571 -0400 @@ -41,7 +41,7 @@ files_config_file(mock_etc_t) # mock local policy # @@ -2111,8 +2113,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3 allow mock_build_t self:process { fork setsched setpgid signal_perms }; allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if ---- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-10-05 14:34:03.497103552 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-10-05 14:34:03.826103901 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace 2011-10-11 16:42:15.806761670 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if 2011-10-11 16:42:16.159761570 -0400 @@ -24,8 +24,11 @@ interface(`mojomojo_admin',` type httpd_mojomojo_script_exec_t; ') @@ -2120,7 +2122,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpoli - allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms }; + allow $1 httpd_mojomojo_script_t:process signal_perms; ps_process_pattern($1, httpd_mojomojo_script_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 httpd_mojomo_script_t:process ptrace; + ') @@ -2128,7 +2130,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpoli admin_pattern($1, httpd_mojomojo_tmp_t) diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if --- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-10-05 14:34:03.827103902 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mpd.if 2011-10-11 16:42:16.159761570 -0400 @@ -244,8 +244,11 @@ interface(`mpd_admin',` type mpd_tmpfs_t; ') @@ -2136,15 +2138,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3. - allow $1 mpd_t:process { ptrace signal_perms }; + allow $1 mpd_t:process signal_perms; ps_process_pattern($1, mpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 mpd_t:process ptrace; + ') mpd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if ---- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-10-05 14:34:03.502103557 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-10-05 14:34:03.827103902 -0400 +--- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace 2011-10-11 16:42:15.811761668 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/munin.if 2011-10-11 16:42:16.160761569 -0400 @@ -183,8 +183,11 @@ interface(`munin_admin',` type httpd_munin_content_t, munin_initrc_exec_t; ') @@ -2152,15 +2154,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy- - allow $1 munin_t:process { ptrace signal_perms }; + allow $1 munin_t:process signal_perms; ps_process_pattern($1, munin_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 munin_t:process ptrace; + ') init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if ---- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-10-05 14:34:03.503103558 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-10-05 14:34:03.828103903 -0400 +--- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace 2011-10-11 16:42:15.812761668 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mysql.if 2011-10-11 16:42:16.160761569 -0400 @@ -389,8 +389,11 @@ interface(`mysql_admin',` type mysqld_etc_t; ') @@ -2168,15 +2170,26 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy- - allow $1 mysqld_t:process { ptrace signal_perms }; + allow $1 mysqld_t:process signal_perms; ps_process_pattern($1, mysqld_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 mysqld_t:process ptrace; + ') init_labeled_script_domtrans($1, mysqld_initrc_exec_t) domain_system_change_exemption($1) +diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.te +--- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace 2011-10-11 16:42:15.813761668 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/mysql.te 2011-10-11 16:42:16.161761569 -0400 +@@ -158,7 +158,6 @@ optional_policy(` + # + + allow mysqld_safe_t self:capability { chown dac_override fowner kill }; +-dontaudit mysqld_safe_t self:capability sys_ptrace; + allow mysqld_safe_t self:process { setsched getsched setrlimit }; + allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if ---- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-10-05 14:34:03.505103560 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-10-05 14:34:03.829103904 -0400 +--- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace 2011-10-11 16:42:15.814761668 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nagios.if 2011-10-11 16:42:16.162761569 -0400 @@ -225,8 +225,11 @@ interface(`nagios_admin',` type nagios_etc_t, nrpe_etc_t, nagios_spool_t; ') @@ -2184,29 +2197,30 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy - allow $1 nagios_t:process { ptrace signal_perms }; + allow $1 nagios_t:process signal_perms; ps_process_pattern($1, nagios_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 nagios_t:process ptrace; + ') init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te ---- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-10-05 14:34:03.507103562 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-10-05 14:34:03.830103905 -0400 +--- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace 2011-10-11 16:42:15.817761668 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te 2011-10-11 16:42:16.162761569 -0400 @@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock }; +-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; - dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; ++dontaudit NetworkManager_t self:capability sys_tty_config; ifdef(`hide_broken_symptoms',` # caused by some bogus kernel code dontaudit NetworkManager_t self:capability sys_module; ') -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow NetworkManager_t self:process ptrace; +') + @@ -2214,16 +2228,16 @@ diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace ser allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if ---- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-10-05 14:34:03.509103564 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-10-05 14:34:03.830103905 -0400 -@@ -392,16 +392,22 @@ interface(`nis_admin',` +--- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace 2011-10-11 16:42:15.818761667 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nis.if 2011-10-11 16:42:16.163761569 -0400 +@@ -390,16 +390,22 @@ interface(`nis_admin',` type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; ') - allow $1 ypbind_t:process { ptrace signal_perms }; + allow $1 ypbind_t:process signal_perms; ps_process_pattern($1, ypbind_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ypbind_t:process ptrace; + allow $1 yppasswdd_t:process ptrace; + allow $1 ypserv_t:process ptrace; @@ -2244,71 +2258,67 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3. nis_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if ---- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-10-05 14:34:03.510103566 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-10-05 14:34:03.831103906 -0400 -@@ -322,8 +322,11 @@ interface(`nscd_admin',` +--- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace 2011-10-11 16:42:15.819761666 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nscd.if 2011-10-11 16:42:16.164761569 -0400 +@@ -321,8 +321,11 @@ interface(`nscd_admin',` type nscd_initrc_exec_t; ') - allow $1 nscd_t:process { ptrace signal_perms }; + allow $1 nscd_t:process signal_perms; ps_process_pattern($1, nscd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 nscd_t:process ptrace; + ') init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te ---- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-10-05 14:34:03.511103567 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-10-05 14:34:03.831103906 -0400 -@@ -40,7 +40,11 @@ logging_log_file(nscd_log_t) +--- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace 2011-10-11 16:42:15.820761665 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nscd.te 2011-10-11 16:42:16.164761569 -0400 +@@ -40,7 +40,7 @@ logging_log_file(nscd_log_t) # Local policy # -allow nscd_t self:capability { kill setgid setuid sys_ptrace }; +allow nscd_t self:capability { kill setgid setuid }; -+tunable_policy(`allow_ptrace',` -+ allow nscd_t self:capability sys_ptrace; -+') -+ dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if ---- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-10-05 14:34:03.511103567 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-10-05 14:34:03.832103907 -0400 +--- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace 2011-10-11 16:42:15.820761665 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/nslcd.if 2011-10-11 16:42:16.165761569 -0400 @@ -98,7 +98,10 @@ interface(`nslcd_admin',` ') ps_process_pattern($1, nslcd_t) - allow $1 nslcd_t:process { ptrace signal_perms }; + allow $1 nslcd_t:process signal_perms; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 nslcd_t:process ptrace; + ') # Allow nslcd_t to restart the apache service nslcd_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if ---- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-10-05 14:34:03.513103569 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-10-05 14:34:03.832103907 -0400 -@@ -205,8 +205,11 @@ interface(`ntp_admin',` +--- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace 2011-10-11 16:42:15.822761665 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ntp.if 2011-10-11 16:42:16.165761569 -0400 +@@ -204,8 +204,11 @@ interface(`ntp_admin',` type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t; ') - allow $1 ntpd_t:process { ptrace signal_perms }; + allow $1 ntpd_t:process signal_perms; ps_process_pattern($1, ntpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ntpd_t:process ptrace; + ') init_labeled_script_domtrans($1, ntpd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if ---- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-10-05 14:34:03.518103574 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-10-05 14:34:03.833103909 -0400 +--- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace 2011-10-11 16:42:15.827761663 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/oident.if 2011-10-11 16:42:16.166761568 -0400 @@ -89,8 +89,11 @@ interface(`oident_admin',` type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t; ') @@ -2316,7 +2326,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy - allow $1 oidentd_t:process { ptrace signal_perms }; + allow $1 oidentd_t:process signal_perms; ps_process_pattern($1, oidentd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 oidentd_t:process ptrace; + ') @@ -2324,7 +2334,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if --- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-10-05 14:34:03.834103910 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/openvpn.if 2011-10-11 16:42:16.167761567 -0400 @@ -144,8 +144,11 @@ interface(`openvpn_admin',` type openvpn_var_run_t, openvpn_initrc_exec_t; ') @@ -2332,15 +2342,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolic - allow $1 openvpn_t:process { ptrace signal_perms }; + allow $1 openvpn_t:process signal_perms; ps_process_pattern($1, openvpn_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 openvpn_t:process ptrace; + ') init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if ---- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-10-05 14:34:03.521103577 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-10-05 14:34:03.834103910 -0400 +--- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace 2011-10-11 16:42:15.830761663 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/pads.if 2011-10-11 16:42:16.167761567 -0400 @@ -31,8 +31,11 @@ interface(`pads_admin',` type pads_var_run_t; ') @@ -2348,15 +2358,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3 - allow $1 pads_t:process { ptrace signal_perms }; + allow $1 pads_t:process signal_perms; ps_process_pattern($1, pads_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 pads_t:process ptrace; + ') init_labeled_script_domtrans($1, pads_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if ---- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-10-05 14:34:03.524103580 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-10-05 14:34:03.835103911 -0400 +--- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace 2011-10-11 16:42:15.833761662 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/pingd.if 2011-10-11 16:42:16.168761567 -0400 @@ -80,8 +80,11 @@ interface(`pingd_admin',` type pingd_initrc_exec_t; ') @@ -2364,22 +2374,22 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy- - allow $1 pingd_t:process { ptrace signal_perms }; + allow $1 pingd_t:process signal_perms; ps_process_pattern($1, pingd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 pingd_t:process ptrace; + ') init_labeled_script_domtrans($1, pingd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te ---- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-10-05 14:34:03.526103583 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-10-05 14:34:03.835103911 -0400 +--- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace 2011-10-11 16:42:15.835761661 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/piranha.te 2011-10-11 16:42:16.168761567 -0400 @@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t) # allow piranha_web_t self:capability { setuid sys_nice kill setgid }; -allow piranha_web_t self:process { getsched setsched signal signull ptrace }; +allow piranha_web_t self:process { getsched setsched signal signull }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow piranha_web_t self:process ptrace; +') + @@ -2387,8 +2397,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolic allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; allow piranha_web_t self:sem create_sem_perms; diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if ---- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-10-05 14:34:03.527103584 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-10-05 14:34:03.836103912 -0400 +--- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace 2011-10-11 16:42:15.836761661 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if 2011-10-11 16:42:16.169761567 -0400 @@ -291,8 +291,11 @@ interface(`plymouthd_admin',` type plymouthd_var_run_t; ') @@ -2396,44 +2406,36 @@ diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpol - allow $1 plymouthd_t:process { ptrace signal_perms }; + allow $1 plymouthd_t:process signal_perms; ps_process_pattern($1, plymouthd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 plymouthd_t:process ptrace; + ') files_list_var_lib($1) admin_pattern($1, plymouthd_spool_t) diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te ---- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-10-05 14:34:03.529103586 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-10-05 14:34:03.837103913 -0400 -@@ -38,7 +38,11 @@ files_pid_file(policykit_var_run_t) +--- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace 2011-10-11 16:42:15.838761661 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/policykit.te 2011-10-11 16:42:16.170761567 -0400 +@@ -38,7 +38,7 @@ files_pid_file(policykit_var_run_t) # policykit local policy # -allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace }; +allow policykit_t self:capability { dac_override dac_read_search setgid setuid }; -+tunable_policy(`allow_ptrace',` -+ allow policykit_t self:capability sys_ptrace; -+') -+ allow policykit_t self:process { getsched getattr signal }; allow policykit_t self:fifo_file rw_fifo_file_perms; allow policykit_t self:unix_dgram_socket create_socket_perms; -@@ -233,7 +237,11 @@ optional_policy(` +@@ -233,7 +233,7 @@ optional_policy(` # polkit_resolve local policy # -allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace }; +allow policykit_resolve_t self:capability { setuid sys_nice }; -+tunable_policy(`allow_ptrace',` -+ allow policykit_resolve_t self:capability sys_ptrace; -+') -+ allow policykit_resolve_t self:process getattr; allow policykit_resolve_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if ---- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-10-05 14:34:03.530103587 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-10-05 14:34:03.838103914 -0400 +--- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace 2011-10-11 16:42:15.839761661 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/polipo.if 2011-10-11 16:42:16.171761567 -0400 @@ -32,8 +32,11 @@ template(`polipo_role',` # Policy # @@ -2441,7 +2443,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy - allow $2 polipo_session_t:process { ptrace signal_perms }; + allow $2 polipo_session_t:process signal_perms; ps_process_pattern($2, polipo_session_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 polipo_session_t:process ptrace; + ') @@ -2454,7 +2456,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy - allow $1 polipo_t:process { ptrace signal_perms }; + allow $1 polipo_t:process signal_perms; ps_process_pattern($1, polipo_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 polipo_t:process ptrace; + ') @@ -2462,7 +2464,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if --- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-10-05 14:34:03.838103914 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/portreserve.if 2011-10-11 16:42:16.171761567 -0400 @@ -104,8 +104,11 @@ interface(`portreserve_admin',` type portreserve_initrc_exec_t; ') @@ -2470,15 +2472,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefp - allow $1 portreserve_t:process { ptrace signal_perms }; + allow $1 portreserve_t:process signal_perms; ps_process_pattern($1, portreserve_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 portreserve_t:process ptrace; + ') portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if ---- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-10-05 14:34:03.534103591 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-10-05 14:34:03.839103915 -0400 +--- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace 2011-10-11 16:42:15.843761659 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/postfix.if 2011-10-11 16:42:16.172761567 -0400 @@ -729,25 +729,36 @@ interface(`postfix_admin',` type postfix_smtpd_t, postfix_var_run_t; ') @@ -2486,14 +2488,14 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolic - allow $1 postfix_bounce_t:process { ptrace signal_perms }; + allow $1 postfix_bounce_t:process signal_perms; ps_process_pattern($1, postfix_bounce_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 postfix_bounce_t:process ptrace; + ') - allow $1 postfix_cleanup_t:process { ptrace signal_perms }; + allow $1 postfix_cleanup_t:process signal_perms; ps_process_pattern($1, postfix_cleanup_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 postfix_cleanup_t:process ptrace; + allow $1 postfix_local_t:process ptrace; + allow $1 postfix_master_t:process ptrace; @@ -2524,8 +2526,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolic postfix_run_map($1, $2) diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if ---- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-10-05 14:34:03.535103592 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-10-05 14:34:03.840103916 -0400 +--- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace 2011-10-11 16:42:15.844761659 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if 2011-10-11 16:42:16.172761567 -0400 @@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',` type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t; ') @@ -2533,15 +2535,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace ser - allow $1 postfix_policyd_t:process { ptrace signal_perms }; + allow $1 postfix_policyd_t:process signal_perms; ps_process_pattern($1, postfix_policyd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 postfix_policyd_t:process ptrace; + ') init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if ---- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-10-05 14:34:03.537103594 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-10-05 14:34:03.840103916 -0400 +--- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace 2011-10-11 16:42:15.846761659 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/postgresql.if 2011-10-11 16:42:16.173761566 -0400 @@ -541,8 +541,11 @@ interface(`postgresql_admin',` typeattribute $1 sepgsql_admin_type; @@ -2549,15 +2551,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpo - allow $1 postgresql_t:process { ptrace signal_perms }; + allow $1 postgresql_t:process signal_perms; ps_process_pattern($1, postgresql_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 postgresql_t:process ptrace; + ') init_labeled_script_domtrans($1, postgresql_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if ---- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-10-05 14:34:03.538103595 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-10-05 14:34:03.841103917 -0400 +--- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace 2011-10-11 16:42:15.848761657 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/postgrey.if 2011-10-11 16:42:16.174761565 -0400 @@ -62,8 +62,11 @@ interface(`postgrey_admin',` type postgrey_var_lib_t, postgrey_var_run_t; ') @@ -2565,23 +2567,23 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpoli - allow $1 postgrey_t:process { ptrace signal_perms }; + allow $1 postgrey_t:process signal_perms; ps_process_pattern($1, postgrey_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 postgrey_t:process ptrace; + ') init_labeled_script_domtrans($1, postgrey_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if ---- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-10-05 14:34:03.539103596 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-10-05 14:34:03.841103917 -0400 -@@ -387,10 +387,14 @@ interface(`ppp_admin',` +--- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace 2011-10-11 16:42:15.849761657 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ppp.if 2011-10-11 16:42:16.174761565 -0400 +@@ -386,10 +386,14 @@ interface(`ppp_admin',` type pppd_initrc_exec_t, pppd_etc_rw_t; ') - allow $1 pppd_t:process { ptrace signal_perms }; + allow $1 pppd_t:process signal_perms; ps_process_pattern($1, pppd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 pppd_t:process ptrace; + allow $1 pptp_t:process ptrace; + ') @@ -2592,8 +2594,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3. ppp_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if ---- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-10-05 14:34:03.541103598 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-10-05 14:34:03.842103918 -0400 +--- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace 2011-10-11 16:42:15.850761657 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/prelude.if 2011-10-11 16:42:16.175761565 -0400 @@ -118,13 +118,18 @@ interface(`prelude_admin',` type prelude_lml_t; ') @@ -2601,7 +2603,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolic - allow $1 prelude_t:process { ptrace signal_perms }; + allow $1 prelude_t:process signal_perms; ps_process_pattern($1, prelude_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 prelude_t:process ptrace; + allow $1 prelude_audisp_t:process ptrace; + allow $1 prelude_lml_t:process ptrace; @@ -2618,7 +2620,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolic init_labeled_script_domtrans($1, prelude_initrc_exec_t) diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if --- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-10-05 14:34:03.843103919 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/privoxy.if 2011-10-11 16:42:16.175761565 -0400 @@ -23,8 +23,11 @@ interface(`privoxy_admin',` type privoxy_etc_rw_t, privoxy_var_run_t; ') @@ -2626,15 +2628,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolic - allow $1 privoxy_t:process { ptrace signal_perms }; + allow $1 privoxy_t:process signal_perms; ps_process_pattern($1, privoxy_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 privoxy_t:process ptrace; + ') init_labeled_script_domtrans($1, privoxy_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if ---- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-10-05 14:34:03.544103602 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-10-05 14:34:03.843103919 -0400 +--- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace 2011-10-11 16:42:15.853761657 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/psad.if 2011-10-11 16:42:16.176761565 -0400 @@ -295,8 +295,11 @@ interface(`psad_admin',` type psad_tmp_t; ') @@ -2642,38 +2644,34 @@ diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3 - allow $1 psad_t:process { ptrace signal_perms }; + allow $1 psad_t:process signal_perms; ps_process_pattern($1, psad_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 psad_t:process ptrace; + ') init_labeled_script_domtrans($1, psad_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te ---- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-10-05 14:34:03.546103604 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-10-05 14:34:03.844103920 -0400 -@@ -62,7 +62,11 @@ files_tmp_file(puppetmaster_tmp_t) +--- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace 2011-10-11 16:42:15.856761655 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/puppet.te 2011-10-11 16:42:16.177761565 -0400 +@@ -62,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t) # Puppet personal policy # -allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config }; +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; -+tunable_policy(`allow_ptrace',` -+ allow puppet_t self:capability sys_ptrace; -+') -+ allow puppet_t self:process { signal signull getsched setsched }; allow puppet_t self:fifo_file rw_fifo_file_perms; allow puppet_t self:netlink_route_socket create_netlink_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if ---- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-10-05 14:34:03.548103606 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-10-05 14:34:03.845103921 -0400 +--- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace 2011-10-11 16:42:15.857761655 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/pyzor.if 2011-10-11 16:42:16.178761565 -0400 @@ -29,7 +29,10 @@ interface(`pyzor_role',` # allow ps to show pyzor and allow the user to kill it ps_process_pattern($2, pyzor_t) - allow $2 pyzor_t:process { ptrace signal_perms }; + allow $2 pyzor_t:process signal_perms; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 pyzor_t:process ptrace; + ') ') @@ -2686,15 +2684,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy- - allow $1 pyzord_t:process { ptrace signal_perms }; + allow $1 pyzord_t:process signal_perms; ps_process_pattern($1, pyzord_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 pyzord_t:process ptrace; + ') init_labeled_script_domtrans($1, pyzord_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if ---- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-10-05 14:34:03.551103609 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-10-05 14:34:03.845103921 -0400 +--- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace 2011-10-11 16:42:15.860761655 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/qpid.if 2011-10-11 16:42:16.178761565 -0400 @@ -177,8 +177,11 @@ interface(`qpidd_admin',` type qpidd_t, qpidd_initrc_exec_t; ') @@ -2702,7 +2700,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3 - allow $1 qpidd_t:process { ptrace signal_perms }; + allow $1 qpidd_t:process signal_perms; ps_process_pattern($1, qpidd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 qpidd_t:process ptrace; + ') @@ -2710,7 +2708,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3 qpidd_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if --- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-10-05 14:34:03.846103922 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/radius.if 2011-10-11 16:42:16.179761565 -0400 @@ -38,8 +38,11 @@ interface(`radius_admin',` type radiusd_initrc_exec_t; ') @@ -2718,15 +2716,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy - allow $1 radiusd_t:process { ptrace signal_perms }; + allow $1 radiusd_t:process signal_perms; ps_process_pattern($1, radiusd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 radiusd_t:process ptrace; + ') init_labeled_script_domtrans($1, radiusd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if ---- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-10-05 14:34:03.553103611 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-10-05 14:34:03.846103922 -0400 +--- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace 2011-10-11 16:42:15.862761655 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/radvd.if 2011-10-11 16:42:16.179761565 -0400 @@ -23,8 +23,11 @@ interface(`radvd_admin',` type radvd_var_run_t; ') @@ -2734,30 +2732,30 @@ diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy- - allow $1 radvd_t:process { ptrace signal_perms }; + allow $1 radvd_t:process signal_perms; ps_process_pattern($1, radvd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 radvd_t:process ptrace; + ') init_labeled_script_domtrans($1, radvd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if ---- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-10-05 14:34:03.554103612 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-10-05 14:34:03.847103923 -0400 +--- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace 2011-10-11 16:42:15.863761655 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/razor.if 2011-10-11 16:42:16.180761564 -0400 @@ -132,7 +132,10 @@ interface(`razor_role',` # allow ps to show razor and allow the user to kill it ps_process_pattern($2, razor_t) - allow $2 razor_t:process { ptrace signal_perms }; + allow $2 razor_t:process signal_perms; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $2 razor_t:process ptrace; + ') manage_dirs_pattern($2, razor_home_t, razor_home_t) manage_files_pattern($2, razor_home_t, razor_home_t) diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if ---- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-10-05 14:34:03.557103615 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-10-05 14:34:03.848103924 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace 2011-10-11 16:42:15.866761652 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if 2011-10-11 16:42:16.181761563 -0400 @@ -117,8 +117,11 @@ interface(`rgmanager_admin',` type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t; ') @@ -2765,15 +2763,26 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpol - allow $1 rgmanager_t:process { ptrace signal_perms }; + allow $1 rgmanager_t:process signal_perms; ps_process_pattern($1, rgmanager_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 rgmanager_t:process ptrace; + ') init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) domain_system_change_exemption($1) +diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.te +--- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace 2011-10-11 16:42:15.866761652 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te 2011-10-11 16:42:16.181761563 -0400 +@@ -37,7 +37,6 @@ files_pid_file(rgmanager_var_run_t) + # + + allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; +-dontaudit rgmanager_t self:capability { sys_ptrace }; + allow rgmanager_t self:process { setsched signal }; + dontaudit rgmanager_t self:process ptrace; + diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if ---- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-10-05 14:34:03.562103621 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-10-05 14:34:03.848103924 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace 2011-10-11 16:42:15.871761652 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if 2011-10-11 16:42:16.182761563 -0400 @@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',` type rhsmcertd_var_run_t; ') @@ -2781,15 +2790,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpol - allow $1 rhsmcertd_t:process { ptrace signal_perms }; + allow $1 rhsmcertd_t:process signal_perms; ps_process_pattern($1, rhsmcertd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') rhsmcertd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if ---- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-10-05 14:34:03.563103622 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-10-05 14:34:03.849103926 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace 2011-10-11 16:42:15.873761650 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ricci.if 2011-10-11 16:42:16.182761563 -0400 @@ -245,8 +245,11 @@ interface(`ricci_admin',` type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t; ') @@ -2797,7 +2806,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy- - allow $1 ricci_t:process { ptrace signal_perms }; + allow $1 ricci_t:process signal_perms; ps_process_pattern($1, ricci_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ricci_t:process ptrace; + ') @@ -2805,7 +2814,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy- domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if --- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-10-05 14:34:03.849103926 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/roundup.if 2011-10-11 16:42:16.183761563 -0400 @@ -23,8 +23,11 @@ interface(`roundup_admin',` type roundup_initrc_exec_t; ') @@ -2813,15 +2822,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolic - allow $1 roundup_t:process { ptrace signal_perms }; + allow $1 roundup_t:process signal_perms; ps_process_pattern($1, roundup_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 roundup_t:process ptrace; + ') init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if ---- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-10-05 14:34:03.568103627 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-10-05 14:34:03.850103927 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace 2011-10-11 16:42:15.878761650 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if 2011-10-11 16:42:16.184761563 -0400 @@ -155,8 +155,11 @@ interface(`rpcbind_admin',` type rpcbind_initrc_exec_t; ') @@ -2829,30 +2838,27 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolic - allow $1 rpcbind_t:process { ptrace signal_perms }; + allow $1 rpcbind_t:process signal_perms; ps_process_pattern($1, rpcbind_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 rpcbind_t:process ptrace; + ') init_labeled_script_domtrans($1, rpcbind_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te ---- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-10-05 14:34:03.571103630 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-10-05 14:34:03.851103928 -0400 -@@ -15,7 +15,10 @@ init_system_domain(rtkit_daemon_t, rtkit +--- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace 2011-10-11 16:42:15.881761648 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rtkit.te 2011-10-11 16:42:16.184761563 -0400 +@@ -15,7 +15,7 @@ init_system_domain(rtkit_daemon_t, rtkit # rtkit_daemon local policy # -allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace }; +allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice }; -+tunable_policy(`allow_ptrace',` -+ allow rtkit_daemon_t self:capability sys_ptrace; -+') allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit }; kernel_read_system_state(rtkit_daemon_t) diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if ---- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-10-05 14:34:03.572103631 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-10-05 14:34:03.851103928 -0400 +--- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace 2011-10-11 16:42:15.881761648 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rwho.if 2011-10-11 16:42:16.185761563 -0400 @@ -138,8 +138,11 @@ interface(`rwho_admin',` type rwho_initrc_exec_t; ') @@ -2860,23 +2866,23 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3 - allow $1 rwho_t:process { ptrace signal_perms }; + allow $1 rwho_t:process signal_perms; ps_process_pattern($1, rwho_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 rwho_t:process ptrace; + ') init_labeled_script_domtrans($1, rwho_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if ---- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-10-05 14:34:03.574103633 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-10-05 14:34:03.852103929 -0400 -@@ -785,13 +785,18 @@ interface(`samba_admin',` +--- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace 2011-10-11 16:42:15.883761648 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/samba.if 2011-10-11 16:42:16.186761563 -0400 +@@ -784,13 +784,18 @@ interface(`samba_admin',` type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; ') - allow $1 smbd_t:process { ptrace signal_perms }; + allow $1 smbd_t:process signal_perms; ps_process_pattern($1, smbd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 smbd_t:process ptrace; + allow $1 nmbd_t:process ptrace; + allow $1 samba_unconfined_script_t:process ptrace; @@ -2893,7 +2899,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy- samba_run_smbcontrol($1, $2, $3) diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if --- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-10-05 14:34:03.853103930 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/samhain.if 2011-10-11 16:42:16.187761563 -0400 @@ -271,10 +271,14 @@ interface(`samhain_admin',` type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; ') @@ -2901,7 +2907,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolic - allow $1 samhain_t:process { ptrace signal_perms }; + allow $1 samhain_t:process signal_perms; ps_process_pattern($1, samhain_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 samhain_t:process ptrace; + allow $1 samhaind_t:process ptrace; + ') @@ -2912,8 +2918,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolic files_list_var_lib($1) diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if ---- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-10-05 14:34:03.576103636 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-10-05 14:34:03.854103931 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace 2011-10-11 16:42:15.885761648 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sanlock.if 2011-10-11 16:42:16.187761563 -0400 @@ -99,8 +99,11 @@ interface(`sanlock_admin',` type sanlock_initrc_exec_t; ') @@ -2921,15 +2927,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolic - allow $1 sanlock_t:process { ptrace signal_perms }; + allow $1 sanlock_t:process signal_perms; ps_process_pattern($1, sanlock_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 sanlock_t:process ptrace; + ') sanlock_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if ---- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-10-05 14:34:03.577103637 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-10-05 14:34:03.854103931 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace 2011-10-11 16:42:15.886761647 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sasl.if 2011-10-11 16:42:16.188761563 -0400 @@ -42,8 +42,11 @@ interface(`sasl_admin',` type saslauthd_initrc_exec_t; ') @@ -2937,15 +2943,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3 - allow $1 saslauthd_t:process { ptrace signal_perms }; + allow $1 saslauthd_t:process signal_perms; ps_process_pattern($1, saslauthd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 saslauthd_t:process ptrace; + ') init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if ---- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-10-05 14:34:03.578103638 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-10-05 14:34:03.855103932 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace 2011-10-11 16:42:15.888761646 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sblim.if 2011-10-11 16:42:16.188761563 -0400 @@ -65,11 +65,15 @@ interface(`sblim_admin',` type sblim_var_run_t; ') @@ -2953,7 +2959,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy- - allow $1 sblim_gatherd_t:process { ptrace signal_perms }; + allow $1 sblim_gatherd_t:process signal_perms; ps_process_pattern($1, sblim_gatherd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 sblim_gatherd_t:process ptrace; + allow $1 sblim_reposd_t:process ptrace; + ') @@ -2966,21 +2972,20 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy- files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te ---- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-10-05 14:34:03.578103638 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-10-05 14:34:03.855103932 -0400 -@@ -24,7 +24,8 @@ files_pid_file(sblim_var_run_t) +--- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace 2011-10-11 16:42:15.888761646 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sblim.te 2011-10-11 16:42:16.189761562 -0400 +@@ -24,7 +24,7 @@ files_pid_file(sblim_var_run_t) # #needed by ps -allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override }; +allow sblim_gatherd_t self:capability { kill dac_override }; -+dontaudit sblim_gatherd_t self:capability sys_ptrace; allow sblim_gatherd_t self:process signal; allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if ---- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-10-05 14:34:03.579103639 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-10-05 14:34:03.856103933 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace 2011-10-11 16:42:15.889761646 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sendmail.if 2011-10-11 16:42:16.189761562 -0400 @@ -334,10 +334,14 @@ interface(`sendmail_admin',` type mail_spool_t; ') @@ -2988,7 +2993,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpoli - allow $1 sendmail_t:process { ptrace signal_perms }; + allow $1 sendmail_t:process signal_perms; ps_process_pattern($1, sendmail_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 sendmail_t:process ptrace; + allow $1 unconfined_sendmail_t:process ptrace; + ') @@ -2999,8 +3004,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpoli sendmail_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if ---- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-10-05 14:34:03.581103641 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-10-05 14:34:03.856103933 -0400 +--- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace 2011-10-11 16:42:15.890761646 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if 2011-10-11 16:42:16.190761562 -0400 @@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',` type setroubleshoot_var_lib_t; ') @@ -3008,15 +3013,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace ser - allow $1 setroubleshootd_t:process { ptrace signal_perms }; + allow $1 setroubleshootd_t:process signal_perms; ps_process_pattern($1, setroubleshootd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 setroubleshootd_t:process ptrace; + ') logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if ---- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-10-05 14:34:03.582103642 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-10-05 14:34:03.857103934 -0400 +--- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace 2011-10-11 16:42:15.892761646 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/smartmon.if 2011-10-11 16:42:16.190761562 -0400 @@ -42,8 +42,11 @@ interface(`smartmon_admin',` type fsdaemon_initrc_exec_t; ') @@ -3024,7 +3029,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpoli - allow $1 fsdaemon_t:process { ptrace signal_perms }; + allow $1 fsdaemon_t:process signal_perms; ps_process_pattern($1, fsdaemon_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 smartmon_t:process ptrace; + ') @@ -3032,7 +3037,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpoli domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if --- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-10-05 14:34:03.857103934 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/smokeping.if 2011-10-11 16:42:16.191761561 -0400 @@ -153,8 +153,11 @@ interface(`smokeping_admin',` type smokeping_t, smokeping_initrc_exec_t; ') @@ -3040,15 +3045,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpol - allow $1 smokeping_t:process { ptrace signal_perms }; + allow $1 smokeping_t:process signal_perms; ps_process_pattern($1, smokeping_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 smokeping_t:process ptrace; + ') smokeping_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if ---- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-10-05 14:34:03.584103644 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-10-05 14:34:03.858103935 -0400 +--- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace 2011-10-11 16:42:15.893761645 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/snmp.if 2011-10-11 16:42:16.192761560 -0400 @@ -168,8 +168,11 @@ interface(`snmp_admin',` type snmpd_var_lib_t, snmpd_var_run_t; ') @@ -3056,31 +3061,28 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3 - allow $1 snmpd_t:process { ptrace signal_perms }; + allow $1 snmpd_t:process signal_perms; ps_process_pattern($1, snmpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 snmpd_t:process ptrace; + ') init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te ---- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-10-05 14:34:03.585103645 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-10-05 14:34:03.858103935 -0400 -@@ -26,7 +26,11 @@ files_type(snmpd_var_lib_t) +--- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace 2011-10-11 16:42:15.894761644 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/snmp.te 2011-10-11 16:42:16.192761560 -0400 +@@ -26,7 +26,8 @@ files_type(snmpd_var_lib_t) # Local policy # -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config }; +allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config }; -+tunable_policy(`allow_ptrace',` -+ allow snmpd_t self:capability sys_ptrace; -+') + dontaudit snmpd_t self:capability { sys_module sys_tty_config }; allow snmpd_t self:process { signal_perms getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if ---- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-10-05 14:34:03.585103645 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-10-05 14:34:03.859103936 -0400 +--- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace 2011-10-11 16:42:15.894761644 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/snort.if 2011-10-11 16:42:16.193761560 -0400 @@ -41,8 +41,11 @@ interface(`snort_admin',` type snort_etc_t, snort_initrc_exec_t; ') @@ -3088,15 +3090,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy- - allow $1 snort_t:process { ptrace signal_perms }; + allow $1 snort_t:process signal_perms; ps_process_pattern($1, snort_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 snort_t:process ptrace; + ') init_labeled_script_domtrans($1, snort_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if ---- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-10-05 14:34:03.586103646 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-10-05 14:34:03.860103937 -0400 +--- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace 2011-10-11 16:42:15.896761644 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/soundserver.if 2011-10-11 16:42:16.194761560 -0400 @@ -37,8 +37,11 @@ interface(`soundserver_admin',` type soundd_tmp_t, soundd_var_run_t; ') @@ -3104,15 +3106,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefp - allow $1 soundd_t:process { ptrace signal_perms }; + allow $1 soundd_t:process signal_perms; ps_process_pattern($1, soundd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 soundd_t:process ptrace; + ') init_labeled_script_domtrans($1, soundd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if ---- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-10-05 14:34:03.587103647 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-10-05 14:34:03.861103938 -0400 +--- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace 2011-10-11 16:42:15.897761644 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if 2011-10-11 16:42:16.194761560 -0400 @@ -27,12 +27,12 @@ interface(`spamassassin_role',` domtrans_pattern($2, spamassassin_exec_t, spamassassin_t) @@ -3135,15 +3137,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace seref - allow $1 spamd_t:process { ptrace signal_perms }; + allow $1 spamd_t:process signal_perms; ps_process_pattern($1, spamd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 spamd_t:process ptrace; + ') init_labeled_script_domtrans($1, spamd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if ---- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-10-05 14:34:03.590103650 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-10-05 14:34:03.861103938 -0400 +--- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace 2011-10-11 16:42:15.899761644 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/squid.if 2011-10-11 16:42:16.195761560 -0400 @@ -209,8 +209,11 @@ interface(`squid_admin',` type squid_log_t, squid_var_run_t, squid_initrc_exec_t; ') @@ -3151,15 +3153,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy- - allow $1 squid_t:process { ptrace signal_perms }; + allow $1 squid_t:process signal_perms; ps_process_pattern($1, squid_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 squid_t:process ptrace; + ') init_labeled_script_domtrans($1, squid_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if ---- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-10-05 14:34:03.732103801 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-05 14:34:03.862103939 -0400 +--- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace 2011-10-11 16:42:16.055761600 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-11 16:42:16.196761560 -0400 @@ -367,7 +367,7 @@ template(`ssh_role_template',` # allow ps to show ssh @@ -3179,8 +3181,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3. # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if ---- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-10-05 14:34:03.593103654 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-10-05 14:34:03.863103940 -0400 +--- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace 2011-10-11 16:42:15.902761644 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sssd.if 2011-10-11 16:42:16.196761560 -0400 @@ -232,8 +232,11 @@ interface(`sssd_admin',` type sssd_t, sssd_public_t, sssd_initrc_exec_t; ') @@ -3188,15 +3190,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3 - allow $1 sssd_t:process { ptrace signal_perms }; + allow $1 sssd_t:process signal_perms; ps_process_pattern($1, sssd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 sssd_t:process ptrace; + ') # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if ---- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-10-05 14:34:03.597103658 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-10-05 14:34:03.863103940 -0400 +--- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace 2011-10-11 16:42:15.905761641 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/tcsd.if 2011-10-11 16:42:16.197761560 -0400 @@ -137,8 +137,11 @@ interface(`tcsd_admin',` type tcsd_var_lib_t; ') @@ -3204,15 +3206,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3 - allow $1 tcsd_t:process { ptrace signal_perms }; + allow $1 tcsd_t:process signal_perms; ps_process_pattern($1, tcsd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 tcsd_t:process ptrace; + ') tcsd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if ---- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-10-05 14:34:03.598103659 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-10-05 14:34:03.864103941 -0400 +--- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace 2011-10-11 16:42:15.907761641 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/tftp.if 2011-10-11 16:42:16.197761560 -0400 @@ -109,8 +109,11 @@ interface(`tftp_admin',` type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; ') @@ -3220,15 +3222,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3 - allow $1 tftpd_t:process { ptrace signal_perms }; + allow $1 tftpd_t:process signal_perms; ps_process_pattern($1, tftpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 tftp_t:process ptrace; + ') files_list_var_lib($1) admin_pattern($1, tftpdir_rw_t) diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if ---- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-10-05 14:34:03.600103661 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-10-05 14:34:03.864103941 -0400 +--- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace 2011-10-11 16:42:15.909761641 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/tor.if 2011-10-11 16:42:16.198761559 -0400 @@ -42,8 +42,11 @@ interface(`tor_admin',` type tor_initrc_exec_t; ') @@ -3236,15 +3238,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3. - allow $1 tor_t:process { ptrace signal_perms }; + allow $1 tor_t:process signal_perms; ps_process_pattern($1, tor_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 tor_t:process ptrace; + ') init_labeled_script_domtrans($1, tor_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if ---- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-10-05 14:34:03.601103662 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-10-05 14:34:03.865103943 -0400 +--- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace 2011-10-11 16:42:15.910761641 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/tuned.if 2011-10-11 16:42:16.198761559 -0400 @@ -115,8 +115,11 @@ interface(`tuned_admin',` type tuned_t, tuned_var_run_t, tuned_initrc_exec_t; ') @@ -3252,7 +3254,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy- - allow $1 tuned_t:process { ptrace signal_perms }; + allow $1 tuned_t:process signal_perms; ps_process_pattern($1, tuned_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 tuned_t:process ptrace; + ') @@ -3260,7 +3262,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy- domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if --- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-10-05 14:34:03.865103943 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ulogd.if 2011-10-11 16:42:16.199761558 -0400 @@ -123,8 +123,11 @@ interface(`ulogd_admin',` type ulogd_var_log_t, ulogd_initrc_exec_t; ') @@ -3268,7 +3270,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy- - allow $1 ulogd_t:process { ptrace signal_perms }; + allow $1 ulogd_t:process signal_perms; ps_process_pattern($1, ulogd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 ulogd_t:process ptrace; + ') @@ -3276,7 +3278,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy- domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if --- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-10-05 14:34:03.866103944 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/uucp.if 2011-10-11 16:42:16.200761558 -0400 @@ -99,8 +99,11 @@ interface(`uucp_admin',` type uucpd_var_run_t; ') @@ -3284,15 +3286,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3 - allow $1 uucpd_t:process { ptrace signal_perms }; + allow $1 uucpd_t:process signal_perms; ps_process_pattern($1, uucpd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 uucpd_t:process ptrace; + ') logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if ---- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-10-05 14:34:03.606103667 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-10-05 14:34:03.866103944 -0400 +--- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace 2011-10-11 16:42:15.915761639 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/uuidd.if 2011-10-11 16:42:16.200761558 -0400 @@ -177,8 +177,11 @@ interface(`uuidd_admin',` type uuidd_var_run_t; ') @@ -3300,7 +3302,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy- - allow $1 uuidd_t:process { ptrace signal_perms }; + allow $1 uuidd_t:process signal_perms; ps_process_pattern($1, uuidd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 uuidd_t:process ptrace; + ') @@ -3308,7 +3310,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy- domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if --- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace 2011-06-27 14:18:04.000000000 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-10-05 14:34:03.867103945 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/varnishd.if 2011-10-11 16:42:16.201761558 -0400 @@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',` type varnishlog_var_run_t; ') @@ -3316,7 +3318,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpoli - allow $1 varnishlog_t:process { ptrace signal_perms }; + allow $1 varnishlog_t:process signal_perms; ps_process_pattern($1, varnishlog_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 varnishd_t:process ptrace; + ') @@ -3329,15 +3331,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpoli - allow $1 varnishd_t:process { ptrace signal_perms }; + allow $1 varnishd_t:process signal_perms; ps_process_pattern($1, varnishd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 varnishd_t:process ptrace; + ') init_labeled_script_domtrans($1, varnishd_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if ---- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-10-05 14:34:03.608103670 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-10-05 14:34:03.868103946 -0400 +--- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace 2011-10-11 16:42:15.917761639 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/vdagent.if 2011-10-11 16:42:16.202761558 -0400 @@ -118,8 +118,11 @@ interface(`vdagent_admin',` type vdagent_var_run_t; ') @@ -3345,15 +3347,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolic - allow $1 vdagent_t:process { ptrace signal_perms }; + allow $1 vdagent_t:process signal_perms; ps_process_pattern($1, vdagent_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 vdagent_t:process ptrace; + ') files_search_pids($1) admin_pattern($1, vdagent_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if ---- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-10-05 14:34:03.609103671 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-10-05 14:34:03.869103947 -0400 +--- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace 2011-10-11 16:42:15.918761638 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if 2011-10-11 16:42:16.202761558 -0400 @@ -210,8 +210,11 @@ interface(`vhostmd_admin',` type vhostmd_t, vhostmd_initrc_exec_t; ') @@ -3361,15 +3363,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolic - allow $1 vhostmd_t:process { ptrace signal_perms }; + allow $1 vhostmd_t:process signal_perms; ps_process_pattern($1, vhostmd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 vhostmd_t:process ptrace; + ') vhostmd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if ---- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-10-05 14:34:03.611103673 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-10-05 14:34:03.870103948 -0400 +--- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace 2011-10-11 16:42:15.920761637 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/virt.if 2011-10-11 16:42:16.203761558 -0400 @@ -618,10 +618,14 @@ interface(`virt_admin',` type virt_lxc_t; ') @@ -3377,7 +3379,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3 - allow $1 virtd_t:process { ptrace signal_perms }; + allow $1 virtd_t:process signal_perms; ps_process_pattern($1, virtd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 virtd_t:process ptrace; + allow $1 virt_lxc_t:process ptrace; + ') @@ -3397,24 +3399,28 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3 ######################################## diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te ---- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-10-05 14:34:03.685103751 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-10-05 14:34:03.870103948 -0400 -@@ -247,7 +247,11 @@ optional_policy(` +--- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace 2011-10-11 16:42:16.006761613 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/virt.te 2011-10-11 16:42:16.204761558 -0400 +@@ -247,7 +247,7 @@ optional_policy(` # virtd local policy # -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -+tunable_policy(`allow_ptrace',` -+ allow virtd_t self:capability sys_ptrace; -+') -+ allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; ifdef(`hide_broken_symptoms',` # caused by some bogus kernel code +@@ -838,7 +838,6 @@ optional_policy(` + # virt_lxc_domain local policy + # + allow svirt_lxc_domain self:capability { setuid setgid dac_override }; +-dontaudit svirt_lxc_domain self:capability sys_ptrace; + + allow virtd_t svirt_lxc_domain:process { signal_perms }; + allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if ---- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-10-05 14:34:03.613103675 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-10-05 14:34:03.871103949 -0400 +--- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace 2011-10-11 16:42:15.922761637 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if 2011-10-11 16:42:16.204761558 -0400 @@ -136,8 +136,11 @@ interface(`vnstatd_admin',` type vnstatd_t, vnstatd_var_lib_t; ') @@ -3422,15 +3428,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolic - allow $1 vnstatd_t:process { ptrace signal_perms }; + allow $1 vnstatd_t:process signal_perms; ps_process_pattern($1, vnstatd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 vnstatd_t:process ptrace; + ') files_list_var_lib($1) admin_pattern($1, vnstatd_var_lib_t) diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if ---- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-10-05 14:34:03.615103677 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-10-05 14:34:03.872103950 -0400 +--- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace 2011-10-11 16:42:15.924761637 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/wdmd.if 2011-10-11 16:42:16.205761557 -0400 @@ -62,8 +62,11 @@ interface(`wdmd_admin',` type wdmd_initrc_exec_t; ') @@ -3438,48 +3444,44 @@ diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3 - allow $1 wdmd_t:process { ptrace signal_perms }; + allow $1 wdmd_t:process signal_perms; ps_process_pattern($1, wdmd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 wdmd_t:process ptrace; + ') wdmd_initrc_domtrans($1) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te ---- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-10-05 14:34:03.734103803 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-05 14:34:03.873103951 -0400 -@@ -417,8 +417,14 @@ optional_policy(` +--- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace 2011-10-11 16:42:16.063761597 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-11 16:42:16.206761556 -0400 +@@ -417,8 +417,13 @@ optional_policy(` # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; -allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -+dontaudit xdm_t self:capability sys_ptrace; + +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow xdm_t self:process ptrace; +') + allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; -@@ -929,7 +935,11 @@ allow xserver_t input_xevent_t:x_event s +@@ -929,7 +934,8 @@ allow xserver_t input_xevent_t:x_event s # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; +allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; -+tunable_policy(`allow_ptrace',` -+ allow xserver_t self:capability sys_ptrace; -+') + dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if ---- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-10-05 14:34:03.621103683 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-10-05 14:34:03.873103951 -0400 +--- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace 2011-10-11 16:42:15.929761635 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/zabbix.if 2011-10-11 16:42:16.207761556 -0400 @@ -142,8 +142,11 @@ interface(`zabbix_admin',` type zabbix_initrc_exec_t; ') @@ -3487,15 +3489,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy - allow $1 zabbix_t:process { ptrace signal_perms }; + allow $1 zabbix_t:process signal_perms; ps_process_pattern($1, zabbix_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 zabbix_t:process ptrace; + ') init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if ---- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-10-05 14:34:03.623103686 -0400 -+++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-10-05 14:34:03.874103952 -0400 +--- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace 2011-10-11 16:42:15.931761635 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/zebra.if 2011-10-11 16:42:16.207761556 -0400 @@ -64,8 +64,11 @@ interface(`zebra_admin',` type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t; ') @@ -3503,29 +3505,41 @@ diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy- - allow $1 zebra_t:process { ptrace signal_perms }; + allow $1 zebra_t:process signal_perms; ps_process_pattern($1, zebra_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 zebra_t:process ptrace; + ') init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) +diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-3.10.0/policy/modules/system/hotplug.te +--- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace 2011-10-11 16:42:15.941761633 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/hotplug.te 2011-10-11 16:42:16.208761556 -0400 +@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t) + # + + allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; +-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config }; ++dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit hotplug_t self:capability { dac_override dac_read_search }; + allow hotplug_t self:process { setpgid getsession getattr signal_perms }; diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if ---- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-10-05 14:34:03.634103697 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-10-05 14:34:03.875103953 -0400 +--- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace 2011-10-11 16:42:15.942761632 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/init.if 2011-10-11 16:42:16.209761556 -0400 @@ -1123,7 +1123,9 @@ interface(`init_ptrace',` type init_t; ') - allow $1 init_t:process ptrace; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 init_t:process ptrace; + ') ') ######################################## diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te ---- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-10-05 14:34:03.713103781 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-10-05 14:34:03.875103953 -0400 +--- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace 2011-10-11 16:42:16.031761606 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/init.te 2011-10-11 16:42:16.209761556 -0400 @@ -121,7 +121,7 @@ ifdef(`enable_mls',` # @@ -3535,7 +3549,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.1 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -406,7 +406,8 @@ optional_policy(` +@@ -408,7 +408,8 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -3546,20 +3560,52 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.1 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te ---- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-10-05 14:34:03.637103700 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-10-05 14:34:03.876103954 -0400 -@@ -194,7 +194,7 @@ optional_policy(` +--- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace 2011-10-11 16:42:15.946761630 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/ipsec.te 2011-10-11 16:42:16.210761556 -0400 +@@ -73,7 +73,7 @@ role system_r types setkey_t; + # + + allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; ++dontaudit ipsec_t self:capability sys_tty_config; + allow ipsec_t self:process { getcap setcap getsched signal setsched }; + allow ipsec_t self:tcp_socket create_stream_socket_perms; + allow ipsec_t self:udp_socket create_socket_perms; +@@ -193,8 +193,8 @@ optional_policy(` + # allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice }; - dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; +-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config }; -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal }; ++dontaudit ipsec_mgmt_t self:capability sys_tty_config; +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; +@@ -251,9 +251,6 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) + kernel_getattr_core_if(ipsec_mgmt_t) + kernel_getattr_message_if(ipsec_mgmt_t) + +-# don't audit using of lsof +-dontaudit ipsec_mgmt_t self:capability sys_ptrace; +- + domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t) + domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t) + +diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.10.0/policy/modules/system/iscsi.te +--- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace 2011-10-11 16:42:15.948761630 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/iscsi.te 2011-10-11 16:42:16.211761556 -0400 +@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t) + # + + allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; +-dontaudit iscsid_t self:capability sys_ptrace; + allow iscsid_t self:process { setrlimit setsched signal }; + allow iscsid_t self:fifo_file rw_fifo_file_perms; + allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto }; diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te ---- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-10-05 14:34:03.642103706 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-10-05 14:34:03.877103955 -0400 +--- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace 2011-10-11 16:42:15.950761629 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/locallogin.te 2011-10-11 16:42:16.211761556 -0400 @@ -32,7 +32,7 @@ role system_r types sulogin_t; # Local login local policy # @@ -3570,8 +3616,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpoli allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if ---- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-10-05 14:34:03.643103707 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-10-05 14:34:03.878103956 -0400 +--- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace 2011-10-11 16:42:15.952761628 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/logging.if 2011-10-11 16:42:16.212761555 -0400 @@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',` type auditd_initrc_exec_t; ') @@ -3580,7 +3626,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy- + allow $1 auditd_t:process signal_perms; ps_process_pattern($1, auditd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 auditd_t:process ptrace; + ') + @@ -3597,7 +3643,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy- + allow $1 klogd_t:process signal_perms; ps_process_pattern($1, syslogd_t) ps_process_pattern($1, klogd_t) -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 syslogd_t:process ptrace; + allow $1 klogd_t:process ptrace; + ') @@ -3605,15 +3651,15 @@ diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy- manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te ---- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-10-05 14:34:03.650103714 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-10-05 14:34:03.878103956 -0400 +--- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace 2011-10-11 16:42:15.959761626 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/mount.te 2011-10-11 16:42:16.212761555 -0400 @@ -48,7 +48,11 @@ role system_r types showmount_t; # setuid/setgid needed to mount cifs allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; -allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal }; +allow mount_t self:process { getcap getsched setcap setrlimit signal }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow mount_t self:process ptrace; +') + @@ -3621,43 +3667,43 @@ diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3. allow mount_t self:unix_stream_socket create_stream_socket_perms; allow mount_t self:unix_dgram_socket create_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te ---- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-10-05 14:34:03.658103723 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-10-05 14:34:03.879103957 -0400 -@@ -54,7 +54,10 @@ allow dhcpc_t self:capability { dac_over - dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; +--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace 2011-10-11 16:42:15.966761624 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te 2011-10-11 16:42:16.213761554 -0400 +@@ -51,10 +51,13 @@ files_config_file(net_conf_t) + # DHCP client local policy + # + allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace }; ++dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; +allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow dhcpc_t self:process ptrace; +') allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te ---- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-10-05 14:34:03.661103726 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-10-05 14:34:03.879103957 -0400 -@@ -34,7 +34,11 @@ ifdef(`enable_mcs',` +--- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace 2011-10-11 16:42:15.970761624 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/udev.te 2011-10-11 16:42:16.214761554 -0400 +@@ -34,7 +34,7 @@ ifdef(`enable_mcs',` # Local policy # -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice }; -+tunable_policy(`allow_ptrace',` -+ allow udev_t self:capability sys_ptrace; -+') -+ dontaudit udev_t self:capability sys_tty_config; ifdef(`hide_broken_symptoms',` -@@ -42,7 +46,11 @@ ifdef(`hide_broken_symptoms',` +@@ -42,7 +42,11 @@ ifdef(`hide_broken_symptoms',` dontaudit udev_t self:capability sys_module; ') -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+tunable_policy(`allow_ptrace',` ++tunable_policy(`deny_ptrace',`',` + allow udev_t self:process ptrace; +') + @@ -3665,8 +3711,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.1 allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if ---- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-10-05 14:34:03.676103742 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-10-05 14:34:03.880103958 -0400 +--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace 2011-10-11 16:42:15.988761619 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/unconfined.if 2011-10-11 16:42:16.214761554 -0400 @@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',` ') @@ -3674,7 +3720,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpoli - allow $1 self:capability ~sys_module; + + allow $1 self:capability ~{ sys_module sys_ptrace }; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 self:capability sys_ptrace; + ') + @@ -3682,15 +3728,15 @@ diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpoli allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if ---- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-10-05 14:34:03.736103806 -0400 -+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-05 14:34:03.881103960 -0400 +--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace 2011-10-11 16:42:16.065761597 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-11 16:42:16.216761554 -0400 @@ -40,7 +40,10 @@ template(`userdom_base_user_template',` role $1_r types $1_t; allow system_r $1_r; - allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; + allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr }; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1_usertype $1_usertype:process ptrace; + ') allow $1_usertype $1_usertype:fd use; @@ -3705,23 +3751,37 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpoli dontaudit $1_t self:process setrlimit; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; -@@ -1052,7 +1055,7 @@ template(`userdom_admin_user_template',` +@@ -1052,7 +1055,10 @@ template(`userdom_admin_user_template',` # $1_t local policy # - allow $1_t self:capability ~{ sys_module audit_control audit_write }; + allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write }; ++ tunable_policy(`deny_ptrace',`',` ++ allow $1_t self:capability sys_ptrace; ++ ') allow $1_t self:capability2 syslog; allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; -@@ -3638,7 +3641,9 @@ interface(`userdom_ptrace_all_users',` +@@ -3657,7 +3663,9 @@ interface(`userdom_ptrace_all_users',` attribute userdomain; ') - allow $1 userdomain:process ptrace; -+ tunable_policy(`allow_ptrace',` ++ tunable_policy(`deny_ptrace',`',` + allow $1 userdomain:process ptrace; + ') ') ######################################## +diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace serefpolicy-3.10.0/policy/modules/system/xen.te +--- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace 2011-10-11 16:42:15.977761622 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/xen.te 2011-10-11 16:42:16.217761554 -0400 +@@ -206,7 +206,6 @@ tunable_policy(`xend_run_qemu',` + # + + allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; +-dontaudit xend_t self:capability { sys_ptrace }; + allow xend_t self:process { signal sigkill }; + dontaudit xend_t self:process ptrace; + # internal communication is often done using fifo and unix sockets. diff --git a/selinux-policy.spec b/selinux-policy.spec index 11ecaf7..93631ef 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 38.1%{?dist} +Release: 39.1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -29,6 +29,7 @@ patch4: execmem.patch patch5: userdomain.patch patch6: apache.patch patch7: ptrace.patch +patch8: dontaudit.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -218,7 +219,7 @@ fi; if [ -e /etc/selinux/%2/.rebuild ]; then \ rm /etc/selinux/%2/.rebuild; \ if [ %1 -ne 1 ]; then \ - /usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \ + /usr/sbin/semodule -n -s %2 -r hotplug howl java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \ fi \ /usr/sbin/semodule -B -s %2; \ else \ @@ -248,7 +249,8 @@ Based off of reference policy: Checked out revision 2.20091117 %patch4 -p1 -b .execmem %patch5 -p1 -b .userdomain %patch6 -p1 -b .apache -#%patch7 -p1 -b .ptrace +%patch7 -p1 -b .ptrace +%patch8 -p1 -b .dontaudit %install mkdir selinux_config @@ -480,6 +482,31 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Oct 11 2011 Dan Walsh 3.10.0-39.1 +- Remove allow_ptrace and replace it with deny_ptrace, which will remove all +ptrace from the system +- Remove 2000 dontaudit rules between confined domains on transition +and replace with single +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + +* Mon Oct 10 2011 Miroslav Grepl 3.10.0-39 +- Fixes for bootloader policy +- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore +- Allow nsplugin to read /usr/share/config +- Allow sa-update to update rules +- Add use_fusefs_home_dirs for chroot ssh option +- Fixes for grub2 +- Update systemd_exec_systemctl() interface +- Allow gpg to read the mail spool +- More fixes for sa-update running out of cron job +- Allow ipsec_mgmt_t to read hardware state information +- Allow pptp_t to connect to unreserved_port_t +- Dontaudit getattr on initctl in /dev from chfn +- Dontaudit getattr on kernel_core from chfn +- Add systemd_list_unit_dirs to systemd_exec_systemctl call +- Fixes for collectd policy +- CHange sysadm_t to create content as user_tmp_t under /tmp + * Thu Oct 6 2011 Dan Walsh 3.10.0-38.1 - Shrink size of policy through use of attributes for userdomain and apache @@ -496,9 +523,6 @@ SELinux Reference policy mls base module. - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Allow systemd_logind_t to manage /run/USER/dconf/user -* Tue Oct 3 2011 Dan Walsh 3.10.0-36.2 -- Make allow_ptrace remove all ptrace - * Tue Oct 3 2011 Dan Walsh 3.10.0-36.1 - Fix missing patch from F16 diff --git a/userdomain.patch b/userdomain.patch index 8556ed4..34832c9 100644 --- a/userdomain.patch +++ b/userdomain.patch @@ -1,7 +1,6 @@ -diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 66cf96c..a6d907b 100644 ---- a/policy/modules/admin/usermanage.if -+++ b/policy/modules/admin/usermanage.if +diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.if +--- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain 2011-10-11 10:15:28.062129903 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if 2011-10-11 10:15:28.489129089 -0400 @@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',` role $2 types useradd_t; @@ -11,11 +10,10 @@ index 66cf96c..a6d907b 100644 seutil_run_semanage(useradd_t, $2) -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 4779a8d..7d7efd7 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -509,7 +509,7 @@ seutil_domtrans_setfiles(useradd_t) +diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.te +--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain 2011-10-11 10:15:28.447129169 -0400 ++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-11 10:15:28.490129087 -0400 +@@ -512,7 +512,7 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories userdom_home_filetrans_user_home_dir(useradd_t) @@ -24,10 +22,9 @@ index 4779a8d..7d7efd7 100644 mta_manage_spool(useradd_t) -diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if -index e23f640..182d6d1 100644 ---- a/policy/modules/apps/execmem.if -+++ b/policy/modules/apps/execmem.if +diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain serefpolicy-3.10.0/policy/modules/apps/execmem.if +--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain 2011-10-11 10:15:28.472129121 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-11 10:15:28.491129085 -0400 @@ -57,8 +57,6 @@ template(`execmem_role_template',` role $2 types $1_execmem_t; @@ -37,10 +34,9 @@ index e23f640..182d6d1 100644 allow $1_execmem_t self:process { execmem execstack }; allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; -diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if -index 7c398c0..c64cced 100644 ---- a/policy/modules/apps/java.if -+++ b/policy/modules/apps/java.if +diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3.10.0/policy/modules/apps/java.if +--- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain 2011-10-11 10:15:28.077129873 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-11 10:15:28.492129083 -0400 @@ -73,7 +73,8 @@ template(`java_role_template',` domain_interactive_fd($1_java_t) @@ -51,10 +47,9 @@ index 7c398c0..c64cced 100644 allow $1_java_t self:process { ptrace signal getsched execmem execstack }; -diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if -index 1fa8573..8179185 100644 ---- a/policy/modules/apps/mono.if -+++ b/policy/modules/apps/mono.if +diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mono.if +--- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain 2011-10-11 10:15:28.082129864 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-11 10:15:28.493129081 -0400 @@ -49,7 +49,8 @@ template(`mono_role_template',` corecmd_bin_domtrans($1_mono_t, $1_t) @@ -65,10 +60,9 @@ index 1fa8573..8179185 100644 optional_policy(` xserver_role($1_r, $1_mono_t) -diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 83fc139..596232f 100644 ---- a/policy/modules/apps/mozilla.if -+++ b/policy/modules/apps/mozilla.if +diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mozilla.if +--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain 2011-10-11 10:15:28.083129862 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-11 10:15:28.494129079 -0400 @@ -51,7 +51,7 @@ interface(`mozilla_role',` mozilla_run_plugin(mozilla_t, $1) mozilla_dbus_chat($2) @@ -78,10 +72,9 @@ index 83fc139..596232f 100644 optional_policy(` nsplugin_role($1, mozilla_t) -diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if -index 1925bd9..0a794bc 100644 ---- a/policy/modules/apps/nsplugin.if -+++ b/policy/modules/apps/nsplugin.if +diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.if +--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain 2011-10-11 10:15:28.087129854 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-11 10:15:28.495129077 -0400 @@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', ` userdom_use_inherited_user_terminals(nsplugin_t) userdom_use_inherited_user_terminals(nsplugin_config_t) @@ -91,11 +84,10 @@ index 1925bd9..0a794bc 100644 optional_policy(` pulseaudio_role($1, nsplugin_t) -diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te -index 9bf1dd8..564d1ea 100644 ---- a/policy/modules/apps/nsplugin.te -+++ b/policy/modules/apps/nsplugin.te -@@ -284,6 +284,7 @@ userdom_search_user_home_content(nsplugin_config_t) +diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.te +--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain 2011-10-11 10:15:28.088129853 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-11 10:15:28.496129075 -0400 +@@ -286,6 +286,7 @@ userdom_search_user_home_content(nsplugi userdom_read_user_home_content_symlinks(nsplugin_config_t) userdom_read_user_home_content_files(nsplugin_config_t) userdom_dontaudit_search_admin_dir(nsplugin_config_t) @@ -103,10 +95,9 @@ index 9bf1dd8..564d1ea 100644 tunable_policy(`use_nfs_home_dirs',` fs_getattr_nfs(nsplugin_t) -diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if -index 9a5e99c..1e6cf7d 100644 ---- a/policy/modules/apps/pulseaudio.if -+++ b/policy/modules/apps/pulseaudio.if +diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if +--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain 2011-10-11 10:15:28.089129851 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if 2011-10-11 10:15:28.497129073 -0400 @@ -35,9 +35,9 @@ interface(`pulseaudio_role',` allow pulseaudio_t $2:unix_stream_socket connectto; allow $2 pulseaudio_t:unix_stream_socket connectto; @@ -120,10 +111,9 @@ index 9a5e99c..1e6cf7d 100644 allow $2 pulseaudio_t:dbus send_msg; allow pulseaudio_t $2:dbus { acquire_svc send_msg }; -diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index 8522ab4..6941c29 100644 ---- a/policy/modules/apps/pulseaudio.te -+++ b/policy/modules/apps/pulseaudio.te +diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te +--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain 2011-10-11 10:15:28.091129847 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te 2011-10-11 10:15:28.498129071 -0400 @@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) @@ -135,11 +125,10 @@ index 8522ab4..6941c29 100644 optional_policy(` alsa_read_rw_config(pulseaudio_t) ') -diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if -index 8895098..19438a5 100644 ---- a/policy/modules/apps/userhelper.if -+++ b/policy/modules/apps/userhelper.if -@@ -294,7 +294,7 @@ template(`userhelper_console_role_template',` +diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.if +--- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain 2011-10-11 10:15:28.102129826 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if 2011-10-11 10:15:28.498129071 -0400 +@@ -294,7 +294,7 @@ template(`userhelper_console_role_templa auth_use_pam($1_consolehelper_t) @@ -148,10 +137,9 @@ index 8895098..19438a5 100644 optional_policy(` dbus_connect_session_bus($1_consolehelper_t) -diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te -index 8ce8577..f967898 100644 ---- a/policy/modules/apps/userhelper.te -+++ b/policy/modules/apps/userhelper.te +diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.te +--- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain 2011-10-11 10:15:28.102129826 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te 2011-10-11 10:15:28.499129069 -0400 @@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain) userdom_use_user_ptys(consolehelper_domain) userdom_use_user_ttys(consolehelper_domain) @@ -160,10 +148,9 @@ index 8ce8577..f967898 100644 optional_policy(` gnome_read_gconf_home_files(consolehelper_domain) -diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if -index e10101a..cf453e6 100644 ---- a/policy/modules/apps/wine.if -+++ b/policy/modules/apps/wine.if +diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wine.if +--- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain 2011-10-11 10:15:28.105129820 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-11 10:15:28.499129069 -0400 @@ -105,7 +105,8 @@ template(`wine_role_template',` corecmd_bin_domtrans($1_wine_t, $1_t) @@ -174,10 +161,9 @@ index e10101a..cf453e6 100644 domain_mmap_low($1_wine_t) -diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if -index 50c1a74..d618395 100644 ---- a/policy/modules/apps/wm.if -+++ b/policy/modules/apps/wm.if +diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wm.if +--- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain 2011-10-11 10:15:28.107129816 -0400 ++++ serefpolicy-3.10.0/policy/modules/apps/wm.if 2011-10-11 10:15:28.500129068 -0400 @@ -77,9 +77,13 @@ template(`wm_role_template',` miscfiles_read_fonts($1_wm_t) miscfiles_read_localization($1_wm_t) @@ -195,10 +181,22 @@ index 50c1a74..d618395 100644 userdom_exec_user_tmp_files($1_wm_t) optional_policy(` -diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te -index e1113e0..5bcd298 100644 ---- a/policy/modules/roles/unconfineduser.te -+++ b/policy/modules/roles/unconfineduser.te +diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolicy-3.10.0/policy/modules/roles/sysadm.te +--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain 2011-10-11 10:15:28.000000000 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-11 10:16:15.471039586 -0400 +@@ -60,7 +60,8 @@ sysnet_filetrans_named_content(sysadm_t) + # Add/remove user home directories + userdom_manage_user_home_dirs(sysadm_t) + userdom_home_filetrans_user_home_dir(sysadm_t) +-userdom_manage_tmp_role(sysadm_r, sysadm_t) ++userdom_manage_tmp_role(sysadm_r) ++userdom_manage_tmp(sysadm_t) + + optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) +diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te +--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain 2011-10-11 10:15:28.476129113 -0400 ++++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-10-11 10:15:28.501129066 -0400 @@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true) # calls is not correct, however we dont currently # have another method to add access to these types @@ -215,10 +213,9 @@ index e1113e0..5bcd298 100644 userdom_unpriv_usertype(unconfined, unconfined_t) type unconfined_exec_t; -diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te -index 49a4283..7a3ea96 100644 ---- a/policy/modules/services/rshd.te -+++ b/policy/modules/services/rshd.te +diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpolicy-3.10.0/policy/modules/services/rshd.te +--- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain 2011-10-11 10:15:28.333129386 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/rshd.te 2011-10-11 10:15:28.502129064 -0400 @@ -66,7 +66,7 @@ seutil_read_config(rshd_t) seutil_read_default_contexts(rshd_t) @@ -228,10 +225,9 @@ index 49a4283..7a3ea96 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(rshd_t) -diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 8e3e9de..862e108 100644 ---- a/policy/modules/services/ssh.if -+++ b/policy/modules/services/ssh.if +diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.if +--- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain 2011-10-11 10:15:28.354129346 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-11 10:15:28.503129062 -0400 @@ -380,7 +380,7 @@ template(`ssh_role_template',` manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) @@ -241,10 +237,9 @@ index 8e3e9de..862e108 100644 ############################## # -diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index d81a09f..3fdc1df 100644 ---- a/policy/modules/services/ssh.te -+++ b/policy/modules/services/ssh.te +diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.te +--- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain 2011-10-11 10:15:28.355129344 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/ssh.te 2011-10-11 10:15:28.503129062 -0400 @@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t) userdom_write_user_tmp_files(ssh_t) userdom_read_user_home_content_symlinks(ssh_t) @@ -253,7 +248,7 @@ index d81a09f..3fdc1df 100644 tunable_policy(`allow_ssh_keysign',` domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(sshd_t) +@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets( userdom_read_user_home_content_files(sshd_t) userdom_read_user_home_content_symlinks(sshd_t) @@ -262,10 +257,9 @@ index d81a09f..3fdc1df 100644 userdom_spec_domtrans_unpriv_users(sshd_t) userdom_signal_unpriv_users(sshd_t) userdom_dyntransition_unpriv_users(sshd_t) -diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 7d5a298..36b8a4c 100644 ---- a/policy/modules/services/sssd.te -+++ b/policy/modules/services/sssd.te +diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpolicy-3.10.0/policy/modules/services/sssd.te +--- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain 2011-10-11 10:15:28.356129342 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/sssd.te 2011-10-11 10:15:28.504129060 -0400 @@ -92,7 +92,7 @@ miscfiles_read_generic_certs(sssd_t) sysnet_dns_name_resolve(sssd_t) sysnet_use_ldap(sssd_t) @@ -275,10 +269,9 @@ index 7d5a298..36b8a4c 100644 optional_policy(` dbus_system_bus_client(sssd_t) -diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 60e0e2d..fcf2f38 100644 ---- a/policy/modules/services/xserver.te -+++ b/policy/modules/services/xserver.te +diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefpolicy-3.10.0/policy/modules/services/xserver.te +--- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain 2011-10-11 10:15:28.480129106 -0400 ++++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-11 10:15:28.505129058 -0400 @@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t) userdom_manage_user_tmp_dirs(xdm_t) userdom_manage_user_tmp_files(xdm_t) @@ -288,10 +281,9 @@ index 60e0e2d..fcf2f38 100644 application_signal(xdm_t) -diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e7a65ae..6974244 100644 ---- a/policy/modules/system/userdomain.if -+++ b/policy/modules/system/userdomain.if +diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.if +--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain 2011-10-11 10:15:28.482129102 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-11 10:15:28.506129056 -0400 @@ -35,21 +35,14 @@ template(`userdom_base_user_template',` type $1_t, userdomain, $1_usertype; domain_type($1_t) @@ -611,7 +603,7 @@ index e7a65ae..6974244 100644 ') ####################################### -@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',` +@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files', ## Role allowed access. ## ## @@ -633,7 +625,7 @@ index e7a65ae..6974244 100644 ## ## ## Domain allowed access. -@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',` +@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files', ## ## # @@ -671,7 +663,7 @@ index e7a65ae..6974244 100644 ') ####################################### -@@ -578,260 +503,31 @@ template(`userdom_change_password_template',` +@@ -578,260 +503,31 @@ template(`userdom_change_password_templa template(`userdom_common_user_template',` gen_require(` attribute unpriv_userdomain; @@ -690,11 +682,9 @@ index e7a65ae..6974244 100644 - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; - allow $1_t self:socket create_socket_perms; -+ typeattribute $1_t common_userdomain; - +- - allow $1_usertype unpriv_userdomain:fd use; -+ userdom_basic_networking(common_userdomain) - +- - kernel_read_system_state($1_usertype) - kernel_read_network_state($1_usertype) - kernel_read_software_raid_state($1_usertype) @@ -746,11 +736,13 @@ index e7a65ae..6974244 100644 - - # for eject - storage_getattr_fixed_disk_dev($1_usertype) -- ++ typeattribute $1_t common_userdomain; + - auth_read_login_records($1_usertype) - auth_run_pam($1_t,$1_r) - auth_run_utempter($1_t,$1_r) -- ++ userdom_basic_networking(common_userdomain) + - init_read_utmp($1_usertype) - - seutil_read_file_contexts($1_usertype) @@ -775,21 +767,16 @@ index e7a65ae..6974244 100644 - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_usertype) - ') -+ auth_run_pam(common_userdomain,$1_r) -+ auth_run_utempter(common_userdomain,$1_r) -+ seutil_run_newrole(common_userdomain,$1_r) - - optional_policy(` +- +- optional_policy(` - canna_stream_connect($1_usertype) -+ chrome_role($1_r, common_userdomain) - ') - - optional_policy(` +- ') +- +- optional_policy(` - chrome_role($1_r, $1_usertype) -+ git_session_role($1_r, common_userdomain) - ') - - optional_policy(` +- ') +- +- optional_policy(` - colord_read_lib_files($1_usertype) - ') - @@ -850,10 +837,9 @@ index e7a65ae..6974244 100644 - optional_policy(` - vpn_dbus_chat($1_usertype) - ') -+ nsplugin_role($1_r, common_userdomain) - ') - - optional_policy(` +- ') +- +- optional_policy(` - git_session_role($1_r, $1_usertype) - ') - @@ -922,27 +908,33 @@ index e7a65ae..6974244 100644 - optional_policy(` - resmgr_stream_connect($1_usertype) - ') -- -- optional_policy(` ++ auth_run_pam(common_userdomain,$1_r) ++ auth_run_utempter(common_userdomain,$1_r) ++ seutil_run_newrole(common_userdomain,$1_r) + + optional_policy(` - rpc_dontaudit_getattr_exports($1_usertype) - rpc_manage_nfs_rw_content($1_usertype) -- ') -- -- optional_policy(` ++ chrome_role($1_r, common_userdomain) + ') + + optional_policy(` - rpcbind_stream_connect($1_usertype) -- ') -- -- optional_policy(` ++ git_session_role($1_r, common_userdomain) + ') + + optional_policy(` - samba_stream_connect_winbind($1_usertype) -- ') -- -- optional_policy(` ++ nsplugin_role($1_r, common_userdomain) + ') + + optional_policy(` - sandbox_transition($1_usertype, $1_r) + sandbox_transition(common_userdomain, $1_r) ') optional_policy(` -@@ -839,11 +535,7 @@ template(`userdom_common_user_template',` +@@ -839,11 +535,7 @@ template(`userdom_common_user_template', ') optional_policy(` @@ -955,7 +947,7 @@ index e7a65ae..6974244 100644 ') ') -@@ -872,10 +564,9 @@ template(`userdom_login_user_template', ` +@@ -872,10 +564,9 @@ template(`userdom_login_user_template', userdom_base_user_template($1) @@ -969,7 +961,7 @@ index e7a65ae..6974244 100644 ifelse(`$1',`unconfined',`',` gen_tunable(allow_$1_exec_content, true) -@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_template',` +@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_templa typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -979,7 +971,7 @@ index e7a65ae..6974244 100644 ############################## # # Local policy -@@ -3918,6 +3606,10 @@ template(`userdom_unpriv_usertype',` +@@ -3929,6 +3617,10 @@ template(`userdom_unpriv_usertype',` auth_use_nsswitch($2) ubac_constrained($2) @@ -990,10 +982,9 @@ index e7a65ae..6974244 100644 ') ######################################## -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 04d748b..c636356 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te +diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.te +--- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain 2011-10-11 10:15:28.427129208 -0400 ++++ serefpolicy-3.10.0/policy/modules/system/userdomain.te 2011-10-11 10:15:28.507129054 -0400 @@ -69,6 +69,8 @@ attribute userdomain; # unprivileged user domains