[selinux-policy: 3016/3172] Allow users to ptrace and send any signal to their bluetooth helper agent.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:28:22 UTC 2010


commit dd0d453cdf767396b8c61d1795546cb4fcf78954
Author: Dominick Grift <domg472 at gmail.com>
Date:   Fri Sep 17 10:16:23 2010 +0200

    Allow users to ptrace and send any signal to their bluetooth helper agent.
    
    Allow users to ptrace and send any signal to their cron job.
    
    Allow users to ptrace and send any signal to their cron job.
    
    Allow users to ptrace and send any signal to their cron job.
    
    Allow users to ps, ptrace and send any signal to their session bus.

 policy/modules/services/bluetooth.if |    2 +-
 policy/modules/services/cron.if      |    5 +++--
 policy/modules/services/dbus.if      |    5 +++--
 3 files changed, 7 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 328302d..303ba6c 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -27,7 +27,7 @@ interface(`bluetooth_role',`
 
 	# allow ps to show cdrecord and allow the user to kill it
 	ps_process_pattern($2, bluetooth_helper_t)
-	allow $2 bluetooth_helper_t:process signal;
+	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
 
 	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
 	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
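Review bot: The context comment above the changed rule still says `cdrecord` and mentions only ps and kill, so it no longer describes the line it annotates, which now grants ptrace on bluetooth_helper_t; I would change it to `# allow ps to show the bluetooth helper agent and let the user ptrace and signal it`. ptrace lets the user domain read and modify the helper's memory and registers, which is considerably broader than the signal-only access the old line gave; that is the stated intent of the commit, but recording it in the comment keeps a later cleanup from narrowing it back by accident. The bluetooth_role interface body continues outside the hunk.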
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 72a174a..f17a4c2 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -138,7 +138,7 @@ interface(`cron_role',`
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, crontab_t)
-	allow $2 crontab_t:process signal;
+	allow $2 crontab_t:process { ptrace signal_perms };
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(crontab_t, $2)
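Review bot: The rule changed here grants ptrace and signal_perms on crontab_t, the domain of the crontab editor, while the commit message says the access is for the user's cron job; the same applies to admin_crontab_t in the `@@ -225` hunk of this file. Within this commit only the cron_unconfined_role hunk touches a cronjob domain, so either the message should name crontab_t, or the confined cronjob domain was meant and these two hunks miss it. Either way the context comment `# crontab shows up in user ps` now undersells the rule; I would extend it to `# crontab shows up in user ps; the user may ptrace and signal it`. The cron_role interface body continues outside the hunk.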
@@ -180,6 +180,7 @@ interface(`cron_unconfined_role',`
 
 	# cronjob shows up in user ps
 	ps_process_pattern($2, unconfined_cronjob_t)
+	allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
 
 	optional_policy(`
 		gen_require(`
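Review bot: The added rule on unconfined_cronjob_t sits under a comment that only mentions ps, so the ptrace and signal access is undocumented at the point where it is granted; I would change the comment to `# cronjob shows up in user ps; the user may ptrace and signal it`. Unlike the crontab_t and admin_crontab_t hunks this one adds a process rule rather than widening an existing one, and no earlier process rule for this pair is visible in the hunk (whether one exists elsewhere in the interface cannot be told from here), so it deserves its own sentence in the commit message. The cron_unconfined_role interface body continues outside the hunk.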
@@ -225,7 +226,7 @@ interface(`cron_admin_role',`
 
 	# crontab shows up in user ps
 	ps_process_pattern($2, admin_crontab_t)
-	allow $2 admin_crontab_t:process signal;
+	allow $2 admin_crontab_t:process { ptrace signal_perms };
 
 	# Run helper programs as the user domain
 	#corecmd_bin_domtrans(admin_crontab_t, $2)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 7852441..dc7ff5a 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -90,14 +90,15 @@ template(`dbus_role_template',`
 	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
 
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
-	allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+	ps_process_pattern($3, $1_dbusd_t)
+	allow $3 $1_dbusd_t:process { ptrace signal_perms };
 
 	# cjp: this seems very broken
 	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 	allow $1_dbusd_t $3:process sigkill;
 	allow $3 $1_dbusd_t:fd use;
 	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-	allow $3 $1_dbusd_t:process sigchld;
 
 	kernel_read_system_state($1_dbusd_t)
 	kernel_read_kernel_sysctls($1_dbusd_t)
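Review bot: The new `ps_process_pattern` and `{ ptrace signal_perms }` rules on $1_dbusd_t carry no comment, unlike the matching rules in bluetooth.if and cron.if in this commit, so a reader has to go back to the commit message to learn why $3 may now ptrace its session bus; I would add `# allow the user to ps, ptrace and signal their session bus` above the ps_process_pattern line. Removing the separate `sigchld` rule further down is consistent with the new line, since signal_perms already includes sigchld, but that is not obvious without knowing the permission set and is worth a mention in the commit message. Because $1_dbusd_t mediates the user's session IPC, ptrace from $3 lets any process in that domain inspect the bus daemon's memory; this matches the stated intent, but it is a deliberate widening that should be recorded where it is granted. The dbus_role_template body continues outside the hunk.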

