[selinux-policy: 3016/3172] Allow users to ptrace and send any signal to their bluetooth helper agent.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:28:22 UTC 2010
commit dd0d453cdf767396b8c61d1795546cb4fcf78954
Author: Dominick Grift <domg472 at gmail.com>
Date: Fri Sep 17 10:16:23 2010 +0200
Allow users to ptrace and send any signal to their bluetooth helper agent.
Allow users to ptrace and send any signal to their cron job.
Allow users to ptrace and send any signal to their cron job.
Allow users to ptrace and send any signal to their cron job.
Allow users to ps, ptrace and send any signal to their session bus.
policy/modules/services/bluetooth.if | 2 +-
policy/modules/services/cron.if | 5 +++--
policy/modules/services/dbus.if | 5 +++--
3 files changed, 7 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 328302d..303ba6c 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -27,7 +27,7 @@ interface(`bluetooth_role',`
# allow ps to show cdrecord and allow the user to kill it
ps_process_pattern($2, bluetooth_helper_t)
- allow $2 bluetooth_helper_t:process signal;
+ allow $2 bluetooth_helper_t:process { ptrace signal_perms };
manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
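Review bot: Granting `ptrace` on `bluetooth_helper_t` lets the calling domain `$2` read and alter the helper's memory, so anything the helper domain is allowed beyond `$2` stops being a separate privilege boundary. The same applies to the `crontab_t` and `admin_crontab_t` rules in cron.if and the `$1_dbusd_t` rule in dbus.if. If debugging is the motivation, keep `allow $2 bluetooth_helper_t:process signal_perms;` unconditional and move `ptrace` into a `tunable_policy` block keyed on a boolean, so it can be switched off on production hosts; no such boolean is visible on this page, so one would have to be chosen or added. The context comment above the rule still refers to cdrecord; `# allow ps to show the bluetooth helper and allow the user to signal and ptrace it` would match the rule. The interface body continues outside the hunk.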
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 72a174a..f17a4c2 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -138,7 +138,7 @@ interface(`cron_role',`
# crontab shows up in user ps
ps_process_pattern($2, crontab_t)
- allow $2 crontab_t:process signal;
+ allow $2 crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
@@ -180,6 +180,7 @@ interface(`cron_unconfined_role',`
# cronjob shows up in user ps
ps_process_pattern($2, unconfined_cronjob_t)
+ allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
optional_policy(`
gen_require(`
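Review bot: The rule added in `cron_unconfined_role` is a new grant rather than a widening, since the hunk shows no earlier signal rule for `$2` on `unconfined_cronjob_t`, and it includes `ptrace`. Judging by its name the target domain is unconfined, so a confined role that calls this interface would presumably gain control over an unconfined process. Either state in the interface documentation that `$2` is expected to be an unconfined user domain, or reduce the rule to `allow $2 unconfined_cronjob_t:process signal_perms;`. The interface body continues outside the hunk.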
@@ -225,7 +226,7 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
- allow $2 admin_crontab_t:process signal;
+ allow $2 admin_crontab_t:process { ptrace signal_perms };
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 7852441..dc7ff5a 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -90,14 +90,15 @@ template(`dbus_role_template',`
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
- allow $3 $1_dbusd_t:process { signull sigkill signal };
+
+ ps_process_pattern($3, $1_dbusd_t)
+ allow $3 $1_dbusd_t:process { ptrace signal_perms };
# cjp: this seems very broken
corecmd_bin_domtrans($1_dbusd_t, $1_t)
allow $1_dbusd_t $3:process sigkill;
allow $3 $1_dbusd_t:fd use;
allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
- allow $3 $1_dbusd_t:process sigchld;
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
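Review bot: `sigchld` for `$3` on `$1_dbusd_t` is now granted only through `signal_perms`, because the explicit `allow $3 $1_dbusd_t:process sigchld;` further down was dropped. A short comment on the new rule would keep that dependency visible, e.g. `# signal_perms covers sigchld, formerly a separate rule below`. As defined in the reference policy's permission sets, `signal_perms` also includes `sigstop`, which the old `{ signull sigkill signal }` set lacked; the commit message says "any signal", so that is presumably intended. The new `ps_process_pattern` line has no comment like the `# crontab shows up in user ps` ones in cron.if. The template body continues outside the hunk.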