[selinux-policy: 3/3] Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system Re
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Oct 11 20:49:04 UTC 2011
commit 80347b11c4fa8c53def8da43ad4966d4eb5ecf0f
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Oct 11 16:48:46 2011 -0400
Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
dontaudit.patch | 23 +++++++++++++++++++++++
1 files changed, 23 insertions(+), 0 deletions(-)
---
diff --git a/dontaudit.patch b/dontaudit.patch
new file mode 100644
index 0000000..73d1ac9
--- /dev/null
+++ b/dontaudit.patch
@@ -0,0 +1,23 @@
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index db2a183..02cf550 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -312,3 +312,5 @@ optional_policy(`
+ optional_policy(`
+ seutil_dontaudit_read_config(domain)
+ ')
++
++dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
+index 823794e..18e1b2f 100644
+--- a/policy/support/misc_patterns.spt
++++ b/policy/support/misc_patterns.spt
+@@ -4,7 +4,7 @@
+ define(`domain_transition_pattern',`
+ allow $1 $2:file { getattr open read execute };
+ allow $1 $3:process transition;
+- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
++# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
+ ')
+
+ # compatibility:
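Review bot: the rule added at the end of domain.te, `dontaudit domain domain:process { noatsecure siginh rlimitinh } ;`, applies to every source and target domain pair, while the line it replaces in domain_transition_pattern only covered the $1/$3 pairs that had an explicit transition. That widening is not documented anywhere in the policy source. Add a comment above the new rule saying that it supersedes the per-transition dontaudit, and that these three permission denials are now silenced globally unless policy is rebuilt with dontaudit rules disabled (semodule -DB). In misc_patterns.spt the old dontaudit line is commented out rather than removed. Either delete it or add a short note pointing at the domain.te rule, so the leftover does not read as an accidental disable. The commit message also leads with the allow_ptrace/deny_ptrace change, but the diff shown here only adds dontaudit.patch, so it would help to say where the boolean change lives.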