[selinux-policy: 1563/3172] ps/ptrace dontaudit cleanup

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:20:17 UTC 2010 

commit 497da0953cbc5ccee0d82b901f5382e20698e66c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Aug 8 17:49:03 2006 +0000

    ps/ptrace dontaudit cleanup

 policy/modules/apps/cdrecord.if    |    6 ------
 policy/modules/apps/evolution.if   |    5 -----
 policy/modules/apps/irc.if         |    5 -----
 policy/modules/apps/mozilla.if     |    5 -----
 policy/modules/apps/mplayer.if     |   10 ----------
 policy/modules/apps/thunderbird.if |    5 -----
 policy/modules/apps/tvtime.if      |    5 -----
 policy/modules/apps/uml.if         |    5 -----
 policy/modules/services/cron.if    |    1 -
 policy/modules/services/xserver.if |   22 ----------------------
 policy/modules/system/init.if      |    6 ------
 11 files changed, 0 insertions(+), 75 deletions(-)
---
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index f756bc4..4b98c08 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -64,12 +64,6 @@ template(`cdrecord_per_userdomain_template', `
 	allow $2 $1_cdrecord_t:dir { search getattr read };
 	allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
 	allow $2 $1_cdrecord_t:process getattr;
-	#We need to suppress this denial because procps
-	#tries to access /proc/pid/environ and this now
-	#triggers a ptrace check in recent kernels
-	# (2.4 and 2.6). Might want to change procps
-	#to not do this, or only if running in a privileged domain.
-	dontaudit $2 $1_cdrecord_t:process ptrace;
 	allow $2 $1_cdrecord_t:process signal;
 
 	# Transition from the user domain to the derived domain.
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 946a9fb..16b640e 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -170,11 +170,6 @@ template(`evolution_per_userdomain_template',`
 	allow $2 $1_evolution_t:dir { search getattr read };
 	allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
 	allow $2 $1_evolution_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_evolution_t:process ptrace;
 
 	#FIXME check to see if really needed
 	kernel_read_kernel_sysctls($1_evolution_t)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 1cd0fbf..9fe7592 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -96,11 +96,6 @@ template(`irc_per_userdomain_template',`
 	allow $2 $1_irc_t:dir { search getattr read };
 	allow $2 $1_irc_t:{ file lnk_file } { read getattr };
 	allow $2 $1_irc_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_irc_t:process ptrace;
 	
 	kernel_read_proc_symlinks($1_irc_t)
 
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 26e7bad..747bde4 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -106,11 +106,6 @@ template(`mozilla_per_userdomain_template',`
 	allow $2 $1_mozilla_t:dir { search getattr read };
 	allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mozilla_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mozilla_t:process ptrace;
 
 	allow $2 $1_mozilla_t:process signal_perms;
 	
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 12e9260..347f0fb 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -81,11 +81,6 @@ template(`mplayer_per_userdomain_template',`
 	allow $2 $1_mencoder_t:dir { search getattr read };
 	allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mencoder_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mencoder_t:process ptrace;
 	allow $2 $1_mencoder_t:process signal_perms;
 
 	# Read /proc files and directories
@@ -295,11 +290,6 @@ template(`mplayer_per_userdomain_template',`
 	allow $2 $1_mplayer_t:dir { search getattr read };
 	allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mplayer_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mplayer_t:process ptrace;
 	allow $2 $1_mplayer_t:process signal_perms;
 
 	kernel_dontaudit_list_unlabeled($1_mplayer_t)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 2e197eb..0c84014 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -87,11 +87,6 @@ template(`thunderbird_per_userdomain_template',`
 	allow $2 $1_thunderbird_t:dir { search getattr read };
 	allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
 	allow $2 $1_thunderbird_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_thunderbird_t:process ptrace;
 
 	# Access ~/.thunderbird
 	allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 4a6899b..22c035f 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -99,11 +99,6 @@ template(`tvtime_per_userdomain_template',`
 	allow $2 $1_tvtime_t:dir { search getattr read };
 	allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
 	allow $2 $1_tvtime_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_tvtime_t:process ptrace;
 	allow $2 $1_tvtime_t:process signal_perms;
 	
 	kernel_read_all_sysctls($1_tvtime_t)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index abc568f..fb067bb 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -120,11 +120,6 @@ template(`uml_per_userdomain_template',`
 	allow $2 $1_uml_t:dir { search getattr read };
 	allow $2 $1_uml_t:{ file lnk_file } { read getattr };
 	allow $2 $1_uml_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_uml_t:process ptrace;
 
 	allow $2 $1_uml_tmp_t:dir create_dir_perms;
 	allow $2 $1_uml_tmp_t:file create_file_perms;
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index fb6b883..88033ab 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -186,7 +186,6 @@ template(`cron_per_userdomain_template',`
 	allow $2 $1_crontab_t:dir { search getattr read };
 	allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
 	allow $2 $1_crontab_t:process getattr;
-	dontaudit $2 $1_crontab_t:process ptrace;
 
 	# for ^Z
 	allow $2 $1_crontab_t:process signal;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6868bb6..bac7292 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -174,16 +174,6 @@ template(`xserver_common_domain_template',`
 	optional_policy(`
 		xfs_stream_connect($1_xserver_t)
 	')
-
-	ifdef(`TODO',`
-	ifdef(`distro_redhat',`
-		ifdef(`rpm.te', `
-			allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-			allow $1_xserver_t rpm_tmpfs_t:file { read write };
-			rpm_use_fds($1_xserver_t)
-		')
-	')
-	') dnl end TODO
 ')
 
 #######################################
@@ -317,8 +307,6 @@ template(`xserver_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-
 	ifdef(`xdm.te', `
 		allow $1_t xdm_tmp_t:sock_file unlink;
 		allow $1_xserver_t xdm_var_run_t:dir search;
@@ -352,11 +340,6 @@ template(`xserver_per_userdomain_template',`
 	allow $2 $1_xauth_t:dir { search getattr read };
 	allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
 	allow $2 $1_xauth_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_xauth_t:process ptrace;
 
 	allow $2 $1_xauth_home_t:file manage_file_perms;
 	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
@@ -419,11 +402,6 @@ template(`xserver_per_userdomain_template',`
 	allow $2 $1_iceauth_t:dir { search getattr read };
 	allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
 	allow $2 $1_iceauth_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_iceauth_t:process ptrace;
 
 	allow $2 $1_iceauth_home_t:file manage_file_perms;
 	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4e76bd4..cfe04fa 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -620,12 +620,6 @@ interface(`init_read_script_state',`
 	allow $1 initrc_t:dir r_dir_perms;
 	allow $1 initrc_t:{ file lnk_file } r_file_perms;
 	allow $1 initrc_t:process getattr;
-
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $1 initrc_t:process ptrace;
 ')
 
 ########################################

More information about the scm-commits mailing list