[selinux-policy: 1563/3172] ps/ptrace dontaudit cleanup
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:20:17 UTC 2010
commit 497da0953cbc5ccee0d82b901f5382e20698e66c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Aug 8 17:49:03 2006 +0000
ps/ptrace dontaudit cleanup
policy/modules/apps/cdrecord.if | 6 ------
policy/modules/apps/evolution.if | 5 -----
policy/modules/apps/irc.if | 5 -----
policy/modules/apps/mozilla.if | 5 -----
policy/modules/apps/mplayer.if | 10 ----------
policy/modules/apps/thunderbird.if | 5 -----
policy/modules/apps/tvtime.if | 5 -----
policy/modules/apps/uml.if | 5 -----
policy/modules/services/cron.if | 1 -
policy/modules/services/xserver.if | 22 ----------------------
policy/modules/system/init.if | 6 ------
11 files changed, 0 insertions(+), 75 deletions(-)
---
diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index f756bc4..4b98c08 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -64,12 +64,6 @@ template(`cdrecord_per_userdomain_template', `
allow $2 $1_cdrecord_t:dir { search getattr read };
allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
allow $2 $1_cdrecord_t:process getattr;
- #We need to suppress this denial because procps
- #tries to access /proc/pid/environ and this now
- #triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps
- #to not do this, or only if running in a privileged domain.
- dontaudit $2 $1_cdrecord_t:process ptrace;
allow $2 $1_cdrecord_t:process signal;
# Transition from the user domain to the derived domain.
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 946a9fb..16b640e 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -170,11 +170,6 @@ template(`evolution_per_userdomain_template',`
allow $2 $1_evolution_t:dir { search getattr read };
allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
allow $2 $1_evolution_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_evolution_t:process ptrace;
#FIXME check to see if really needed
kernel_read_kernel_sysctls($1_evolution_t)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 1cd0fbf..9fe7592 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -96,11 +96,6 @@ template(`irc_per_userdomain_template',`
allow $2 $1_irc_t:dir { search getattr read };
allow $2 $1_irc_t:{ file lnk_file } { read getattr };
allow $2 $1_irc_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_irc_t:process ptrace;
kernel_read_proc_symlinks($1_irc_t)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 26e7bad..747bde4 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -106,11 +106,6 @@ template(`mozilla_per_userdomain_template',`
allow $2 $1_mozilla_t:dir { search getattr read };
allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
allow $2 $1_mozilla_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_mozilla_t:process ptrace;
allow $2 $1_mozilla_t:process signal_perms;
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 12e9260..347f0fb 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -81,11 +81,6 @@ template(`mplayer_per_userdomain_template',`
allow $2 $1_mencoder_t:dir { search getattr read };
allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
allow $2 $1_mencoder_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_mencoder_t:process ptrace;
allow $2 $1_mencoder_t:process signal_perms;
# Read /proc files and directories
@@ -295,11 +290,6 @@ template(`mplayer_per_userdomain_template',`
allow $2 $1_mplayer_t:dir { search getattr read };
allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
allow $2 $1_mplayer_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_mplayer_t:process ptrace;
allow $2 $1_mplayer_t:process signal_perms;
kernel_dontaudit_list_unlabeled($1_mplayer_t)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 2e197eb..0c84014 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -87,11 +87,6 @@ template(`thunderbird_per_userdomain_template',`
allow $2 $1_thunderbird_t:dir { search getattr read };
allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
allow $2 $1_thunderbird_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_thunderbird_t:process ptrace;
# Access ~/.thunderbird
allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 4a6899b..22c035f 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -99,11 +99,6 @@ template(`tvtime_per_userdomain_template',`
allow $2 $1_tvtime_t:dir { search getattr read };
allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
allow $2 $1_tvtime_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_tvtime_t:process ptrace;
allow $2 $1_tvtime_t:process signal_perms;
kernel_read_all_sysctls($1_tvtime_t)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index abc568f..fb067bb 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -120,11 +120,6 @@ template(`uml_per_userdomain_template',`
allow $2 $1_uml_t:dir { search getattr read };
allow $2 $1_uml_t:{ file lnk_file } { read getattr };
allow $2 $1_uml_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_uml_t:process ptrace;
allow $2 $1_uml_tmp_t:dir create_dir_perms;
allow $2 $1_uml_tmp_t:file create_file_perms;
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index fb6b883..88033ab 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -186,7 +186,6 @@ template(`cron_per_userdomain_template',`
allow $2 $1_crontab_t:dir { search getattr read };
allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
allow $2 $1_crontab_t:process getattr;
- dontaudit $2 $1_crontab_t:process ptrace;
# for ^Z
allow $2 $1_crontab_t:process signal;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6868bb6..bac7292 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -174,16 +174,6 @@ template(`xserver_common_domain_template',`
optional_policy(`
xfs_stream_connect($1_xserver_t)
')
-
- ifdef(`TODO',`
- ifdef(`distro_redhat',`
- ifdef(`rpm.te', `
- allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
- allow $1_xserver_t rpm_tmpfs_t:file { read write };
- rpm_use_fds($1_xserver_t)
- ')
- ')
- ') dnl end TODO
')
#######################################
@@ -317,8 +307,6 @@ template(`xserver_per_userdomain_template',`
')
ifdef(`TODO',`
- allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-
ifdef(`xdm.te', `
allow $1_t xdm_tmp_t:sock_file unlink;
allow $1_xserver_t xdm_var_run_t:dir search;
@@ -352,11 +340,6 @@ template(`xserver_per_userdomain_template',`
allow $2 $1_xauth_t:dir { search getattr read };
allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
allow $2 $1_xauth_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_xauth_t:process ptrace;
allow $2 $1_xauth_home_t:file manage_file_perms;
allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
@@ -419,11 +402,6 @@ template(`xserver_per_userdomain_template',`
allow $2 $1_iceauth_t:dir { search getattr read };
allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
allow $2 $1_iceauth_t:process getattr;
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $2 $1_iceauth_t:process ptrace;
allow $2 $1_iceauth_home_t:file manage_file_perms;
allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4e76bd4..cfe04fa 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -620,12 +620,6 @@ interface(`init_read_script_state',`
allow $1 initrc_t:dir r_dir_perms;
allow $1 initrc_t:{ file lnk_file } r_file_perms;
allow $1 initrc_t:process getattr;
-
- # We need to suppress this denial because procps tries to access
- # /proc/pid/environ and this now triggers a ptrace check in recent kernels
- # (2.4 and 2.6). Might want to change procps to not do this, or only if
- # running in a privileged domain.
- dontaudit $1 initrc_t:process ptrace;
')
########################################
More information about the scm-commits
mailing list