[selinux-policy: 1/3] Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system Re

Daniel J Walsh dwalsh at fedoraproject.org
Tue Oct 11 20:48:54 UTC 2011


commit 6554bb3ccaae803b67917f38fcc0a94ed7fffb58
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Oct 11 16:46:26 2011 -0400

    Remove allow_ptrace and replace it with deny_ptrace, which will remove all
    ptrace from the system
    Remove 2000 dontaudit rules between confined domains on transition
    and replace with single
    dontaudit domain domain:process { noatsecure siginh rlimitinh } ;

 apache.patch           |   92 +---
 booleans-mls.conf      |    6 +-
 booleans-targeted.conf |    8 +-
 policy-F16.patch       | 1082 +++++++++++++++++++++-----------
 ptrace.patch           | 1604 +++++++++++++++++++++++++-----------------------
 selinux-policy.spec    |   36 +-
 userdomain.patch       |  257 ++++----
 7 files changed, 1718 insertions(+), 1367 deletions(-)
---
diff --git a/apache.patch b/apache.patch
index 4575cda..065be6a 100644
--- a/apache.patch
+++ b/apache.patch
@@ -1,81 +1,8 @@
-diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index cf3d50b..3ded83e 100644
---- a/policy/modules/kernel/domain.if
-+++ b/policy/modules/kernel/domain.if
-@@ -75,34 +75,6 @@ interface(`domain_base_type',`
- interface(`domain_type',`
- 	# start with basic domain
- 	domain_base_type($1)
--
--	ifdef(`distro_redhat',`
--		optional_policy(`
--			unconfined_use_fds($1)
--		')
--	')
--
--	# send init a sigchld and signull
--	optional_policy(`
--		init_sigchld($1)
--		init_signull($1)
--	')
--
--	# these seem questionable:
--
--	optional_policy(`
--		rpm_use_fds($1)
--		rpm_read_pipes($1)
--	')
--
--	optional_policy(`
--		selinux_dontaudit_getattr_fs($1)
--		selinux_dontaudit_read_fs($1)
--	')
--
--	optional_policy(`
--		seutil_dontaudit_read_config($1)
--	')
- ')
- 
- ########################################
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index 00e20f7..db2a183 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -285,3 +285,30 @@ optional_policy(`
- # broken kernel
- dontaudit can_change_object_identity can_change_object_identity:key link;
- 
-+ifdef(`distro_redhat',`
-+	optional_policy(`
-+		unconfined_use_fds(domain)
-+	')
-+')
-+
-+# send init a sigchld and signull
-+optional_policy(`
-+	init_sigchld(domain)
-+	init_signull(domain)
-+')
-+
-+# these seem questionable:
-+
-+optional_policy(`
-+	rpm_use_fds(domain)
-+	rpm_read_pipes(domain)
-+')
-+
-+optional_policy(`
-+	selinux_dontaudit_getattr_fs(domain)
-+	selinux_dontaudit_read_fs(domain)
-+')
-+
-+optional_policy(`
-+	seutil_dontaudit_read_config(domain)
-+')
-diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index e12bbc0..606323d 100644
---- a/policy/modules/services/apache.if
-+++ b/policy/modules/services/apache.if
+diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.if.apache serefpolicy-3.10.0/policy/modules/kernel/domain.if
+diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.apache serefpolicy-3.10.0/policy/modules/kernel/domain.te
+diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.apache serefpolicy-3.10.0/policy/modules/services/apache.if
+--- serefpolicy-3.10.0/policy/modules/services/apache.if.apache	2011-10-11 10:17:05.262944711 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apache.if	2011-10-11 10:17:13.416929487 -0400
 @@ -16,55 +16,43 @@ template(`apache_content_template',`
  		attribute httpd_exec_scripts, httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
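Review bot: The regenerated apache.patch keeps bare `diff -up … domain.if.apache …` and `diff -up … domain.te.apache …` header lines at L109–L110 with no `---`/`+++` pair or hunk under them, so they are stubs left from diffing files that no longer differ. patch(1) will skip them, but they misstate which files this patch touches; drop both lines so the apache.if header at L111 is the first real file header. The domain.if/domain.te rule moves that the old version of this file carried (removed at L31–L104) are no longer anywhere in this patch, so whoever applies the series should confirm they landed in another patch rather than being dropped.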
@@ -240,11 +167,10 @@ index e12bbc0..606323d 100644
  	')
  ')
  
-diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index f165efd..adf2423 100644
---- a/policy/modules/services/apache.te
-+++ b/policy/modules/services/apache.te
-@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_write, false)
+diff -up serefpolicy-3.10.0/policy/modules/services/apache.te.apache serefpolicy-3.10.0/policy/modules/services/apache.te
+--- serefpolicy-3.10.0/policy/modules/services/apache.te.apache	2011-10-11 10:17:05.263944709 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apache.te	2011-10-11 10:17:13.418929446 -0400
+@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_
  
  attribute httpdcontent;
  attribute httpd_user_content_type;
diff --git a/booleans-mls.conf b/booleans-mls.conf
index ed149cd..c264bb2 100644
--- a/booleans-mls.conf
+++ b/booleans-mls.conf
@@ -1,4 +1,4 @@
-d# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
+# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
 allow_execmem = false
 
@@ -38,9 +38,9 @@ allow_saslauthd_read_shadow = false
 # 
 allow_smbd_anon_write = false
 
-# Allow sysadm to ptrace all processes
+# Deny all processes the ability to ptrace other processes
 # 
-allow_ptrace = false
+deny_ptrace = false
 
 # Allow system to run with NIS
 # 
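Review bot: The boolean name flips polarity at L150–L151 but the value does not: the MLS default goes from `allow_ptrace = false` to `deny_ptrace = false`, which read literally turns the MLS default from "ptrace not granted" into "ptrace not denied". If the intent is to keep MLS at least as strict as before, this line should read `deny_ptrace = true`; if the two booleans do not map onto each other that way, a comment above the line saying so would stop the next reader from drawing the same conclusion. The comment at L148 should also name allow_ptrace as the setting this replaces, since anything that still runs `setsebool allow_ptrace` will now fail on an unknown boolean.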
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index d564050..2477bd2 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -210,9 +210,9 @@ allow_daemons_use_tty = false
 # 
 allow_polyinstantiation = false
 
-# Allow confined domains to ptrace them selves
+# Deny all processes the ability to ptrace other processes
 # 
-allow_ptrace = true
+deny_ptrace = false
 
 # Allow all domains to dump core
 # 
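Review bot: `deny_ptrace = false` at L167 means the lockdown described in the commit title is opt-in on the targeted policy, yet the comment at L164 reads as if it were in force. State the default and the migration in the comment, e.g. `# Deny all processes the ability to ptrace other processes (replaces allow_ptrace; off by default, set to true to harden)`. It is also worth noting in the same comment that ptrace-based tooling (debuggers, strace, crash handlers) will presumably stop working for affected domains once it is on, so administrators know what they are trading for the hardening.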
@@ -267,6 +267,10 @@ unconfined_mozilla_plugin_transition=true
 # 
 unconfined_telepathy_transition=true
 
+# Allow unconfined domain to transition to chrome_sandbox confined domain
+# 
+unconfined_chrome_sandbox_transition=true
+
 # Allow telepathy domains to connect to all network ports
 # 
 telepathy_tcp_connect_generic_network_ports=true
diff --git a/policy-F16.patch b/policy-F16.patch
index 7ae3dcf..1eb543f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -540,7 +540,7 @@ index 63eb96b..17a9f6d 100644
  ## <summary>
  ##	Execute bootloader interactively and do
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..9152065 100644
+index d3da8f2..9e5a1d0 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
 @@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -552,12 +552,55 @@ index d3da8f2..9152065 100644
  
  #
  # The temp file is used for initrd creation;
-@@ -116,18 +116,18 @@ init_rw_script_pipes(bootloader_t)
+@@ -38,7 +38,7 @@ dev_node(bootloader_tmp_t)
+ # bootloader local policy
+ #
+ 
+-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
++allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
+ allow bootloader_t self:process { signal_perms execmem };
+ allow bootloader_t self:fifo_file rw_fifo_file_perms;
+ 
+@@ -78,6 +78,7 @@ dev_rw_nvram(bootloader_t)
+ 
+ fs_getattr_xattr_fs(bootloader_t)
+ fs_getattr_tmpfs(bootloader_t)
++fs_list_hugetlbfs(bootloader_t)
+ fs_read_tmpfs_symlinks(bootloader_t)
+ #Needed for ia64
+ fs_manage_dos_files(bootloader_t)
+@@ -86,6 +87,7 @@ mls_file_read_all_levels(bootloader_t)
+ mls_file_write_all_levels(bootloader_t)
+ 
+ term_getattr_all_ttys(bootloader_t)
++term_getattr_all_ptys(bootloader_t)
+ term_dontaudit_manage_pty_dirs(bootloader_t)
+ 
+ corecmd_exec_all_executables(bootloader_t)
+@@ -101,6 +103,7 @@ files_read_usr_src_files(bootloader_t)
+ files_read_usr_files(bootloader_t)
+ files_read_var_files(bootloader_t)
+ files_read_kernel_modules(bootloader_t)
++files_read_kernel_symbol_table(bootloader_t)
+ # for nscd
+ files_dontaudit_search_pids(bootloader_t)
+ # for blkid.tab
+@@ -108,6 +111,7 @@ files_manage_etc_runtime_files(bootloader_t)
+ files_etc_filetrans_etc_runtime(bootloader_t, file)
+ files_dontaudit_search_home(bootloader_t)
+ 
++
+ init_getattr_initctl(bootloader_t)
+ init_use_script_ptys(bootloader_t)
+ init_use_script_fds(bootloader_t)
+@@ -115,19 +119,21 @@ init_rw_script_pipes(bootloader_t)
+ 
  libs_read_lib_files(bootloader_t)
  libs_exec_lib_files(bootloader_t)
- 
-+auth_use_nsswitch(bootloader_t)
++libs_use_ld_so(bootloader_t)
 +
++auth_use_nsswitch(bootloader_t)
+ 
  logging_send_syslog_msg(bootloader_t)
  logging_rw_generic_logs(bootloader_t)
  
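Review bot: `sys_chroot` joins bootloader_t's self:capability set at L205 with nothing recording which bootloader operation needs it, and the same hunk widens the domain with `term_getattr_all_ptys` (L221), `files_read_kernel_symbol_table` (L229) and `libs_use_ld_so` (L247); this file annotates its other grants (`#Needed for ia64`, `# for nscd`, `# for blkid.tab`), so the new ones should get the same treatment. Suggested line above L205: `# sys_chroot: <tool> chroots during <operation>` filled in from the denial that motivated it — I cannot tell from the hunk which tool that is. The added line at L237 is a stray blank that leaves a double blank line before `init_getattr_initctl`. The bootloader_t policy block continues outside this hunk.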
@@ -570,11 +613,12 @@ index d3da8f2..9152065 100644
  seutil_dontaudit_search_config(bootloader_t)
  
 -userdom_use_user_terminals(bootloader_t)
++userdom_getattr_user_tmpfs_files(bootloader_t)
 +userdom_use_inherited_user_terminals(bootloader_t)
  userdom_dontaudit_search_user_home_dirs(bootloader_t)
  
  ifdef(`distro_debian',`
-@@ -162,8 +162,10 @@ ifdef(`distro_redhat',`
+@@ -162,8 +168,10 @@ ifdef(`distro_redhat',`
  	files_manage_isid_type_blk_files(bootloader_t)
  	files_manage_isid_type_chr_files(bootloader_t)
  
@@ -587,7 +631,7 @@ index d3da8f2..9152065 100644
  
  	optional_policy(`
  		unconfined_domain(bootloader_t)
-@@ -171,6 +173,10 @@ ifdef(`distro_redhat',`
+@@ -171,6 +179,10 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -598,7 +642,24 @@ index d3da8f2..9152065 100644
  	fstools_exec(bootloader_t)
  ')
  
-@@ -197,10 +203,7 @@ optional_policy(`
+@@ -180,6 +192,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	gpm_getattr_gpmctl(bootloader_t)
++')
++
++optional_policy(`
+ 	kudzu_domtrans(bootloader_t)
+ ')
+ 
+@@ -192,15 +208,13 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	modutils_exec_insmod(bootloader_t)
++	modutils_list_module_config(bootloader_t)
+ 	modutils_read_module_deps(bootloader_t)
+ 	modutils_read_module_config(bootloader_t)
  	modutils_exec_insmod(bootloader_t)
  	modutils_exec_depmod(bootloader_t)
  	modutils_exec_update_mods(bootloader_t)
@@ -3828,10 +3889,18 @@ index 81fb26f..66cf96c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..4779a8d 100644
+index 441cf22..772a68e 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t)
+@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
+ 
+ kernel_read_system_state(chfn_t)
+ kernel_read_kernel_sysctls(chfn_t)
++kernel_dontaudit_getattr_core_if(chfn_t)
+ 
+ selinux_get_fs_mount(chfn_t)
+ selinux_validate_context(chfn_t)
+@@ -79,18 +80,17 @@ selinux_compute_create_context(chfn_t)
  selinux_compute_relabel_context(chfn_t)
  selinux_compute_user_contexts(chfn_t)
  
@@ -3854,7 +3923,15 @@ index 441cf22..4779a8d 100644
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(chfn_t)
-@@ -118,6 +117,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+@@ -105,6 +105,7 @@ files_dontaudit_search_home(chfn_t)
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it.  Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(chfn_t)
++init_dontaudit_getattr_initctl(chfn_t)
+ 
+ miscfiles_read_localization(chfn_t)
+ 
+@@ -118,6 +119,10 @@ userdom_use_unpriv_users_fds(chfn_t)
  # on user home dir
  userdom_dontaudit_search_user_home_content(chfn_t)
  
@@ -3865,7 +3942,7 @@ index 441cf22..4779a8d 100644
  ########################################
  #
  # Crack local policy
-@@ -194,8 +197,7 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +199,7 @@ selinux_compute_create_context(groupadd_t)
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
  
@@ -3875,7 +3952,7 @@ index 441cf22..4779a8d 100644
  
  init_use_fds(groupadd_t)
  init_read_utmp(groupadd_t)
-@@ -277,6 +279,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +281,7 @@ kernel_read_kernel_sysctls(passwd_t)
  
  # for SSP
  dev_read_urand(passwd_t)
@@ -3883,7 +3960,7 @@ index 441cf22..4779a8d 100644
  
  fs_getattr_xattr_fs(passwd_t)
  fs_search_auto_mountpoints(passwd_t)
-@@ -291,17 +294,18 @@ selinux_compute_create_context(passwd_t)
+@@ -291,17 +296,18 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -3906,7 +3983,7 @@ index 441cf22..4779a8d 100644
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -311,6 +315,8 @@ files_search_var(passwd_t)
+@@ -311,6 +317,8 @@ files_search_var(passwd_t)
  files_dontaudit_search_pids(passwd_t)
  files_relabel_etc_files(passwd_t)
  
@@ -3915,7 +3992,7 @@ index 441cf22..4779a8d 100644
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +329,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +331,7 @@ miscfiles_read_localization(passwd_t)
  
  seutil_dontaudit_search_config(passwd_t)
  
@@ -3924,7 +4001,7 @@ index 441cf22..4779a8d 100644
  userdom_use_unpriv_users_fds(passwd_t)
  # make sure that getcon succeeds
  userdom_getattr_all_users(passwd_t)
-@@ -332,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +340,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3932,7 +4009,7 @@ index 441cf22..4779a8d 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -381,8 +388,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +390,7 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -3942,7 +4019,7 @@ index 441cf22..4779a8d 100644
  
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +432,7 @@ optional_policy(`
+@@ -426,7 +434,7 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -3951,7 +4028,7 @@ index 441cf22..4779a8d 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -448,8 +454,12 @@ corecmd_exec_shell(useradd_t)
+@@ -448,8 +456,12 @@ corecmd_exec_shell(useradd_t)
  # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
  corecmd_exec_bin(useradd_t)
  
@@ -3964,7 +4041,7 @@ index 441cf22..4779a8d 100644
  
  files_manage_etc_files(useradd_t)
  files_search_var_lib(useradd_t)
-@@ -460,6 +470,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,6 +472,7 @@ fs_search_auto_mountpoints(useradd_t)
  fs_getattr_xattr_fs(useradd_t)
  
  mls_file_upgrade(useradd_t)
@@ -3972,7 +4049,7 @@ index 441cf22..4779a8d 100644
  
  # Allow access to context for shadow file
  selinux_get_fs_mount(useradd_t)
-@@ -469,8 +480,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +482,7 @@ selinux_compute_create_context(useradd_t)
  selinux_compute_relabel_context(useradd_t)
  selinux_compute_user_contexts(useradd_t)
  
@@ -3982,7 +4059,7 @@ index 441cf22..4779a8d 100644
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -498,21 +508,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +510,11 @@ seutil_domtrans_setfiles(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -4953,10 +5030,10 @@ index 00a19e3..9f6139c 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..89acd12 100644
+index f5afe78..47c5063 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,786 @@
+@@ -1,44 +1,787 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -5065,6 +5142,7 @@ index f5afe78..89acd12 100644
 +		dbus_session_bus_client($1_gkeyringd_t)
 +		gnome_home_dir_filetrans($1_gkeyringd_t)
 +		gnome_manage_generic_home_dirs($1_gkeyringd_t)
++		gnome_read_generic_data_home_files($1_gkeyringd_t)
 +
 +		optional_policy(`
 +			telepathy_mission_control_read_state($1_gkeyringd_t)
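Review bot: `gnome_read_generic_data_home_files($1_gkeyringd_t)` at L466 lets each user's keyring daemon read every file labelled as generic GNOME data under the home directory, not only its own store, and nothing in the hunk says which file it was denied on. If the keyring only needs its own directory, a keyring-specific type or the `gnome_manage_generic_home_dirs` grant on the line above may already be the right scope — I cannot tell from here; otherwise a comment such as `# gkeyringd reads <path> under ~/.local/share` would document why the wider read is needed. The enclosing template starts and ends outside this hunk.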
@@ -5761,7 +5839,7 @@ index f5afe78..89acd12 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +788,60 @@ interface(`gnome_role',`
+@@ -46,37 +789,60 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -5833,7 +5911,7 @@ index f5afe78..89acd12 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +849,38 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +850,38 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -5883,7 +5961,7 @@ index f5afe78..89acd12 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +888,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +889,17 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -5905,7 +5983,7 @@ index f5afe78..89acd12 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +906,335 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +907,335 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -6590,7 +6668,7 @@ index 40e0a2a..93d212c 100644
  ## <summary>
  ##	Send generic signals to user gpg processes.
 diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..3b10693 100644
+index 9050e8c..b5d4ca3 100644
 --- a/policy/modules/apps/gpg.te
 +++ b/policy/modules/apps/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -6665,7 +6743,7 @@ index 9050e8c..3b10693 100644
  
  mta_write_config(gpg_t)
  
-@@ -142,6 +161,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -142,6 +161,15 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -6674,10 +6752,14 @@ index 9050e8c..3b10693 100644
 +')
 +
 +optional_policy(`
++	mta_read_spool(gpg_t)
++')
++
++optional_policy(`
  	mozilla_read_user_home_files(gpg_t)
  	mozilla_write_user_home_files(gpg_t)
  ')
-@@ -151,10 +175,10 @@ optional_policy(`
+@@ -151,10 +179,10 @@ optional_policy(`
  	xserver_rw_xdm_pipes(gpg_t)
  ')
  
@@ -6692,7 +6774,7 @@ index 9050e8c..3b10693 100644
  
  ########################################
  #
-@@ -191,7 +215,7 @@ files_read_etc_files(gpg_helper_t)
+@@ -191,7 +219,7 @@ files_read_etc_files(gpg_helper_t)
  
  auth_use_nsswitch(gpg_helper_t)
  
@@ -6701,7 +6783,7 @@ index 9050e8c..3b10693 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,11 +233,12 @@ tunable_policy(`use_samba_home_dirs',`
  #
  # GPG agent local policy
  #
@@ -6715,7 +6797,7 @@ index 9050e8c..3b10693 100644
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
  # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-@@ -239,19 +264,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+@@ -239,19 +268,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
  miscfiles_read_localization(gpg_agent_t)
  
  # Write to the user domain tty.
@@ -6738,7 +6820,7 @@ index 9050e8c..3b10693 100644
  	userdom_manage_user_home_content_dirs(gpg_agent_t)
  	userdom_manage_user_home_content_files(gpg_agent_t)
  ')
-@@ -332,6 +358,10 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -332,6 +362,10 @@ miscfiles_read_localization(gpg_pinentry_t)
  # for .Xauthority
  userdom_read_user_home_content_files(gpg_pinentry_t)
  userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -6749,7 +6831,7 @@ index 9050e8c..3b10693 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +372,21 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -342,11 +376,21 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -6771,7 +6853,7 @@ index 9050e8c..3b10693 100644
  	pulseaudio_exec(gpg_pinentry_t)
  	pulseaudio_rw_home_files(gpg_pinentry_t)
  	pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +396,28 @@ optional_policy(`
+@@ -356,4 +400,28 @@ optional_policy(`
  
  optional_policy(`
  	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -8477,10 +8559,10 @@ index 0000000..1925bd9
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..9bf1dd8
+index 0000000..008fbe3
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,338 @@
+@@ -0,0 +1,340 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -8557,6 +8639,7 @@ index 0000000..9bf1dd8
 +	
 +tunable_policy(`nsplugin_can_network',`
 +	corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
++	corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
 +')
 +
 +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
@@ -8670,6 +8753,7 @@ index 0000000..9bf1dd8
 +	gnome_exec_gconf(nsplugin_t)
 +	gnome_manage_config(nsplugin_t)
 +	gnome_read_gconf_home_files(nsplugin_t)
++	gnome_read_usr_config(nsplugin_t)
 +')
 +
 +optional_policy(`
@@ -9393,10 +9477,10 @@ index 4c091ca..a58f123 100644
 +
 +/usr/libexec/rssh_chroot_helper		--	gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
 diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..c4ee834 100644
+index f594e12..2025c1f 100644
 --- a/policy/modules/apps/sambagui.te
 +++ b/policy/modules/apps/sambagui.te
-@@ -27,6 +27,7 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,11 +27,13 @@ corecmd_exec_bin(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
  
@@ -9404,7 +9488,13 @@ index f594e12..c4ee834 100644
  files_read_etc_files(sambagui_t)
  files_search_var_lib(sambagui_t)
  files_read_usr_files(sambagui_t)
-@@ -56,6 +57,7 @@ optional_policy(`
+ 
+ auth_use_nsswitch(sambagui_t)
++auth_dontaudit_read_shadow(sambagui_t)
+ 
+ logging_send_syslog_msg(sambagui_t)
+ 
+@@ -56,6 +58,7 @@ optional_policy(`
  	samba_manage_var_files(sambagui_t)
  	samba_read_secrets(sambagui_t)
  	samba_initrc_domtrans(sambagui_t)
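Review bot: `auth_dontaudit_read_shadow(sambagui_t)` at L643 silences attempts by the Samba configuration GUI to read the shadow file, and a read attempt on /etc/shadow is exactly the kind of denial an incident responder wants kept in the audit log. If the attempt is a known side effect of a library the GUI links (an authentication or name-service probe, for instance), record that in a comment above the rule, e.g. `# <library> probes /etc/shadow on startup; access is not needed, silence the denial`; if nobody can name the cause, leave the denial audited rather than hide it. The sambagui_t block continues outside this hunk.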
@@ -10921,7 +11011,7 @@ index 3cfb128..d49274d 100644
 +	gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..b4888b3 100644
+index 2533ea0..6de0d2d 100644
 --- a/policy/modules/apps/telepathy.te
 +++ b/policy/modules/apps/telepathy.te
 @@ -26,12 +26,18 @@ attribute telepathy_executable;
@@ -11019,12 +11109,22 @@ index 2533ea0..b4888b3 100644
  
  dev_read_rand(telepathy_mission_control_t)
  
-@@ -194,6 +230,16 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -194,6 +230,26 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(telepathy_mission_control_t)
  ')
  
 +optional_policy(`
-+	gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
++	dbus_system_bus_client(telepathy_mission_control_t)
++
++	optional_policy(`
++		devicekit_dbus_chat_power(telepathy_mission_control_t)
++	')
++	optional_policy(`
++		gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
++	')
++	optional_policy(`
++		networkmanager_dbus_chat(telepathy_mission_control_t)
++	')
 +')
 +
 +# ~/.cache/.mc_connections.
@@ -11036,7 +11136,7 @@ index 2533ea0..b4888b3 100644
  #######################################
  #
  # Telepathy Butterfly and Haze local policy.
-@@ -205,8 +251,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +261,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
  manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -11048,7 +11148,7 @@ index 2533ea0..b4888b3 100644
  
  corenet_all_recvfrom_netlabel(telepathy_msn_t)
  corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +295,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +305,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
  ')
  
  optional_policy(`
@@ -11059,7 +11159,7 @@ index 2533ea0..b4888b3 100644
  	dbus_system_bus_client(telepathy_msn_t)
  
  	optional_policy(`
-@@ -361,14 +414,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,14 +424,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
  allow telepathy_domain self:tcp_socket create_socket_perms;
  allow telepathy_domain self:udp_socket create_socket_perms;
  
@@ -11078,7 +11178,7 @@ index 2533ea0..b4888b3 100644
  miscfiles_read_localization(telepathy_domain)
  
  optional_policy(`
-@@ -376,5 +431,23 @@ optional_policy(`
+@@ -376,5 +441,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12125,7 +12225,7 @@ index 9e9263a..59c2125 100644
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..54e4c81 100644
+index 4f3b542..cf422f4 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
 @@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
@@ -12782,8 +12882,9 @@ index 4f3b542..54e4c81 100644
  	gen_require(`
 -		attribute port_type, reserved_port_type;
 +		attribute unreserved_port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
 +	allow $1 unreserved_port_type:udp_socket name_bind;
 +')
 +
@@ -12800,9 +12901,8 @@ index 4f3b542..54e4c81 100644
 +interface(`corenet_tcp_bind_all_ephemeral_ports',`
 +	gen_require(`
 +		attribute ephemeral_port_type;
- 	')
- 
--	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
++	')
++
 +	allow $1 ephemeral_port_type:tcp_socket name_bind;
 +')
 +
@@ -12843,7 +12943,7 @@ index 4f3b542..54e4c81 100644
  ')
  
  ########################################
-@@ -1900,6 +2341,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+@@ -1900,6 +2341,42 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
  
  ########################################
  ## <summary>
@@ -12863,20 +12963,37 @@ index 4f3b542..54e4c81 100644
 +	allow $1 unreserved_port_type:dccp_socket name_connect;
 +')
 +
++#######################################
++## <summary>
++##  Connect TCP sockets to ports > 1024.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`corenet_tcp_connect_unreserved_ports',`
++    gen_require(`
++        type unreserved_port_t;
++    ')
++
++    allow $1 unreserved_port_t:tcp_socket name_connect;
++')
++
 +########################################
 +## <summary>
  ##	Connect TCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
-@@ -1910,10 +2369,47 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+@@ -1910,10 +2387,47 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
  #
  interface(`corenet_tcp_connect_all_unreserved_ports',`
  	gen_require(`
 -		attribute port_type, reserved_port_type;
 +		attribute unreserved_port_type;
- 	')
- 
--	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
++	')
++
 +	allow $1 unreserved_port_type:tcp_socket name_connect;
 +')
 +
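Review bot: The new `corenet_tcp_connect_unreserved_ports` interface at L777–L783 is indented with spaces while the rest of the file uses tabs (compare L794–L796), its header rule at L767 is one `#` shorter than the others, and its summary at L769 (`Connect TCP sockets to ports > 1024.`) is nearly the same as the one for `corenet_tcp_connect_all_unreserved_ports` at L787 even though the two differ in scope: this one grants only the single type `unreserved_port_t`, the other the whole `unreserved_port_type` attribute. Reword the summary to `##	Connect TCP sockets to the generic unreserved port type (unreserved_port_t only; use corenet_tcp_connect_all_unreserved_ports for every port > 1024).` and convert the body to tabs so the two read as deliberately different. Callers should also be aware that a port later given its own type stops matching unreserved_port_t, which is the narrower behaviour this interface presumably exists to provide.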
@@ -12912,13 +13029,14 @@ index 4f3b542..54e4c81 100644
 +interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',`
 +	gen_require(`
 +		attribute reserved_port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
 +	dontaudit $1 reserved_port_type:dccp_socket name_connect;
  ')
  
  ########################################
-@@ -1937,6 +2433,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
+@@ -1937,6 +2451,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
  
  ########################################
  ## <summary>
@@ -12943,7 +13061,7 @@ index 4f3b542..54e4c81 100644
  ##	Connect TCP sockets to rpc ports.
  ## </summary>
  ## <param name="domain">
-@@ -1955,6 +2469,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
+@@ -1955,6 +2487,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -12969,7 +13087,7 @@ index 4f3b542..54e4c81 100644
  ##	Do not audit attempts to connect TCP sockets
  ##	all rpc ports.
  ## </summary>
-@@ -1993,6 +2526,24 @@ interface(`corenet_rw_tun_tap_dev',`
+@@ -1993,6 +2544,24 @@ interface(`corenet_rw_tun_tap_dev',`
  
  ########################################
  ## <summary>
@@ -12994,7 +13112,7 @@ index 4f3b542..54e4c81 100644
  ##	Do not audit attempts to read or write the TUN/TAP
  ##	virtual network device.
  ## </summary>
-@@ -2049,6 +2600,25 @@ interface(`corenet_rw_ppp_dev',`
+@@ -2049,6 +2618,25 @@ interface(`corenet_rw_ppp_dev',`
  
  ########################################
  ## <summary>
@@ -13020,7 +13138,7 @@ index 4f3b542..54e4c81 100644
  ##	Bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2068,6 +2638,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
+@@ -2068,6 +2656,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',`
  
  ########################################
  ## <summary>
@@ -13045,7 +13163,7 @@ index 4f3b542..54e4c81 100644
  ##	Do not audit attempts to bind TCP sockets to all RPC ports.
  ## </summary>
  ## <param name="domain">
-@@ -2194,6 +2782,25 @@ interface(`corenet_tcp_recv_netlabel',`
+@@ -2194,6 +2800,25 @@ interface(`corenet_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -13071,7 +13189,7 @@ index 4f3b542..54e4c81 100644
  ##	Receive TCP packets from a NetLabel connection.
  ## </summary>
  ## <param name="domain">
-@@ -2213,6 +2820,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2213,6 +2838,31 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -13103,7 +13221,7 @@ index 4f3b542..54e4c81 100644
  ##	Receive TCP packets from an unlabled connection.
  ## </summary>
  ## <param name="domain">
-@@ -2222,9 +2854,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2222,9 +2872,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_tcp_recvfrom_unlabeled',`
@@ -13118,7 +13236,7 @@ index 4f3b542..54e4c81 100644
  	# XXX - at some point the oubound/send access check will be removed
  	# but for right now we need to keep this in place so as not to break
  	# older systems
-@@ -2249,6 +2886,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
+@@ -2249,6 +2904,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
  
  ########################################
  ## <summary>
@@ -13145,7 +13263,7 @@ index 4f3b542..54e4c81 100644
  ##	Do not audit attempts to receive TCP packets from a NetLabel
  ##	connection.
  ## </summary>
-@@ -2269,6 +2926,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+@@ -2269,6 +2944,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
  
  ########################################
  ## <summary>
@@ -13173,7 +13291,7 @@ index 4f3b542..54e4c81 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2533,6 +3211,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+@@ -2533,6 +3229,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`corenet_all_recvfrom_unlabeled',`
@@ -13181,7 +13299,7 @@ index 4f3b542..54e4c81 100644
  	kernel_tcp_recvfrom_unlabeled($1)
  	kernel_udp_recvfrom_unlabeled($1)
  	kernel_raw_recvfrom_unlabeled($1)
-@@ -2571,7 +3250,31 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2571,7 +3268,31 @@ interface(`corenet_all_recvfrom_netlabel',`
  	')
  
  	allow $1 netlabel_peer_t:peer recv;
@@ -13214,7 +13332,7 @@ index 4f3b542..54e4c81 100644
  ')
  
  ########################################
-@@ -2585,6 +3288,7 @@ interface(`corenet_all_recvfrom_netlabel',`
+@@ -2585,6 +3306,7 @@ interface(`corenet_all_recvfrom_netlabel',`
  ## </param>
  #
  interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
@@ -13222,7 +13340,7 @@ index 4f3b542..54e4c81 100644
  	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
  	kernel_dontaudit_udp_recvfrom_unlabeled($1)
  	kernel_dontaudit_raw_recvfrom_unlabeled($1)
-@@ -2613,7 +3317,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+@@ -2613,7 +3335,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
  	')
  
  	dontaudit $1 netlabel_peer_t:peer recv;
@@ -13259,7 +13377,7 @@ index 4f3b542..54e4c81 100644
  ')
  
  ########################################
-@@ -2727,6 +3459,7 @@ interface(`corenet_raw_recvfrom_labeled',`
+@@ -2727,6 +3477,7 @@ interface(`corenet_raw_recvfrom_labeled',`
  ## </param>
  #
  interface(`corenet_all_recvfrom_labeled',`
@@ -15080,10 +15198,45 @@ index 08f01e7..1c2562c 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..cf3d50b 100644
+index 6a1e4d1..3ded83e 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
-@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',`
+@@ -75,34 +75,6 @@ interface(`domain_base_type',`
+ interface(`domain_type',`
+ 	# start with basic domain
+ 	domain_base_type($1)
+-
+-	ifdef(`distro_redhat',`
+-		optional_policy(`
+-			unconfined_use_fds($1)
+-		')
+-	')
+-
+-	# send init a sigchld and signull
+-	optional_policy(`
+-		init_sigchld($1)
+-		init_signull($1)
+-	')
+-
+-	# these seem questionable:
+-
+-	optional_policy(`
+-		rpm_use_fds($1)
+-		rpm_read_pipes($1)
+-	')
+-
+-	optional_policy(`
+-		selinux_dontaudit_getattr_fs($1)
+-		selinux_dontaudit_read_fs($1)
+-	')
+-
+-	optional_policy(`
+-		seutil_dontaudit_read_config($1)
+-	')
+ ')
+ 
+ ########################################
+@@ -631,7 +603,7 @@ interface(`domain_read_all_domains_state',`
  
  ########################################
  ## <summary>
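Review bot: The rules removed from `domain_type()` in this hunk come back in the later policy/modules/kernel/domain.te hunk keyed on the `domain` attribute, which widens who receives them: `domain_type()` is layered on `domain_base_type($1)`, so if `domain_base_type` is what assigns the `domain` attribute, types built with `domain_base_type` alone — which previously did not get `unconfined_use_fds`, `rpm_use_fds`/`rpm_read_pipes` or the init signal rules — now do. If that widening is intended, record it on the domain.te block with `# formerly applied per type by domain_type(); now covers every type carrying the domain attribute`; if it is not, the moved rules should be keyed on a narrower attribute. The `# these seem questionable:` comment was carried over verbatim and now labels rules applied unconditionally to every domain, so it should either be resolved or say what is questionable about them.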
@@ -15092,7 +15245,7 @@ index 6a1e4d1..cf3d50b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -655,7 +655,7 @@ interface(`domain_getattr_all_domains',`
+@@ -655,7 +627,7 @@ interface(`domain_getattr_all_domains',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15101,7 +15254,7 @@ index 6a1e4d1..cf3d50b 100644
  ##	</summary>
  ## </param>
  #
-@@ -1530,4 +1530,29 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1502,29 @@ interface(`domain_unconfined',`
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
@@ -15132,7 +15285,7 @@ index 6a1e4d1..cf3d50b 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..00e20f7 100644
+index fae1ab1..db2a183 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -15225,7 +15378,7 @@ index fae1ab1..00e20f7 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +197,91 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,118 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -15317,6 +15470,33 @@ index fae1ab1..00e20f7 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 +
++ifdef(`distro_redhat',`
++	optional_policy(`
++		unconfined_use_fds(domain)
++	')
++')
++
++# send init a sigchld and signull
++optional_policy(`
++	init_sigchld(domain)
++	init_signull(domain)
++')
++
++# these seem questionable:
++
++optional_policy(`
++	rpm_use_fds(domain)
++	rpm_read_pipes(domain)
++')
++
++optional_policy(`
++	selinux_dontaudit_getattr_fs(domain)
++	selinux_dontaudit_read_fs(domain)
++')
++
++optional_policy(`
++	seutil_dontaudit_read_config(domain)
++')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
 index c19518a..12e8e9c 100644
 --- a/policy/modules/kernel/files.fc
@@ -17335,7 +17515,7 @@ index 22821ff..20251b0 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..a75dbe4 100644
+index 97fcdac..e5652a1 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -17818,7 +17998,33 @@ index 97fcdac..a75dbe4 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4457,6 +4732,8 @@ interface(`fs_mount_all_fs',`
+@@ -4251,6 +4526,25 @@ interface(`fs_manage_tmpfs_files',`
+ 
+ ########################################
+ ## <summary>
++##	Execute files on a tmpfs filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_exec_tmpfs_files',`
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	exec_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++## <summary>
+ ##	Read and write, create and delete symbolic
+ ##	links on tmpfs filesystems.
+ ## </summary>
+@@ -4457,6 +4751,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
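Review bot: The new `fs_exec_tmpfs_files` interface grants execute on everything labelled `tmpfs_t` with no tunable around it, and its summary `Execute files on a tmpfs filesystem.` does not tell a caller how broad that is. Generic tmpfs mounts (shared-memory directories, for example) are typically writable by unprivileged users, so a domain given this interface can execute code that any local user could place there; it deserves the same scrutiny as an execmem grant. I would extend the doc block with `##	Use with care: tmpfs_t also labels user-writable shared-memory mounts, so this permits running user-supplied code.` and, if the caller only needs one tmpfs subtree, prefer a dedicated type for that subtree. The `<rolecap/>` tag is unusual for an exec interface — confirm it is meant to be exposed through role interfaces.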
@@ -17827,7 +18033,7 @@ index 97fcdac..a75dbe4 100644
  ')
  
  ########################################
-@@ -4503,7 +4780,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4799,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -17836,7 +18042,7 @@ index 97fcdac..a75dbe4 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5143,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5162,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -20250,10 +20456,10 @@ index 2be17d2..bfabe3f 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..7cd6d4f 100644
+index e14b961..80db5fc 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,51 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,47 @@ ifndef(`enable_mls',`
  #
  # Local policy
  #
@@ -20293,11 +20499,7 @@ index e14b961..7cd6d4f 100644
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
  userdom_home_filetrans_user_home_dir(sysadm_t)
-+userdom_manage_user_tmp_dirs(sysadm_t)
-+userdom_manage_user_tmp_files(sysadm_t)
-+userdom_manage_user_tmp_symlinks(sysadm_t)
-+userdom_manage_user_tmp_chr_files(sysadm_t)
-+userdom_manage_user_tmp_blk_files(sysadm_t)
++userdom_manage_tmp_role(sysadm_r, sysadm_t)
 +
 +optional_policy(`
 +	ssh_filetrans_admin_home_content(sysadm_t)
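Review bot: `userdom_manage_tmp_role(sysadm_r, sysadm_t)` replaces five explicit grants (user tmp dirs, files, symlinks, chr_files and blk_files), and its definition is not on this page, so it cannot be confirmed here that the replacement is like-for-like. It also takes a role argument the five lines did not need, which suggests it may add role or type transitions beyond manage permissions. A short comment on the call, `# replaces userdom_manage_user_tmp_{dirs,files,symlinks,chr_files,blk_files}`, would let the next reader check the interface body against what sysadm_t actually requires — in particular whether sysadm_t needs to manage device nodes under user tmp at all. The enclosing policy block continues outside the hunk.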
@@ -20305,7 +20507,7 @@ index e14b961..7cd6d4f 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,6 +86,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +82,7 @@ ifndef(`enable_mls',`
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r)
@@ -20313,7 +20515,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  tunable_policy(`allow_ptrace',`
-@@ -67,9 +99,9 @@ optional_policy(`
+@@ -67,9 +95,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
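Review bot: `tunable_policy(`allow_ptrace',` still appears as unchanged context in this sysadm.te hunk even though the commit title says allow_ptrace is removed and replaced by deny_ptrace. If the boolean is dropped elsewhere (the ptrace.patch section is not on this page), this block in sysadm.te must be removed or rewritten in the same series, otherwise the module references a tunable that no longer exists. A line in the commit description naming which patch carries the sysadm.te side of the rename would make that easy to check.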
@@ -20324,7 +20526,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -98,6 +130,10 @@ optional_policy(`
+@@ -98,6 +126,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20335,7 +20537,7 @@ index e14b961..7cd6d4f 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -110,11 +146,19 @@ optional_policy(`
+@@ -110,11 +142,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20356,7 +20558,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -128,6 +172,10 @@ optional_policy(`
+@@ -128,6 +168,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20367,7 +20569,7 @@ index e14b961..7cd6d4f 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -163,6 +211,13 @@ optional_policy(`
+@@ -163,6 +207,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -20381,7 +20583,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -170,15 +225,20 @@ optional_policy(`
+@@ -170,15 +221,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20405,7 +20607,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -198,22 +258,19 @@ optional_policy(`
+@@ -198,22 +254,19 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -20433,7 +20635,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -225,25 +282,47 @@ optional_policy(`
+@@ -225,25 +278,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20481,7 +20683,7 @@ index e14b961..7cd6d4f 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
  ')
-@@ -253,19 +332,19 @@ optional_policy(`
+@@ -253,19 +328,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20505,7 +20707,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -274,10 +353,7 @@ optional_policy(`
+@@ -274,10 +349,7 @@ optional_policy(`
  
  optional_policy(`
  	rpm_run(sysadm_t, sysadm_r)
@@ -20517,7 +20719,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -302,12 +378,18 @@ optional_policy(`
+@@ -302,12 +374,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20537,7 +20739,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -332,7 +414,10 @@ optional_policy(`
+@@ -332,7 +410,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20549,7 +20751,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -343,19 +428,15 @@ optional_policy(`
+@@ -343,19 +424,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20571,7 +20773,7 @@ index e14b961..7cd6d4f 100644
  ')
  
  optional_policy(`
-@@ -367,45 +448,45 @@ optional_policy(`
+@@ -367,45 +444,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20628,7 +20830,7 @@ index e14b961..7cd6d4f 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +499,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +495,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20639,7 +20841,7 @@ index e14b961..7cd6d4f 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +516,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +512,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -20647,7 +20849,7 @@ index e14b961..7cd6d4f 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +524,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +520,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -25661,10 +25863,10 @@ index 59aa54f..f944a65 100644
  /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
  /usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..f5c476a 100644
+index 44a1e3d..7802b7b 100644
 --- a/policy/modules/services/bind.if
 +++ b/policy/modules/services/bind.if
-@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
+@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -25683,7 +25885,6 @@ index 44a1e3d..f5c476a 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 named_unit_file_t:file read_file_perms;
 +	allow $1 named_unit_file_t:service all_service_perms;
 +
@@ -25695,7 +25896,7 @@ index 44a1e3d..f5c476a 100644
  ##	Execute ndc in the ndc domain.
  ## </summary>
  ## <param name="domain">
-@@ -186,7 +210,7 @@ interface(`bind_write_config',`
+@@ -186,7 +209,7 @@ interface(`bind_write_config',`
  	')
  
  	write_files_pattern($1, named_conf_t, named_conf_t)
@@ -25704,7 +25905,7 @@ index 44a1e3d..f5c476a 100644
  ')
  
  ########################################
-@@ -266,7 +290,7 @@ interface(`bind_setattr_pid_dirs',`
+@@ -266,7 +289,7 @@ interface(`bind_setattr_pid_dirs',`
  		type named_var_run_t;
  	')
  
@@ -25713,7 +25914,7 @@ index 44a1e3d..f5c476a 100644
  ')
  
  ########################################
-@@ -284,7 +308,7 @@ interface(`bind_setattr_zone_dirs',`
+@@ -284,7 +307,7 @@ interface(`bind_setattr_zone_dirs',`
  		type named_zone_t;
  	')
  
@@ -25722,7 +25923,7 @@ index 44a1e3d..f5c476a 100644
  ')
  
  ########################################
-@@ -308,6 +332,27 @@ interface(`bind_read_zone',`
+@@ -308,6 +331,27 @@ interface(`bind_read_zone',`
  
  ########################################
  ## <summary>
@@ -25750,7 +25951,7 @@ index 44a1e3d..f5c476a 100644
  ##	Manage BIND zone files.
  ## </summary>
  ## <param name="domain">
-@@ -359,10 +404,9 @@ interface(`bind_udp_chat_named',`
+@@ -359,10 +403,9 @@ interface(`bind_udp_chat_named',`
  interface(`bind_admin',`
  	gen_require(`
  		type named_t, named_tmp_t, named_log_t;
@@ -25764,7 +25965,7 @@ index 44a1e3d..f5c476a 100644
  	')
  
  	allow $1 named_t:process { ptrace signal_perms };
-@@ -391,9 +435,10 @@ interface(`bind_admin',`
+@@ -391,9 +434,10 @@ interface(`bind_admin',`
  	admin_pattern($1, named_zone_t)
  	admin_pattern($1, dnssec_t)
  
@@ -27805,7 +28006,7 @@ index fd8cd0b..45096d8 100644
 +/var/run/chronyd(/.*)			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 +/var/run/chronyd\.sock			gen_context(system_u:object_r:chronyd_var_run_t,s0)
 diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..fecceac 100644
+index 9a0da94..714f905 100644
 --- a/policy/modules/services/chronyd.if
 +++ b/policy/modules/services/chronyd.if
 @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -27833,7 +28034,7 @@ index 9a0da94..fecceac 100644
  ####################################
  ## <summary>
  ##	Execute chronyd
-@@ -56,6 +74,126 @@ interface(`chronyd_read_log',`
+@@ -56,6 +74,125 @@ interface(`chronyd_read_log',`
  	read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
  ')
  
@@ -27912,7 +28113,6 @@ index 9a0da94..fecceac 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 chronyd_unit_file_t:file read_file_perms;
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
 +
@@ -27960,7 +28160,7 @@ index 9a0da94..fecceac 100644
  ####################################
  ## <summary>
  ##	All of the rules required to administrate
-@@ -75,9 +213,9 @@ interface(`chronyd_read_log',`
+@@ -75,9 +212,9 @@ interface(`chronyd_read_log',`
  #
  interface(`chronyd_admin',`
  	gen_require(`
@@ -27973,7 +28173,7 @@ index 9a0da94..fecceac 100644
  	')
  
  	allow $1 chronyd_t:process { ptrace signal_perms };
-@@ -88,18 +226,19 @@ interface(`chronyd_admin',`
+@@ -88,18 +225,19 @@ interface(`chronyd_admin',`
  	role_transition $2 chronyd_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -29061,10 +29261,10 @@ index 0000000..ed13d1e
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..1783fe6
+index 0000000..2ee2be0
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,77 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -29072,6 +29272,14 @@ index 0000000..1783fe6
 +# Declarations
 +#
 +
++## <desc>
++##  <p>
++##  Allow collectd to connect to the
++##  network using TCP.
++##  </p>
++## </desc>
++gen_tunable(collectd_can_network_connect, false)
++
 +type collectd_t;
 +type collectd_exec_t;
 +init_daemon_domain(collectd_t, collectd_exec_t)
@@ -29105,10 +29313,12 @@ index 0000000..1783fe6
 +domain_use_interactive_fds(collectd_t)
 +
 +kernel_read_network_state(collectd_t)
++kernel_read_net_sysctls(collectd_t)
 +kernel_read_system_state(collectd_t)
 +
 +dev_read_sysfs(collectd_t)
 +
++files_getattr_all_dirs(collectd_t)
 +files_read_etc_files(collectd_t)
 +files_read_usr_files(collectd_t)
 +
@@ -29120,6 +29330,12 @@ index 0000000..1783fe6
 +
 +sysnet_dns_name_resolve(collectd_t)
 +
++tunable_policy(`collectd_can_network_connect',`
++    corenet_tcp_connect_all_ports(collectd_t)
++    corenet_tcp_sendrecv_all_ports(collectd_t)
++    corenet_sendrecv_all_client_packets(collectd_t)
++')
++
 +optional_policy(`
 +	apache_content_template(collectd)
 +
@@ -29762,7 +29978,7 @@ index 2eefc08..6ea5693 100644
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..d972767 100644
+index 35241ed..445ced4 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -29977,7 +30193,7 @@ index 35241ed..d972767 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -322,6 +331,30 @@ interface(`cron_initrc_domtrans',`
+@@ -322,6 +331,29 @@ interface(`cron_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -29996,7 +30212,6 @@ index 35241ed..d972767 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 crond_unit_file_t:file read_file_perms;
 +	allow $1 crond_unit_file_t:service all_service_perms;
 +
@@ -30008,7 +30223,7 @@ index 35241ed..d972767 100644
  ##	Inherit and use a file descriptor
  ##	from the cron daemon.
  ## </summary>
-@@ -377,6 +410,47 @@ interface(`cron_read_pipes',`
+@@ -377,6 +409,47 @@ interface(`cron_read_pipes',`
  
  ########################################
  ## <summary>
@@ -30056,7 +30271,7 @@ index 35241ed..d972767 100644
  ##	Do not audit attempts to write cron daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
-@@ -390,6 +464,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +463,7 @@ interface(`cron_dontaudit_write_pipes',`
  		type crond_t;
  	')
  
@@ -30064,7 +30279,7 @@ index 35241ed..d972767 100644
  	dontaudit $1 crond_t:fifo_file write;
  ')
  
-@@ -408,7 +483,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +482,43 @@ interface(`cron_rw_pipes',`
  		type crond_t;
  	')
  
@@ -30109,7 +30324,7 @@ index 35241ed..d972767 100644
  ')
  
  ########################################
-@@ -468,6 +579,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +578,25 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -30135,7 +30350,7 @@ index 35241ed..d972767 100644
  ##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
-@@ -481,6 +611,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +610,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -30143,7 +30358,7 @@ index 35241ed..d972767 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -536,7 +667,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +666,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -30152,7 +30367,7 @@ index 35241ed..d972767 100644
  ')
  
  ########################################
-@@ -554,7 +685,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +684,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -30161,7 +30376,7 @@ index 35241ed..d972767 100644
  ')
  
  ########################################
-@@ -587,11 +718,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +717,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -30177,7 +30392,7 @@ index 35241ed..d972767 100644
  ')
  
  ########################################
-@@ -627,7 +761,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +760,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -30226,7 +30441,7 @@ index 35241ed..d972767 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..86ea0ba 100644
+index f7583ab..4100ff7 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -30591,7 +30806,7 @@ index f7583ab..86ea0ba 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,15 +545,24 @@ optional_policy(`
+@@ -456,15 +545,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30611,12 +30826,13 @@ index f7583ab..86ea0ba 100644
  ')
  
  optional_policy(`
++	mta_read_config(system_cronjob_t)
  	mta_send_mail(system_cronjob_t)
 +	mta_system_content(system_cron_spool_t)
  ')
  
  optional_policy(`
-@@ -480,7 +578,7 @@ optional_policy(`
+@@ -480,7 +579,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -30625,7 +30841,7 @@ index f7583ab..86ea0ba 100644
  ')
  
  optional_policy(`
-@@ -495,6 +593,7 @@ optional_policy(`
+@@ -495,6 +594,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -30633,7 +30849,7 @@ index f7583ab..86ea0ba 100644
  ')
  
  optional_policy(`
-@@ -502,7 +601,13 @@ optional_policy(`
+@@ -502,7 +602,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -30647,7 +30863,7 @@ index f7583ab..86ea0ba 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +700,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +701,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -31173,7 +31389,7 @@ index 305ddf4..173cd16 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..e6225d3 100644
+index 0f28095..825cafb 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -31224,7 +31440,15 @@ index 0f28095..e6225d3 100644
  
  kernel_read_system_state(cupsd_t)
  kernel_read_network_state(cupsd_t)
-@@ -270,12 +274,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -211,6 +215,7 @@ mls_rangetrans_target(cupsd_t)
+ mls_socket_write_all_levels(cupsd_t)
+ mls_fd_use_all_levels(cupsd_t)
+ 
++term_use_usb_ttys(cupsd_t)
+ term_use_unallocated_ttys(cupsd_t)
+ term_search_ptys(cupsd_t)
+ 
+@@ -270,12 +275,6 @@ files_dontaudit_list_home(cupsd_t)
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
@@ -31237,7 +31461,7 @@ index 0f28095..e6225d3 100644
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
  ')
-@@ -297,8 +295,10 @@ optional_policy(`
+@@ -297,8 +296,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -31248,7 +31472,7 @@ index 0f28095..e6225d3 100644
  	')
  ')
  
-@@ -311,10 +311,22 @@ optional_policy(`
+@@ -311,10 +312,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31271,7 +31495,7 @@ index 0f28095..e6225d3 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -371,8 +383,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +384,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -31282,7 +31506,7 @@ index 0f28095..e6225d3 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -393,6 +406,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +407,10 @@ dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
  dev_rw_generic_usb_dev(cupsd_config_t)
@@ -31293,7 +31517,7 @@ index 0f28095..e6225d3 100644
  
  files_search_all_mountpoints(cupsd_config_t)
  
-@@ -425,11 +442,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +443,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -31307,7 +31531,7 @@ index 0f28095..e6225d3 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +470,10 @@ optional_policy(`
+@@ -453,6 +471,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31318,7 +31542,7 @@ index 0f28095..e6225d3 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +488,10 @@ optional_policy(`
+@@ -467,6 +489,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31329,7 +31553,7 @@ index 0f28095..e6225d3 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -587,13 +612,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +613,17 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -31349,7 +31573,7 @@ index 0f28095..e6225d3 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +635,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(cups_pdf_t)
  ')
  
@@ -31360,7 +31584,7 @@ index 0f28095..e6225d3 100644
  ########################################
  #
  # HPLIP local policy
-@@ -639,7 +672,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -31369,7 +31593,7 @@ index 0f28095..e6225d3 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +718,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +719,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -31377,7 +31601,7 @@ index 0f28095..e6225d3 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -31909,7 +32133,7 @@ index 1a1becd..843d5fd 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..9540fee 100644
+index 1bff6ee..f0266a9 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -31971,7 +32195,20 @@ index 1bff6ee..9540fee 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +148,20 @@ optional_policy(`
+@@ -136,11 +143,33 @@ seutil_sigchld_newrole(system_dbusd_t)
+ userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
+ userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
+ 
++tunable_policy(`use_nfs_home_dirs',`
++    fs_read_nfs_files(system_dbusd_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++    fs_read_cifs_files(system_dbusd_t)
++')
++
+ optional_policy(`
+ 	bind_domtrans(system_dbusd_t)
  ')
  
  optional_policy(`
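Review bot: `fs_read_nfs_files(system_dbusd_t)` and `fs_read_cifs_files(system_dbusd_t)` are gated on the home-directory booleans, but if those interfaces act on the generic NFS/CIFS file types (their bodies are not on this page) the grant reaches every NFS or CIFS mount on the system, not only home directories. The system bus is a privileged, always-running daemon, so a one-line comment saying why it needs to read files there would help, e.g. `# system bus reads per-user service/config files that may live on a network home` — adjust to the actual denial that motivated this. Both blocks are also indented with spaces where the surrounding file uses tabs.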
@@ -31992,7 +32229,7 @@ index 1bff6ee..9540fee 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -151,12 +172,166 @@ optional_policy(`
+@@ -151,12 +180,166 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32048,9 +32285,9 @@ index 1bff6ee..9540fee 100644
 +')
 +
 +########################################
-+#
-+# session_bus_type rules
  #
++# session_bus_type rules
++#
 +dontaudit session_bus_type self:capability sys_resource;
 +allow session_bus_type self:process { getattr sigkill signal };
 +dontaudit session_bus_type self:process { ptrace setrlimit };
@@ -32135,7 +32372,7 @@ index 1bff6ee..9540fee 100644
 +	fs_manage_cifs_dirs(session_bus_type)
 +	fs_manage_cifs_files(session_bus_type)
 +')
- 
++
 +optional_policy(`
 +	gnome_read_gconf_home_files(session_bus_type)
 +')
@@ -32143,7 +32380,7 @@ index 1bff6ee..9540fee 100644
 +optional_policy(`
 +	hal_dbus_chat(session_bus_type)
 +')
-+
+ 
 +optional_policy(`
 +	xserver_search_xdm_lib(session_bus_type)
 +	xserver_use_xdm_fds(session_bus_type)
@@ -33825,10 +34062,10 @@ index b886676..ab3af9c 100644
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..f3c2d82 100644
+index 9bd812b..1bef72c 100644
 --- a/policy/modules/services/dnsmasq.if
 +++ b/policy/modules/services/dnsmasq.if
-@@ -41,6 +41,30 @@ interface(`dnsmasq_initrc_domtrans',`
+@@ -41,6 +41,29 @@ interface(`dnsmasq_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -33847,7 +34084,6 @@ index 9bd812b..f3c2d82 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 dnsmasq_unit_file_t:file read_file_perms;
 +	allow $1 dnsmasq_unit_file_t:service all_service_perms;
 +
@@ -33859,7 +34095,7 @@ index 9bd812b..f3c2d82 100644
  ##	Send dnsmasq a signal
  ## </summary>
  ## <param name="domain">
-@@ -101,9 +125,9 @@ interface(`dnsmasq_kill',`
+@@ -101,9 +124,9 @@ interface(`dnsmasq_kill',`
  ##	Read dnsmasq config files.
  ## </summary>
  ## <param name="domain">
@@ -33871,7 +34107,7 @@ index 9bd812b..f3c2d82 100644
  ## </param>
  #
  interface(`dnsmasq_read_config',`
-@@ -120,9 +144,9 @@ interface(`dnsmasq_read_config',`
+@@ -120,9 +143,9 @@ interface(`dnsmasq_read_config',`
  ##	Write to dnsmasq config files.
  ## </summary>
  ## <param name="domain">
@@ -33883,7 +34119,7 @@ index 9bd812b..f3c2d82 100644
  ## </param>
  #
  interface(`dnsmasq_write_config',`
-@@ -144,12 +168,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,12 +167,12 @@ interface(`dnsmasq_write_config',`
  ##	</summary>
  ## </param>
  #
@@ -33897,7 +34133,7 @@ index 9bd812b..f3c2d82 100644
  	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -163,17 +187,80 @@ interface(`dnsmasq_delete_pid_files',`
+@@ -163,17 +186,80 @@ interface(`dnsmasq_delete_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -33979,7 +34215,7 @@ index 9bd812b..f3c2d82 100644
  ##	All of the rules required to administrate
  ##	an dnsmasq environment
  ## </summary>
-@@ -208,4 +295,6 @@ interface(`dnsmasq_admin',`
+@@ -208,4 +294,6 @@ interface(`dnsmasq_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, dnsmasq_var_run_t)
@@ -35889,10 +36125,10 @@ index 69dcd2a..80eefd3 100644
  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 +/usr/libexec/webmin/vsftpd/webalizer/xfer_log 	--	gen_context(system_u:object_r:xferlog_t,s0)
 diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
-index 9d3201b..a8ad41e 100644
+index 9d3201b..7da7267 100644
 --- a/policy/modules/services/ftp.if
 +++ b/policy/modules/services/ftp.if
-@@ -1,5 +1,67 @@
+@@ -1,5 +1,66 @@
  ## <summary>File transfer protocol service</summary>
  
 +######################################
@@ -35950,7 +36186,6 @@ index 9d3201b..a8ad41e 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 ftpd_unit_file_t:file read_file_perms;
 +	allow $1 ftpd_unit_file_t:service all_service_perms;
 +
@@ -35960,7 +36195,7 @@ index 9d3201b..a8ad41e 100644
  #######################################
  ## <summary>
  ##	Allow domain dyntransition to sftpd_anon domain.
-@@ -203,4 +265,6 @@ interface(`ftp_admin',`
+@@ -203,4 +264,6 @@ interface(`ftp_admin',`
  
  	logging_list_logs($1)
  	admin_pattern($1, xferlog_t)
@@ -37482,10 +37717,10 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..95d52e4 100644
+index 4fde46b..86ba356 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
  #
  
  allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -37504,16 +37739,15 @@ index 4fde46b..95d52e4 100644
 +files_read_etc_runtime_files(gnomeclock_t)
  files_read_usr_files(gnomeclock_t)
  
+-auth_use_nsswitch(gnomeclock_t)
 +fs_getattr_xattr_fs(gnomeclock_t)
-+
- auth_use_nsswitch(gnomeclock_t)
  
 -clock_domtrans(gnomeclock_t)
-+init_stream_send(gnomeclock_t)
++auth_use_nsswitch(gnomeclock_t)
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
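Review bot: `init_stream_send(gnomeclock_t)` is removed from the rules the patch adds for gnomeclock_t, and neither that removal nor the retained `sys_ptrace` on the context line `allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };` is explained by the commit message, which describes a ptrace cleanup rather than a change to gnomeclock's init access. If the stream-send rule is now granted elsewhere, a short comment at the spot where `auth_use_nsswitch(gnomeclock_t)` is reordered would make that traceable; if not, the removal looks like an unrelated behavioural change riding on this commit. The gnomeclock_te section continues beyond the hunk.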
@@ -39767,10 +40001,10 @@ index c62f23e..f8a4301 100644
  /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..2a407cd 100644
+index 3aa8fa7..40b10fa 100644
 --- a/policy/modules/services/ldap.if
 +++ b/policy/modules/services/ldap.if
-@@ -1,5 +1,65 @@
+@@ -1,5 +1,64 @@
  ## <summary>OpenLDAP directory server</summary>
  
 +#######################################
@@ -39826,7 +40060,6 @@ index 3aa8fa7..2a407cd 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 slapd_unit_file_t:file read_file_perms;
 +	allow $1 slapd_unit_file_t:service all_service_perms;
 +
@@ -39836,7 +40069,7 @@ index 3aa8fa7..2a407cd 100644
  ########################################
  ## <summary>
  ##	Read the contents of the OpenLDAP
-@@ -21,6 +81,25 @@ interface(`ldap_list_db',`
+@@ -21,6 +80,25 @@ interface(`ldap_list_db',`
  
  ########################################
  ## <summary>
@@ -39862,7 +40095,7 @@ index 3aa8fa7..2a407cd 100644
  ##	Read the OpenLDAP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -69,8 +148,7 @@ interface(`ldap_stream_connect',`
+@@ -69,8 +147,7 @@ interface(`ldap_stream_connect',`
  	')
  
  	files_search_pids($1)
@@ -39872,7 +40105,7 @@ index 3aa8fa7..2a407cd 100644
  ')
  
  ########################################
-@@ -110,6 +188,7 @@ interface(`ldap_admin',`
+@@ -110,6 +187,7 @@ interface(`ldap_admin',`
  
  	admin_pattern($1, slapd_lock_t)
  
@@ -39880,7 +40113,7 @@ index 3aa8fa7..2a407cd 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -117,4 +196,6 @@ interface(`ldap_admin',`
+@@ -117,4 +195,6 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -42252,7 +42485,7 @@ index 256166a..6321a93 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..f6c92f9 100644
+index 343cee3..fff3a52 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -42488,7 +42721,33 @@ index 343cee3..f6c92f9 100644
  ')
  
  #######################################
-@@ -697,8 +762,8 @@ interface(`mta_rw_spool',`
+@@ -680,6 +745,25 @@ interface(`mta_spool_filetrans',`
+ 	filetrans_pattern($1, mail_spool_t, $2, $3)
+ ')
+ 
++#######################################
++## <summary>
++##  Read the mail spool.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`mta_read_spool',`
++    gen_require(`
++        type mail_spool_t;
++    ')
++
++    files_search_spool($1)
++	read_files_pattern($1, mail_spool_t, mail_spool_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write the mail spool.
+@@ -697,8 +781,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
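Review bot: The new `mta_read_spool` interface grants `read_files_pattern($1, mail_spool_t, mail_spool_t)` but, unlike `mta_rw_spool` in the next hunk (`read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)`), no symlink read, so a caller that follows a symlinked spool entry will be denied where the rw interface succeeds; add `read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)` if that is meant to work. The body also mixes four-space and tab indentation (`    gen_require(` versus `	read_files_pattern(`) and the summary lines use `##  ` where the surrounding interfaces use `##	`; matching the file's tab style keeps later diffs clean.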
@@ -42499,7 +42758,7 @@ index 343cee3..f6c92f9 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +903,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +922,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -42508,7 +42767,7 @@ index 343cee3..f6c92f9 100644
  ')
  
  ########################################
-@@ -899,3 +964,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +983,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -43882,7 +44141,7 @@ index 386543b..47e1b41 100644
  
  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..ac2e779 100644
+index 2324d9e..8666a3c 100644
 --- a/policy/modules/services/networkmanager.if
 +++ b/policy/modules/services/networkmanager.if
 @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -43898,7 +44157,7 @@ index 2324d9e..ac2e779 100644
  ## </param>
  #
  interface(`networkmanager_attach_tun_iface',`
-@@ -116,6 +116,30 @@ interface(`networkmanager_initrc_domtrans',`
+@@ -116,6 +116,29 @@ interface(`networkmanager_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -43917,7 +44176,6 @@ index 2324d9e..ac2e779 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 NetworkManager_unit_file_t:file read_file_perms;
 +	allow $1 NetworkManager_unit_file_t:service all_service_perms;
 +
@@ -43929,7 +44187,7 @@ index 2324d9e..ac2e779 100644
  ##	Send and receive messages from
  ##	NetworkManager over dbus.
  ## </summary>
-@@ -137,6 +161,28 @@ interface(`networkmanager_dbus_chat',`
+@@ -137,6 +160,28 @@ interface(`networkmanager_dbus_chat',`
  
  ########################################
  ## <summary>
@@ -43958,7 +44216,7 @@ index 2324d9e..ac2e779 100644
  ##	Send a generic signal to NetworkManager
  ## </summary>
  ## <param name="domain">
-@@ -191,3 +237,77 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +236,77 @@ interface(`networkmanager_read_pid_files',`
  	files_search_pids($1)
  	allow $1 NetworkManager_var_run_t:file read_file_perms;
  ')
@@ -44284,7 +44542,7 @@ index 15448d5..3587f6a 100644
 +/lib/systemd/system/yppasswdd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 +/lib/systemd/system/ypxfrd\.service	--	gen_context(system_u:object_r:nis_unit_file_t,s0)
 diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..9e96501 100644
+index abe3f7f..2214d71 100644
 --- a/policy/modules/services/nis.if
 +++ b/policy/modules/services/nis.if
 @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -44338,7 +44596,7 @@ index abe3f7f..9e96501 100644
  ##	Read ypserv configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -337,6 +318,57 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -337,6 +318,55 @@ interface(`nis_initrc_domtrans_ypbind',`
  
  ########################################
  ## <summary>
@@ -44357,7 +44615,6 @@ index abe3f7f..9e96501 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 ypbind_unit_file_t:file read_file_perms;
 +	allow $1 ypbind_unit_file_t:service all_service_perms;
 +
@@ -44381,7 +44638,6 @@ index abe3f7f..9e96501 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 nis_unit_file_t:file read_file_perms;
 +	allow $1 nis_unit_file_t:service all_service_perms;
 +
@@ -44396,7 +44652,7 @@ index abe3f7f..9e96501 100644
  ##	All of the rules required to administrate
  ##	an nis environment
  ## </summary>
-@@ -354,10 +386,10 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,10 +384,10 @@ interface(`nis_initrc_domtrans_ypbind',`
  #
  interface(`nis_admin',`
  	gen_require(`
@@ -44409,7 +44665,7 @@ index abe3f7f..9e96501 100644
  	')
  
  	allow $1 ypbind_t:process { ptrace signal_perms };
-@@ -384,6 +416,7 @@ interface(`nis_admin',`
+@@ -384,6 +414,7 @@ interface(`nis_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, ypbind_var_run_t)
@@ -44417,7 +44673,7 @@ index abe3f7f..9e96501 100644
  
  	admin_pattern($1, yppasswdd_var_run_t)
  
-@@ -393,4 +426,5 @@ interface(`nis_admin',`
+@@ -393,4 +424,5 @@ interface(`nis_admin',`
  	admin_pattern($1, ypserv_tmp_t)
  
  	admin_pattern($1, ypserv_var_run_t)
@@ -44497,7 +44753,7 @@ index 4876cae..eabed96 100644
  allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
  allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
 diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..891d4ab 100644
+index 85188dc..56dd1f0 100644
 --- a/policy/modules/services/nscd.if
 +++ b/policy/modules/services/nscd.if
 @@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
@@ -44563,7 +44819,7 @@ index 85188dc..891d4ab 100644
  #
  interface(`nscd_run',`
  	gen_require(`
-@@ -254,6 +277,30 @@ interface(`nscd_initrc_domtrans',`
+@@ -254,6 +277,29 @@ interface(`nscd_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -44582,7 +44838,6 @@ index 85188dc..891d4ab 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 nscd_unit_file_t:file read_file_perms;
 +	allow $1 nscd_unit_file_t:service all_service_perms;
 +
@@ -44594,7 +44849,7 @@ index 85188dc..891d4ab 100644
  ##	All of the rules required to administrate 
  ##	an nscd environment
  ## </summary>
-@@ -288,4 +335,6 @@ interface(`nscd_admin',`
+@@ -288,4 +334,6 @@ interface(`nscd_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, nscd_var_run_t)
@@ -44795,10 +45050,10 @@ index e79dccc..50202ef 100644
  /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
  
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..c58528f 100644
+index e80f8c0..9e9091c 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
-@@ -98,6 +98,49 @@ interface(`ntp_initrc_domtrans',`
+@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',`
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  ')
  
@@ -44838,7 +45093,6 @@ index e80f8c0..c58528f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 ntpd_unit_file_t:file read_file_perms;
 +	allow $1 ntpd_unit_file_t:service all_service_perms;
 +
@@ -44848,7 +45102,7 @@ index e80f8c0..c58528f 100644
  ########################################
  ## <summary>
  ##	Read and write ntpd shared memory.
-@@ -122,6 +165,25 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +164,25 @@ interface(`ntp_rw_shm',`
  
  ########################################
  ## <summary>
@@ -44874,7 +45128,7 @@ index e80f8c0..c58528f 100644
  ##	All of the rules required to administrate
  ##	an ntp environment
  ## </summary>
-@@ -140,11 +202,10 @@ interface(`ntp_rw_shm',`
+@@ -140,11 +201,10 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -44888,7 +45142,7 @@ index e80f8c0..c58528f 100644
  	ps_process_pattern($1, ntpd_t)
  
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
-@@ -162,4 +223,6 @@ interface(`ntp_admin',`
+@@ -162,4 +222,6 @@ interface(`ntp_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, ntpd_var_run_t)
@@ -48521,7 +48775,7 @@ index 2d82c6d..adf5731 100644
 -/var/log/ppp/.*			--	gen_context(system_u:object_r:pppd_log_t,s0)
 +/var/log/ppp(/.*)?	gen_context(system_u:object_r:pppd_log_t,s0)
 diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..d3f932f 100644
+index b524673..921a60f 100644
 --- a/policy/modules/services/ppp.if
 +++ b/policy/modules/services/ppp.if
 @@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -48560,7 +48814,7 @@ index b524673..d3f932f 100644
  	allow $1 pppd_var_run_t:file manage_file_perms;
  ')
  
-@@ -340,6 +340,30 @@ interface(`ppp_initrc_domtrans',`
+@@ -340,6 +340,29 @@ interface(`ppp_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -48579,7 +48833,6 @@ index b524673..d3f932f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 pppd_unit_file_t:file read_file_perms;
 +	allow $1 pppd_unit_file_t:service all_service_perms;
 +
@@ -48591,7 +48844,7 @@ index b524673..d3f932f 100644
  ##	All of the rules required to administrate
  ##	an ppp environment
  ## </summary>
-@@ -348,21 +372,27 @@ interface(`ppp_initrc_domtrans',`
+@@ -348,21 +371,27 @@ interface(`ppp_initrc_domtrans',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -48624,7 +48877,7 @@ index b524673..d3f932f 100644
  	ppp_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 pppd_initrc_exec_t system_r;
-@@ -374,6 +404,7 @@ interface(`ppp_admin',`
+@@ -374,6 +403,7 @@ interface(`ppp_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, pppd_log_t)
  
@@ -48632,7 +48885,7 @@ index b524673..d3f932f 100644
  	admin_pattern($1, pppd_lock_t)
  
  	files_list_etc($1)
-@@ -386,10 +417,9 @@ interface(`ppp_admin',`
+@@ -386,10 +416,9 @@ interface(`ppp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, pppd_var_run_t)
  
@@ -48646,7 +48899,7 @@ index b524673..d3f932f 100644
 +	ppp_systemctl($1)
  ')
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..392bc4b 100644
+index 2af42e7..605815a 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -48730,7 +48983,15 @@ index 2af42e7..392bc4b 100644
  
  allow pppd_t pptp_t:process signal;
  
-@@ -166,6 +170,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -143,6 +147,7 @@ fs_getattr_all_fs(pppd_t)
+ fs_search_auto_mountpoints(pppd_t)
+ 
+ term_use_unallocated_ttys(pppd_t)
++term_use_usb_ttys(pppd_t)
+ term_setattr_unallocated_ttys(pppd_t)
+ term_ioctl_generic_ptys(pppd_t)
+ # for pppoe
+@@ -166,6 +171,8 @@ init_dontaudit_write_utmp(pppd_t)
  init_signal_script(pppd_t)
  
  auth_use_nsswitch(pppd_t)
@@ -48739,7 +49000,7 @@ index 2af42e7..392bc4b 100644
  
  logging_send_syslog_msg(pppd_t)
  logging_send_audit_msgs(pppd_t)
-@@ -176,7 +182,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +183,7 @@ sysnet_exec_ifconfig(pppd_t)
  sysnet_manage_config(pppd_t)
  sysnet_etc_filetrans_config(pppd_t)
  
@@ -48748,7 +49009,7 @@ index 2af42e7..392bc4b 100644
  userdom_dontaudit_use_unpriv_user_fds(pppd_t)
  userdom_search_user_home_dirs(pppd_t)
  
-@@ -187,13 +193,15 @@ optional_policy(`
+@@ -187,13 +194,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48765,7 +49026,7 @@ index 2af42e7..392bc4b 100644
  ')
  
  optional_policy(`
-@@ -243,14 +251,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +252,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -48784,6 +49045,14 @@ index 2af42e7..392bc4b 100644
  
  dev_read_sysfs(pptp_t)
  
+@@ -266,6 +278,7 @@ corenet_raw_sendrecv_generic_node(pptp_t)
+ corenet_tcp_sendrecv_all_ports(pptp_t)
+ corenet_tcp_bind_generic_node(pptp_t)
+ corenet_tcp_connect_generic_port(pptp_t)
++corenet_tcp_connect_unreserved_ports(pptp_t)
+ corenet_tcp_connect_all_reserved_ports(pptp_t)
+ corenet_sendrecv_generic_client_packets(pptp_t)
+ 
 diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
 index 2316653..77ef768 100644
 --- a/policy/modules/services/prelude.if
@@ -52825,7 +53094,7 @@ index 5c70c0c..f9f0f54 100644
 +
 +/var/tmp/nfs_0 		 --	gen_context(system_u:object_r:gssd_tmp_t,s0)
 diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..41b106f 100644
+index cda37bb..617e83f 100644
 --- a/policy/modules/services/rpc.if
 +++ b/policy/modules/services/rpc.if
 @@ -32,7 +32,11 @@ interface(`rpc_stub',`
@@ -52859,7 +53128,7 @@ index cda37bb..41b106f 100644
  ')
  
  ########################################
-@@ -229,6 +233,30 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -229,6 +233,29 @@ interface(`rpc_initrc_domtrans_nfsd',`
  
  ########################################
  ## <summary>
@@ -52878,7 +53147,6 @@ index cda37bb..41b106f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 nfsd_unit_file_t:file read_file_perms;
 +	allow $1 nfsd_unit_file_t:service all_service_perms;
 +
@@ -52890,7 +53158,7 @@ index cda37bb..41b106f 100644
  ##	Execute domain in rpcd domain.
  ## </summary>
  ## <param name="domain">
-@@ -246,6 +274,32 @@ interface(`rpc_domtrans_rpcd',`
+@@ -246,6 +273,32 @@ interface(`rpc_domtrans_rpcd',`
  	allow rpcd_t $1:process signal;
  ')
  
@@ -52923,7 +53191,7 @@ index cda37bb..41b106f 100644
  #######################################
  ## <summary>
  ##	Execute domain in rpcd domain.
-@@ -266,6 +320,30 @@ interface(`rpc_initrc_domtrans_rpcd',`
+@@ -266,6 +319,29 @@ interface(`rpc_initrc_domtrans_rpcd',`
  
  ########################################
  ## <summary>
@@ -52942,7 +53210,6 @@ index cda37bb..41b106f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 rpcd_unit_file_t:file read_file_perms;
 +	allow $1 rpcd_unit_file_t:service all_service_perms;
 +
@@ -52954,7 +53221,7 @@ index cda37bb..41b106f 100644
  ##	Read NFS exported content.
  ## </summary>
  ## <param name="domain">
-@@ -282,7 +360,7 @@ interface(`rpc_read_nfs_content',`
+@@ -282,7 +358,7 @@ interface(`rpc_read_nfs_content',`
  
  	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
  	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
@@ -52963,7 +53230,7 @@ index cda37bb..41b106f 100644
  ')
  
  ########################################
-@@ -375,7 +453,7 @@ interface(`rpc_search_nfs_state_data',`
+@@ -375,7 +451,7 @@ interface(`rpc_search_nfs_state_data',`
  	')
  
  	files_search_var_lib($1)
@@ -52972,7 +53239,7 @@ index cda37bb..41b106f 100644
  ')
  
  ########################################
-@@ -414,4 +492,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -414,4 +490,5 @@ interface(`rpc_manage_nfs_state_data',`
  
  	files_search_var_lib($1)
  	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@@ -53563,10 +53830,10 @@ index 69a6074..596dbb3 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..87d1eec 100644
+index 82cb169..0a29f68 100644
 --- a/policy/modules/services/samba.if
 +++ b/policy/modules/services/samba.if
-@@ -60,6 +60,30 @@ interface(`samba_initrc_domtrans',`
+@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -53585,7 +53852,6 @@ index 82cb169..87d1eec 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 samba_unit_file_t:file read_file_perms;
 +	allow $1 samba_unit_file_t:service all_service_perms;
 +
@@ -53597,7 +53863,7 @@ index 82cb169..87d1eec 100644
  ##	Execute samba net in the samba_net domain.
  ## </summary>
  ## <param name="domain">
-@@ -79,6 +103,25 @@ interface(`samba_domtrans_net',`
+@@ -79,6 +102,25 @@ interface(`samba_domtrans_net',`
  
  ########################################
  ## <summary>
@@ -53623,7 +53889,7 @@ index 82cb169..87d1eec 100644
  ##	Execute samba net in the samba_net domain, and
  ##	allow the specified role the samba_net domain.
  ## </summary>
-@@ -103,6 +146,51 @@ interface(`samba_run_net',`
+@@ -103,6 +145,51 @@ interface(`samba_run_net',`
  	role $2 types samba_net_t;
  ')
  
@@ -53675,7 +53941,7 @@ index 82cb169..87d1eec 100644
  ########################################
  ## <summary>
  ##	Execute smbmount in the smbmount domain.
-@@ -327,7 +415,6 @@ interface(`samba_search_var',`
+@@ -327,7 +414,6 @@ interface(`samba_search_var',`
  		type samba_var_t;
  	')
  
@@ -53683,7 +53949,7 @@ index 82cb169..87d1eec 100644
  	files_search_var_lib($1)
  	allow $1 samba_var_t:dir search_dir_perms;
  ')
-@@ -348,7 +435,6 @@ interface(`samba_read_var_files',`
+@@ -348,7 +434,6 @@ interface(`samba_read_var_files',`
  		type samba_var_t;
  	')
  
@@ -53691,7 +53957,7 @@ index 82cb169..87d1eec 100644
  	files_search_var_lib($1)
  	read_files_pattern($1, samba_var_t, samba_var_t)
  ')
-@@ -388,7 +474,6 @@ interface(`samba_rw_var_files',`
+@@ -388,7 +473,6 @@ interface(`samba_rw_var_files',`
  		type samba_var_t;
  	')
  
@@ -53699,7 +53965,7 @@ index 82cb169..87d1eec 100644
  	files_search_var_lib($1)
  	rw_files_pattern($1, samba_var_t, samba_var_t)
  ')
-@@ -409,9 +494,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +493,9 @@ interface(`samba_manage_var_files',`
  		type samba_var_t;
  	')
  
@@ -53710,7 +53976,7 @@ index 82cb169..87d1eec 100644
  ')
  
  ########################################
-@@ -419,15 +504,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +503,14 @@ interface(`samba_manage_var_files',`
  ##	Execute a domain transition to run smbcontrol.
  ## </summary>
  ## <param name="domain">
@@ -53729,7 +53995,7 @@ index 82cb169..87d1eec 100644
  	')
  
  	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +648,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +647,7 @@ interface(`samba_domtrans_winbind_helper',`
  	')
  
  	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -53737,7 +54003,7 @@ index 82cb169..87d1eec 100644
  ')
  
  ########################################
-@@ -644,6 +729,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +728,37 @@ interface(`samba_stream_connect_winbind',`
  
  ########################################
  ## <summary>
@@ -53775,7 +54041,7 @@ index 82cb169..87d1eec 100644
  ##	All of the rules required to administrate 
  ##	an samba environment
  ## </summary>
-@@ -661,21 +777,12 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,21 +776,12 @@ interface(`samba_stream_connect_winbind',`
  #
  interface(`samba_admin',`
  	gen_require(`
@@ -53803,7 +54069,7 @@ index 82cb169..87d1eec 100644
  	')
  
  	allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +791,9 @@ interface(`samba_admin',`
+@@ -684,6 +790,9 @@ interface(`samba_admin',`
  	allow $1 nmbd_t:process { ptrace signal_perms };
  	ps_process_pattern($1, nmbd_t)
  
@@ -53813,7 +54079,7 @@ index 82cb169..87d1eec 100644
  	samba_run_smbcontrol($1, $2, $3)
  	samba_run_winbind_helper($1, $2, $3)
  	samba_run_smbmount($1, $2, $3)
-@@ -709,9 +819,6 @@ interface(`samba_admin',`
+@@ -709,9 +818,6 @@ interface(`samba_admin',`
  	admin_pattern($1, samba_var_t)
  	files_list_var($1)
  
@@ -53823,7 +54089,7 @@ index 82cb169..87d1eec 100644
  	admin_pattern($1, smbd_var_run_t)
  	files_list_pids($1)
  
-@@ -727,4 +834,7 @@ interface(`samba_admin',`
+@@ -727,4 +833,7 @@ interface(`samba_admin',`
  	admin_pattern($1, winbind_tmp_t)
  
  	admin_pattern($1, winbind_var_run_t)
@@ -55617,7 +55883,7 @@ index c954f31..c7cadcb 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..f056f5f 100644
+index ec1eb1e..a370364 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
 @@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -56022,7 +56288,7 @@ index ec1eb1e..f056f5f 100644
  ')
  
  optional_policy(`
-@@ -451,3 +558,44 @@ optional_policy(`
+@@ -451,3 +558,51 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -56044,6 +56310,13 @@ index ec1eb1e..f056f5f 100644
 +manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
 +
++allow spamd_update_t spamd_tmp_t:file read_file_perms;
++
++kernel_read_system_state(spamd_update_t)
++
++# for updating rules 
++corenet_tcp_connect_http_port(spamd_update_t)
++
 +corecmd_exec_bin(spamd_update_t)
 +corecmd_exec_shell(spamd_update_t)
 +
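Review bot: The added `corenet_tcp_connect_http_port(spamd_update_t)` is explained by its comment, but the neighbouring `kernel_read_system_state(spamd_update_t)` and `allow spamd_update_t spamd_tmp_t:file read_file_perms;` are not, and `kernel_read_system_state` is a broad grant over /proc that a later audit cannot tell apart from accidental widening without a reason. A one-line comment naming the access each rule fixes would be enough. The comment `# for updating rules ` also carries trailing whitespace. The spamd_update_t block starts and continues outside this hunk.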
@@ -56652,7 +56925,7 @@ index 22adaca..8e3e9de 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..d81a09f 100644
+index 2dad3c8..02e70c9 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -57051,7 +57324,7 @@ index 2dad3c8..d81a09f 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +422,83 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,15 +422,91 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -57125,6 +57398,10 @@ index 2dad3c8..d81a09f 100644
 +    fs_manage_cifs_symlinks(chroot_user_t)
 +')
 +
++tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',`
++    fs_manage_fusefs_files(chroot_user_t)
++')
++
 +tunable_policy(`use_samba_home_dirs',`
 +    fs_read_cifs_files(chroot_user_t)
 +    fs_read_cifs_symlinks(chroot_user_t)
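Review bot: The new `tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',` block grants only `fs_manage_fusefs_files(chroot_user_t)`, whereas the cifs counterpart directly above it also manages symlinks (`fs_manage_cifs_symlinks(chroot_user_t)`), so a chrooted user on a FUSE-backed home will be able to write files but not create links (and presumably not directories, if those are granted in the cifs block outside the hunk) unless that is covered elsewhere. If the fusefs directory and symlink interfaces exist in this tree, add them alongside; otherwise a comment noting the deliberate difference would help. The read-only tunable in the hunk below (`use_fusefs_home_dirs` / `fs_read_fusefs_files`) has the same asymmetry against `fs_read_cifs_symlinks`.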
@@ -57135,6 +57412,10 @@ index 2dad3c8..d81a09f 100644
 +    fs_read_nfs_symlinks(chroot_user_t)
 +')
 +
++tunable_policy(`use_fusefs_home_dirs',`
++    fs_read_fusefs_files(chroot_user_t)
++')
++
 +optional_policy(`
 +    ssh_rw_dgram_sockets(chroot_user_t)
  ')
@@ -59218,7 +59499,7 @@ index 7c5d8d8..d711fd5 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..812f226 100644
+index 3eca020..75d8556 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -59600,9 +59881,9 @@ index 3eca020..812f226 100644
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
- 
-+selinux_validate_context(virtd_t)
 +
++selinux_validate_context(virtd_t)
+ 
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -59746,12 +60027,12 @@ index 3eca020..812f226 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
@@ -59762,7 +60043,7 @@ index 3eca020..812f226 100644
  logging_send_syslog_msg(virt_domain)
  
  miscfiles_read_localization(virt_domain)
-@@ -457,8 +635,320 @@ optional_policy(`
+@@ -457,8 +635,324 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59955,6 +60236,10 @@ index 3eca020..812f226 100644
 +
 +sysnet_domtrans_ifconfig(virtd_lxc_t)
 +
++optional_policy(`
++	execmem_exec(virtd_lxc_t)
++')
++
 +#optional_policy(`
 +#	unconfined_shell_domtrans(virtd_lxc_t)
 +#	unconfined_signal(virtd_t)
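Review bot: `execmem_exec(virtd_lxc_t)` is added in an `optional_policy` block with no comment, directly above a commented-out unconfined transition, and the commit message does not mention it; as I read it, this lets the libvirt LXC driver domain run execmem-labelled binaries in its own domain, which is a permission worth documenting when it lands. Suggest a comment on the block naming the binary or the access that triggered it, e.g. `# <name of the execmem_exec_t binary> is started by the lxc driver`, so the rule stays traceable. The virtd_lxc_t section continues beyond the hunk.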
@@ -65151,7 +65436,7 @@ index 94fd8dd..b5e5c70 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..53f3bfe 100644
+index 29a9565..f69ea00 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -65304,7 +65589,7 @@ index 29a9565..53f3bfe 100644
  
  # Run init scripts.
  init_domtrans_script(init_t)
-@@ -162,12 +219,16 @@ init_domtrans_script(init_t)
+@@ -162,23 +219,29 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -65321,7 +65606,12 @@ index 29a9565..53f3bfe 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +239,7 @@ ifdef(`distro_redhat',`
+ 
+ ifdef(`distro_redhat',`
++	fs_manage_tmpfs_files(init_t)
++	fs_exec_tmpfs_files(init_t)
+ 	fs_read_tmpfs_symlinks(init_t)
+ 	fs_rw_tmpfs_chr_files(init_t)
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
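Review bot: `fs_manage_tmpfs_files(init_t)` together with the new `fs_exec_tmpfs_files(init_t)` lets init_t both write and execute files on tmpfs, which removes the write-xor-execute separation for that domain on tmpfs-backed paths; before this change the `distro_redhat` block only read symlinks and used chr files there. If this is for a specific systemd case (generated units or scripts under a tmpfs mount, presumably), a comment next to `fs_exec_tmpfs_files(init_t)` naming it would let a reviewer judge whether execute alone, or a narrower type, would suffice. The `ifdef(`distro_redhat',` block is complete within the hunk.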
  
@@ -65330,7 +65620,7 @@ index 29a9565..53f3bfe 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +247,138 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +249,138 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -65471,7 +65761,7 @@ index 29a9565..53f3bfe 100644
  ')
  
  optional_policy(`
-@@ -203,6 +386,17 @@ optional_policy(`
+@@ -203,6 +388,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65489,7 +65779,7 @@ index 29a9565..53f3bfe 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +406,7 @@ optional_policy(`
+@@ -212,7 +408,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -65498,7 +65788,7 @@ index 29a9565..53f3bfe 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +437,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -65514,7 +65804,7 @@ index 29a9565..53f3bfe 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +457,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -65551,7 +65841,7 @@ index 29a9565..53f3bfe 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +490,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -65559,7 +65849,7 @@ index 29a9565..53f3bfe 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +501,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -65570,7 +65860,7 @@ index 29a9565..53f3bfe 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +512,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -65587,7 +65877,7 @@ index 29a9565..53f3bfe 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +531,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -65595,7 +65885,7 @@ index 29a9565..53f3bfe 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +539,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -65607,7 +65897,7 @@ index 29a9565..53f3bfe 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +558,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -65621,7 +65911,7 @@ index 29a9565..53f3bfe 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +573,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -65630,7 +65920,7 @@ index 29a9565..53f3bfe 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +587,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -65638,7 +65928,7 @@ index 29a9565..53f3bfe 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +599,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -65646,7 +65936,7 @@ index 29a9565..53f3bfe 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +620,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -65668,7 +65958,7 @@ index 29a9565..53f3bfe 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +683,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -65679,7 +65969,7 @@ index 29a9565..53f3bfe 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +705,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +707,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -65688,7 +65978,7 @@ index 29a9565..53f3bfe 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +720,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +722,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -65696,7 +65986,7 @@ index 29a9565..53f3bfe 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +750,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +752,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -65730,7 +66020,7 @@ index 29a9565..53f3bfe 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +784,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +786,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -65753,7 +66043,7 @@ index 29a9565..53f3bfe 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +814,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +816,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -65793,7 +66083,7 @@ index 29a9565..53f3bfe 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +859,8 @@ optional_policy(`
+@@ -561,6 +861,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -65802,7 +66092,7 @@ index 29a9565..53f3bfe 100644
  ')
  
  optional_policy(`
-@@ -577,6 +877,7 @@ optional_policy(`
+@@ -577,6 +879,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -65810,7 +66100,7 @@ index 29a9565..53f3bfe 100644
  ')
  
  optional_policy(`
-@@ -589,6 +890,17 @@ optional_policy(`
+@@ -589,6 +892,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65828,7 +66118,7 @@ index 29a9565..53f3bfe 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +917,13 @@ optional_policy(`
+@@ -605,9 +919,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -65842,7 +66132,7 @@ index 29a9565..53f3bfe 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +948,10 @@ optional_policy(`
+@@ -632,6 +950,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65853,7 +66143,7 @@ index 29a9565..53f3bfe 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +969,11 @@ optional_policy(`
+@@ -649,6 +971,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65865,7 +66155,7 @@ index 29a9565..53f3bfe 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1014,7 @@ optional_policy(`
+@@ -689,6 +1016,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -65873,7 +66163,7 @@ index 29a9565..53f3bfe 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1032,13 @@ optional_policy(`
+@@ -706,7 +1034,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65887,7 +66177,7 @@ index 29a9565..53f3bfe 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1061,10 @@ optional_policy(`
+@@ -729,6 +1063,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65898,7 +66188,7 @@ index 29a9565..53f3bfe 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1074,20 @@ optional_policy(`
+@@ -738,10 +1076,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65919,7 +66209,7 @@ index 29a9565..53f3bfe 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1096,10 @@ optional_policy(`
+@@ -750,6 +1098,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65930,7 +66220,7 @@ index 29a9565..53f3bfe 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1121,6 @@ optional_policy(`
+@@ -771,8 +1123,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -65939,7 +66229,7 @@ index 29a9565..53f3bfe 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1138,12 @@ optional_policy(`
+@@ -790,10 +1140,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -65952,7 +66242,7 @@ index 29a9565..53f3bfe 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1155,6 @@ optional_policy(`
+@@ -805,7 +1157,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65960,7 +66250,7 @@ index 29a9565..53f3bfe 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1164,26 @@ optional_policy(`
+@@ -815,11 +1166,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -65988,7 +66278,7 @@ index 29a9565..53f3bfe 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1193,25 @@ optional_policy(`
+@@ -829,6 +1195,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -66014,7 +66304,7 @@ index 29a9565..53f3bfe 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1227,10 @@ optional_policy(`
+@@ -844,6 +1229,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66025,7 +66315,7 @@ index 29a9565..53f3bfe 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1241,160 @@ optional_policy(`
+@@ -854,3 +1243,160 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -66261,7 +66551,7 @@ index 0d4c8d3..9d66bf7 100644
  
  ########################################
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..fa17b89 100644
+index 55a6cd8..2af2952 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -80,6 +80,8 @@ allow ipsec_t self:udp_socket create_socket_perms;
@@ -66311,7 +66601,7 @@ index 55a6cd8..fa17b89 100644
  
  userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
  userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -245,6 +251,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -245,6 +251,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -66324,12 +66614,14 @@ index 55a6cd8..fa17b89 100644
 +dev_dontaudit_getattr_all_blk_files(ipsec_mgmt_t)
 +dev_dontaudit_getattr_all_chr_files(ipsec_mgmt_t)
 +
++dev_read_sysfs(ipsec_mgmt_t)
++
 +files_dontaudit_getattr_all_files(ipsec_mgmt_t)
 +files_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -277,9 +294,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +296,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -66341,7 +66633,7 @@ index 55a6cd8..fa17b89 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -297,7 +315,7 @@ sysnet_manage_config(ipsec_mgmt_t)
+@@ -297,7 +317,7 @@ sysnet_manage_config(ipsec_mgmt_t)
  sysnet_domtrans_ifconfig(ipsec_mgmt_t)
  sysnet_etc_filetrans_config(ipsec_mgmt_t)
  
@@ -66350,7 +66642,7 @@ index 55a6cd8..fa17b89 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -324,10 +342,6 @@ optional_policy(`
+@@ -324,10 +344,6 @@ optional_policy(`
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
@@ -66361,7 +66653,7 @@ index 55a6cd8..fa17b89 100644
  ifdef(`TODO',`
  # ideally it would not need this.  It wants to write to /root/.rnd
  file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-@@ -377,12 +391,12 @@ corecmd_exec_shell(racoon_t)
+@@ -377,12 +393,12 @@ corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
  corenet_all_recvfrom_unlabeled(racoon_t)
@@ -66380,7 +66672,7 @@ index 55a6cd8..fa17b89 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -411,6 +425,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +427,8 @@ miscfiles_read_localization(racoon_t)
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -66389,7 +66681,7 @@ index 55a6cd8..fa17b89 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +464,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +466,6 @@ miscfiles_read_localization(setkey_t)
  
  seutil_read_config(setkey_t)
  
@@ -66423,7 +66715,7 @@ index 05fb364..c054118 100644
 -/usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/xtables-multi	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index 7ba53db..227887f 100644
+index 7ba53db..db118e3 100644
 --- a/policy/modules/system/iptables.if
 +++ b/policy/modules/system/iptables.if
 @@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -66437,7 +66729,7 @@ index 7ba53db..227887f 100644
  ')
  
  ########################################
-@@ -92,6 +88,30 @@ interface(`iptables_initrc_domtrans',`
+@@ -92,6 +88,29 @@ interface(`iptables_initrc_domtrans',`
  	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
  ')
  
@@ -66458,7 +66750,6 @@ index 7ba53db..227887f 100644
 +	')
 +
 +	systemd_exec_systemctl($1)
-+	systemd_search_unit_dirs($1)
 +	allow $1 iptables_unit_file_t:file read_file_perms;
 +	allow $1 iptables_unit_file_t:service all_service_perms;
 +
@@ -66599,7 +66890,7 @@ index ddbd8be..ac8e814 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..6673319 100644
+index 560dc48..5447ff6 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
@@ -66890,7 +67181,7 @@ index 560dc48..6673319 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +303,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +303,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -66984,6 +67275,10 @@ index 560dc48..6673319 100644
 +/usr/lib/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libmpeg2\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
++HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
 +ifdef(`fixed',`
 +/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libavdevice\.so.*	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -67001,9 +67296,6 @@ index 560dc48..6673319 100644
 +/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +# Flash plugin, Macromedia
-+HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/php/modules/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
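Review bot: The comment `# Flash plugin, Macromedia` is left behind inside the ifdef(`fixed') block after the three libflashplayer entries it described are moved out (the hunk directly above re-adds them ahead of the ifdef), so it now sits over the php and xorg module entries, which it does not describe; move the comment along with the entries or drop it. Taking the entries out of the ifdef block also makes them live, so flash plugin files will now be labelled textrel_shlib_t and permitted text relocations; that is presumably the intent of the move, but the commit message does not mention it, and a one-line comment above the relocated entries (`# live: needs textrel`) would make the change deliberate rather than accidental-looking.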
@@ -70896,10 +71188,10 @@ index 0000000..9eaa38e
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..46a3ec0
+index 0000000..764084e
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,456 @@
+@@ -0,0 +1,477 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -70944,10 +71236,12 @@ index 0000000..46a3ec0
 +                type systemd_systemctl_exec_t;
 +        ')
 +
-+        corecmd_search_bin($1)
-+        can_exec($1, systemd_systemctl_exec_t)
++	corecmd_search_bin($1)
++	can_exec($1, systemd_systemctl_exec_t)
 +
++	systemd_list_unit_dirs($1)
 +	init_read_state($1)
++	init_stream_send($1)
 +')
 +
 +#######################################
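Review bot: Indentation is only half converted in this hunk: `corecmd_search_bin($1)` and `can_exec($1, systemd_systemctl_exec_t)` are rewritten from eight spaces to a tab, while the `gen_require` block two lines above keeps its space indentation, so the interface body ends up mixed; either convert the whole body or leave the two lines as they were. `init_stream_send($1)` also widens every caller of systemd_exec_systemctl to init's stream sockets; if that is what systemctl needs, a why-comment such as `# systemctl talks to systemd over its control socket` would spare the next reader the guess. The iptables.if hunk earlier in this patch drops its own `systemd_search_unit_dirs($1)` and appears to rely on the `systemd_list_unit_dirs($1)` added here. The interface header and summary lie outside the hunk.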
@@ -70990,6 +71284,25 @@ index 0000000..46a3ec0
 +
 +######################################
 +## <summary>
++##      Allow domain to list systemd unit dirs.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_list_unit_dirs',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++	
++	files_search_var_lib($1)
++	allow $1 systemd_unit_file_type:dir list_dir_perms;
++')
++
++######################################
++## <summary>
 +##      Allow domain to read all systemd unit files.
 +## </summary>
 +## <param name="domain">
@@ -72937,7 +73250,7 @@ index db75976..494ec08 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..e7a65ae 100644
+index 4b2878a..34d01ef 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -74844,50 +75157,83 @@ index 4b2878a..e7a65ae 100644
  	files_search_tmp($1)
  ')
  
-@@ -2435,13 +3019,14 @@ interface(`userdom_read_user_tmpfs_files',`
- 	')
- 
- 	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- 	allow $1 user_tmpfs_t:dir list_dir_perms;
- 	fs_search_tmpfs($1)
+@@ -2419,24 +3003,23 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ 	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
- ########################################
+-########################################
++#######################################
  ## <summary>
 -##	Read user tmpfs files.
-+##	Read/Write user tmpfs files.
++##  Getattr user tmpfs files.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -2462,26 +3047,6 @@ interface(`userdom_rw_user_tmpfs_files',`
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete user tmpfs files.
--## </summary>
--## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
--## </param>
--#
--interface(`userdom_manage_user_tmpfs_files',`
++##  <summary>
++##  Domain allowed access.
++##  </summary>
+ ## </param>
+ #
+-interface(`userdom_read_user_tmpfs_files',`
 -	gen_require(`
 -		type user_tmpfs_t;
 -	')
--
--	manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++interface(`userdom_getattr_user_tmpfs_files',`
++    gen_require(`
++        type user_tmpfs_t;
++    ')
+ 
+-	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
 -	allow $1 user_tmpfs_t:dir list_dir_perms;
 -	fs_search_tmpfs($1)
--')
--
--########################################
--## <summary>
- ##	Get the attributes of a user domain tty.
++    getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++    fs_search_tmpfs($1)
+ ')
+ 
+ ########################################
+@@ -2449,12 +3032,12 @@ interface(`userdom_read_user_tmpfs_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_rw_user_tmpfs_files',`
++interface(`userdom_read_user_tmpfs_files',`
+ 	gen_require(`
+ 		type user_tmpfs_t;
+ 	')
+ 
+-	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ 	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ 	allow $1 user_tmpfs_t:dir list_dir_perms;
+ 	fs_search_tmpfs($1)
+@@ -2462,7 +3045,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete user tmpfs files.
++##	Read/Write user tmpfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2572,7 +3137,7 @@ interface(`userdom_use_user_ttys',`
+ ##	<summary>
+@@ -2470,12 +3053,13 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_manage_user_tmpfs_files',`
++interface(`userdom_rw_user_tmpfs_files',`
+ 	gen_require(`
+ 		type user_tmpfs_t;
+ 	')
+ 
+-	manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ 	allow $1 user_tmpfs_t:dir list_dir_perms;
+ 	fs_search_tmpfs($1)
+ ')
+@@ -2572,7 +3156,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
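Review bot: The new `userdom_getattr_user_tmpfs_files` interface is written in a different style from its neighbours: its `gen_require` and body are indented with four spaces where every other interface in this hunk uses tabs, its XML summary lines use two spaces after `##` instead of the tab used by `userdom_read_user_tmpfs_files` directly below, and the separator line above its summary appears one `#` shorter than the one it replaces. Bringing it in line with the surrounding interfaces keeps the file and the generated interface documentation consistent. The reshuffle also turns the body of the old `userdom_manage_user_tmpfs_files` into `userdom_rw_user_tmpfs_files`, so no manage interface remains within this hunk; whether it is re-added elsewhere or simply has no callers left cannot be confirmed from here.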
@@ -74896,7 +75242,7 @@ index 4b2878a..e7a65ae 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,70 +3145,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3164,138 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -75064,7 +75410,7 @@ index 4b2878a..e7a65ae 100644
  ########################################
  ## <summary>
  ##	Execute a shell in all user domains.  This
-@@ -2713,6 +3346,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3365,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -75089,7 +75435,7 @@ index 4b2878a..e7a65ae 100644
  ########################################
  ## <summary>
  ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2736,24 +3387,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3406,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -75114,7 +75460,7 @@ index 4b2878a..e7a65ae 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3405,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3424,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -75140,7 +75486,7 @@ index 4b2878a..e7a65ae 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3466,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3485,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -75149,7 +75495,7 @@ index 4b2878a..e7a65ae 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3482,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3501,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -75183,7 +75529,7 @@ index 4b2878a..e7a65ae 100644
  ')
  
  ########################################
-@@ -2972,7 +3570,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3589,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -75192,7 +75538,7 @@ index 4b2878a..e7a65ae 100644
  ')
  
  ########################################
-@@ -3027,7 +3625,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3644,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -75239,7 +75585,7 @@ index 4b2878a..e7a65ae 100644
  ')
  
  ########################################
-@@ -3064,6 +3700,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3719,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -75247,7 +75593,7 @@ index 4b2878a..e7a65ae 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3779,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3798,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -75272,7 +75618,7 @@ index 4b2878a..e7a65ae 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3160,6 +3815,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3834,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -75297,7 +75643,7 @@ index 4b2878a..e7a65ae 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3867,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3886,1076 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/ptrace.patch b/ptrace.patch
index 219b5be..a78dd8c 100644
--- a/ptrace.patch
+++ b/ptrace.patch
@@ -1,6 +1,6 @@
 diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables
---- serefpolicy-3.10.0/policy/global_tunables.ptrace	2011-10-05 14:34:03.252103292 -0400
-+++ serefpolicy-3.10.0/policy/global_tunables	2011-10-05 14:34:03.751103821 -0400
+--- serefpolicy-3.10.0/policy/global_tunables.ptrace	2011-10-11 16:42:15.566761738 -0400
++++ serefpolicy-3.10.0/policy/global_tunables	2011-10-11 16:42:16.082761591 -0400
 @@ -6,6 +6,13 @@
  
  ## <desc>
@@ -8,7 +8,7 @@ diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/pol
 +## Allow sysadm to debug or ptrace all processes.
 +## </p>
 +## </desc>
-+gen_tunable(allow_ptrace, false)
++gen_tunable(deny_ptrace, false)
 +
 +## <desc>
 +## <p>
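Review bot: The tunable is renamed from allow_ptrace to deny_ptrace, but the `<desc>` text that remains as context, `## Allow sysadm to debug or ptrace all processes.`, now states the opposite of what the boolean does, and this description is presumably what administrators see when they query the boolean. Replace it with `## Deny any process from ptracing or debugging any other process.`. Since the default stays `false`, ptrace remains available until the boolean is switched on, so the commit title's "remove all ptrace from the system" only holds once it is enabled; saying so in the description would avoid surprises.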
@@ -16,8 +16,8 @@ diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/pol
  ## </p>
  ## </desc>
 diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if
---- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace	2011-10-05 14:34:03.265103305 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if	2011-10-05 14:34:03.752103823 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace	2011-10-11 16:42:15.581761733 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kdump.if	2011-10-11 16:42:16.083761591 -0400
 @@ -140,8 +140,11 @@ interface(`kdump_admin',`
  		type kdump_initrc_exec_t;
  	')
@@ -25,7 +25,7 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.1
 -	allow $1 kdump_t:process { ptrace signal_perms };
 +	allow $1 kdump_t:process signal_perms;
  	ps_process_pattern($1, kdump_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 kdump_t:process ptrace;
 +	')
  
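Review bot: `` tunable_policy(`deny_ptrace',`',` `` with an empty true branch and the allow rule in the else branch reads at first glance as if the ptrace rule had been dropped; the same shape appears in the kismet.if hunk below and in the shorewall.if hunk that runs past the end of this view. tunable_policy takes a conditional expression, so `` tunable_policy(`!deny_ptrace',` `` with the allow in the first branch expresses the same policy without the empty argument and matches how other negated tunables are written in refpolicy. The enclosing interface body starts before and ends after this hunk.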
@@ -33,22 +33,22 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.1
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if
 --- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if	2011-10-05 14:34:03.753103824 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kismet.if	2011-10-11 16:42:16.083761591 -0400
 @@ -239,7 +239,10 @@ interface(`kismet_admin',`
  	')
  
  	ps_process_pattern($1, kismet_t)
 -	allow $1 kismet_t:process { ptrace signal_perms };
 +	allow $1 kismet_t:process signal_perms;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 kismet_t:process ptrace;
 +	')
  
  	kismet_manage_pid_files($1)
  	kismet_manage_lib($1)
 diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te
---- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace	2011-10-05 14:34:03.267103307 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te	2011-10-05 14:34:03.753103824 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace	2011-10-11 16:42:15.582761733 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te	2011-10-11 16:42:16.084761591 -0400
 @@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
  # Local policy
  #
@@ -59,68 +59,72 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.1
  allow kudzu_t self:process { signal_perms execmem };
  allow kudzu_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te
---- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace	2011-10-05 14:34:03.268103309 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te	2011-10-05 14:34:03.754103825 -0400
-@@ -31,7 +31,7 @@ files_type(logrotate_var_lib_t)
+--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace	2011-10-11 16:42:15.583761733 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te	2011-10-11 16:42:16.084761591 -0400
+@@ -30,8 +30,6 @@ files_type(logrotate_var_lib_t)
+ 
  # Change ownership on log files.
  allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
- # for mailx
+-# for mailx
 -dontaudit logrotate_t self:capability { sys_ptrace };
-+dontaudit logrotate_t self:capability sys_ptrace;
  
  allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  
 diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te
---- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace	2011-10-05 14:34:03.273103314 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te	2011-10-05 14:34:03.754103825 -0400
-@@ -17,7 +17,11 @@ role system_r types ncftool_t;
+--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace	2011-10-11 16:42:15.586761731 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te	2011-10-11 16:42:16.085761591 -0400
+@@ -17,8 +17,7 @@ role system_r types ncftool_t;
  # ncftool local policy
  #
  
 -allow ncftool_t self:capability { net_admin sys_ptrace };
+-
 +allow ncftool_t self:capability net_admin;
-+tunable_policy(`allow_ptrace',`
-+	allow ncftool_t self:capability sys_ptrace;
-+')
-+
- 
  allow ncftool_t self:process signal;
  
+ allow ncftool_t self:fifo_file manage_fifo_file_perms;
+diff -up serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te.ptrace serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te
+--- serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te.ptrace	2011-10-11 16:42:15.590761731 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/permissivedomains.te	2011-10-11 16:43:18.809744020 -0400
+@@ -266,3 +266,10 @@ optional_policy(`
+       permissive virt_qmf_t;
+ ')
+ 
++optional_policy(`
++      gen_require(`
++             attribute domain;
++      ')
++
++      dontaudit domain self:capability sys_ptrace;
++')
 diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te
---- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace	2011-10-05 14:34:03.700103767 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te	2011-10-05 14:34:03.755103826 -0400
-@@ -248,7 +248,11 @@ optional_policy(`
+--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace	2011-10-11 16:42:16.020761610 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/rpm.te	2011-10-11 16:42:16.085761591 -0400
+@@ -248,7 +248,8 @@ optional_policy(`
  # rpm-script Local policy
  #
  
 -allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
 +allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
-+tunable_policy(`allow_ptrace',`
-+	allow rpm_script_t self:capability sys_ptrace;
-+')
 +
  allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te
---- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace	2011-10-05 14:34:03.288103330 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te	2011-10-05 14:34:03.755103826 -0400
-@@ -23,7 +23,11 @@ files_tmp_file(sectool_tmp_t)
+--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace	2011-10-11 16:42:15.598761729 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te	2011-10-11 16:42:16.086761591 -0400
+@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
  # sectool local policy
  #
  
 -allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
 +allow sectoolm_t self:capability { dac_override net_admin sys_nice };
-+tunable_policy(`allow_ptrace',`
-+	allow sectoolm_t self:capability sys_ptrace;
-+')
-+
  allow sectoolm_t self:process { getcap getsched	signull setsched };
  dontaudit sectoolm_t self:process { execstack execmem };
  allow sectoolm_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if
---- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace	2011-10-05 14:34:03.288103330 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if	2011-10-05 14:34:03.756103827 -0400
+--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace	2011-10-11 16:42:15.598761729 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if	2011-10-11 16:42:16.087761591 -0400
 @@ -139,8 +139,11 @@ interface(`shorewall_admin',`
  		type shorewall_tmp_t, shorewall_etc_t;
  	')
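Review bot: sys_ptrace is dropped outright from the capability sets of ncftool_t, rpm_script_t, sectoolm_t and shorewall_t with no deny_ptrace-guarded fallback, while the new rule in permissivedomains.te, `dontaudit domain self:capability sys_ptrace;`, suppresses the resulting denials for every domain regardless of the boolean. If any of those programs still needs CAP_SYS_PTRACE it will now fail with nothing in the audit log, which removes exactly the signal an administrator would use to notice the breakage. If the aim is to silence noise only when ptrace is deliberately turned off, guard the rule with the tunable, `` tunable_policy(`deny_ptrace',` dontaudit domain self:capability sys_ptrace; ') ``, and give the four domains the capability in the else branch, mirroring the process:ptrace handling in the kdump.if hunk above. permissivedomains.te is also an unusual home for a rule over the domain attribute; kernel/domain.te, where the attribute is declared, looks like the natural place, though whether this patch touches it cannot be seen from here.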
@@ -128,91 +132,64 @@ diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy
 -	allow $1 shorewall_t:process { ptrace signal_perms };
 +	allow $1 shorewall_t:process signal_perms;
  	ps_process_pattern($1, shorewall_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 shorewall_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te
---- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace	2011-10-05 14:34:03.289103331 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te	2011-10-05 14:34:03.757103828 -0400
-@@ -37,8 +37,8 @@ logging_log_file(shorewall_log_t)
+--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace	2011-10-11 16:42:15.599761728 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te	2011-10-11 16:42:16.087761591 -0400
+@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
  # shorewall local policy
  #
  
 -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
--dontaudit shorewall_t self:capability sys_tty_config;
 +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
-+dontaudit shorewall_t self:capability { sys_tty_config sys_ptrace };
+ dontaudit shorewall_t self:capability sys_tty_config;
  allow shorewall_t self:fifo_file rw_fifo_file_perms;
  
- read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
 diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te
---- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace	2011-10-05 14:34:03.291103333 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te	2011-10-05 14:34:03.757103828 -0400
-@@ -21,7 +21,11 @@ files_tmpfs_file(sosreport_tmpfs_t)
+--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace	2011-10-11 16:42:15.602761727 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te	2011-10-11 16:42:16.088761590 -0400
+@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
  # sosreport local policy
  #
  
 -allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
 +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
-+tunable_policy(`allow_ptrace',`
-+	allow sosreport_t self:capability sys_ptrace;
-+')
-+
  allow sosreport_t self:process { setsched signull };
  allow sosreport_t self:fifo_file rw_fifo_file_perms;
  allow sosreport_t self:tcp_socket create_stream_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te
---- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace	2011-10-05 14:34:03.722103791 -0400
-+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te	2011-10-05 14:34:03.758103829 -0400
-@@ -433,7 +433,11 @@ optional_policy(`
+--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace	2011-10-11 16:42:16.044761602 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te	2011-10-11 16:42:16.088761590 -0400
+@@ -435,7 +435,8 @@ optional_policy(`
  # Useradd local policy
  #
  
 -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
 +allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-+tunable_policy(`allow_ptrace',`
-+	allow useradd_t self:capability sys_ptrace;
-+')
 +
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
 diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te
---- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace	2011-10-05 14:34:03.302103345 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te	2011-10-05 14:34:03.758103829 -0400
-@@ -21,7 +21,9 @@ ubac_constrained(chrome_sandbox_tmpfs_t)
+--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace	2011-10-11 16:42:15.612761725 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/chrome.te	2011-10-11 16:42:16.089761589 -0400
+@@ -21,7 +21,7 @@ ubac_constrained(chrome_sandbox_tmpfs_t)
  #
  # chrome_sandbox local policy
  #
 -allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
 +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
-+dontaudit chrome_sandbox_t self:capability sys_ptrace;
-+
  allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
  allow chrome_sandbox_t self:process setsched;
  allow chrome_sandbox_t self:fifo_file manage_file_perms;
-diff -up serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te
---- serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te.ptrace	2011-10-05 14:34:03.302103345 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/cpufreqselector.te	2011-10-05 14:34:03.759103830 -0400
-@@ -14,7 +14,11 @@ application_domain(cpufreqselector_t, cp
- # cpufreq-selector local policy
- #
- 
--allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
-+allow cpufreqselector_t self:capability sys_nice;
-+tunable_policy(`allow_ptrace',`
-+	allow cpufreqselector_t self:capability sys_ptrace;
-+')
-+
- allow cpufreqselector_t self:process getsched;
- allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
- allow cpufreqselector_t self:process getsched;
 diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if
---- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace	2011-10-05 14:34:03.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if	2011-10-05 14:35:10.651174871 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace	2011-10-11 16:42:16.044761602 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/execmem.if	2011-10-11 16:42:16.089761589 -0400
 @@ -59,7 +59,7 @@ template(`execmem_role_template',`
  	userdom_unpriv_usertype($1, $1_execmem_t)
  
@@ -223,8 +200,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.
  
  	files_execmod_tmp($1_execmem_t)
 diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if
---- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace	2011-10-05 14:34:03.307103350 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if	2011-10-05 14:34:03.760103831 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace	2011-10-11 16:42:15.617761723 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/gnome.if	2011-10-11 16:42:16.090761589 -0400
 @@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',`
  	auth_use_nsswitch($1_gkeyringd_t)
  
@@ -235,37 +212,9 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10
  	dontaudit $3 gkeyringd_exec_t:file entrypoint;
  
  	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
-diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.te
---- serefpolicy-3.10.0/policy/modules/apps/gnome.te.ptrace	2011-10-05 14:34:03.308103351 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/gnome.te	2011-10-05 14:34:03.761103832 -0400
-@@ -119,7 +119,11 @@ optional_policy(`
- # gconf-defaults-mechanisms local policy
- #
- 
--allow gconfdefaultsm_t self:capability { dac_override sys_nice sys_ptrace };
-+allow gconfdefaultsm_t self:capability { dac_override sys_nice };
-+tunable_policy(`allow_ptrace',`
-+	allow gconfdefaultsm_t self:capability sys_ptrace;
-+')
-+
- allow gconfdefaultsm_t self:process getsched;
- allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
- 
-@@ -168,7 +172,10 @@ tunable_policy(`use_samba_home_dirs',`
- # gnome-system-monitor-mechanisms local policy
- #
- 
--allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
-+allow gnomesystemmm_t self:capability sys_nice;
-+tunable_policy(`allow_ptrace',`
-+	allow gnomesystemmm_t self:capability sys_ptrace;
-+')
- allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
- 
- kernel_read_system_state(gnomesystemmm_t)
 diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if
---- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace	2011-10-05 14:34:03.311103354 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/irc.if	2011-10-05 14:34:03.761103832 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace	2011-10-11 16:42:15.620761723 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/irc.if	2011-10-11 16:42:16.091761589 -0400
 @@ -33,7 +33,7 @@ interface(`irc_role',`
  
  	domtrans_pattern($2, irssi_exec_t, irssi_t)
@@ -276,8 +225,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0
  
  	manage_dirs_pattern($2, irssi_home_t, irssi_home_t)
 diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if
---- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace	2011-10-05 14:34:03.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/java.if	2011-10-05 14:35:00.396163979 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace	2011-10-11 16:42:16.045761602 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/java.if	2011-10-11 16:42:16.091761589 -0400
 @@ -76,11 +76,11 @@ template(`java_role_template',`
  	userdom_manage_tmpfs_role($2)
  	userdom_manage_tmpfs($1_java_t)
@@ -292,15 +241,28 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.
  
  	domtrans_pattern($3, java_exec_t, $1_java_t)
  
+diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0/policy/modules/apps/kde.te
+--- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace	2011-10-11 16:42:15.624761721 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/kde.te	2011-10-11 16:42:16.092761589 -0400
+@@ -13,9 +13,6 @@ dbus_system_domain(kdebacklighthelper_t,
+ #
+ # backlighthelper local policy
+ #
+-
+-dontaudit kdebacklighthelper_t self:capability sys_ptrace;
+-
+ allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
+ 
+ kernel_read_system_state(kdebacklighthelper_t)
 diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te
---- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace	2011-10-05 14:34:03.315103358 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te	2011-10-05 14:34:03.763103834 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace	2011-10-11 16:42:15.626761720 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/livecd.te	2011-10-11 16:42:16.092761589 -0400
 @@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t)
  
  dontaudit livecd_t self:capability2 mac_admin;
  
 -domain_ptrace_all_domains(livecd_t)
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	domain_ptrace_all_domains(livecd_t)
 +')
 +
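Review bot: Removing `dontaudit kdebacklighthelper_t self:capability sys_ptrace;` from the patched kde.te turns a previously silenced denial into an audited one, so any sys_ptrace attempt by that helper will now show up as an AVC denial in the audit log; the dontaudit removals for mozilla_plugin_t below and for chrome_sandbox_t and shorewall_t earlier in this file have the same effect. If surfacing these denials is part of the deny_ptrace intent, a sentence in the commit message would make that explicit; if not, the dontaudit lines should stay.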
@@ -308,8 +270,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.1
  
  manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
 diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if
---- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace	2011-10-05 14:34:03.724103793 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mono.if	2011-10-05 14:34:03.764103835 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace	2011-10-11 16:42:16.045761602 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mono.if	2011-10-11 16:42:16.093761589 -0400
 @@ -40,8 +40,8 @@ template(`mono_role_template',`
  	domain_interactive_fd($1_mono_t)
  	application_type($1_mono_t)
@@ -323,7 +285,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.
  
 diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te
 --- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mono.te	2011-10-05 14:34:03.765103836 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mono.te	2011-10-11 16:42:16.093761589 -0400
 @@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
  # Local policy
  #
@@ -334,8 +296,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.
  init_dbus_chat_script(mono_t)
  
 diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if
---- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace	2011-10-05 14:34:03.724103793 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if	2011-10-05 14:34:03.765103836 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace	2011-10-11 16:42:16.046761602 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if	2011-10-11 16:42:16.094761589 -0400
 @@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',`
  	allow mozilla_plugin_t $1:sem create_sem_perms;
  
@@ -345,9 +307,22 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.
  ')
  
  ########################################
+diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.te
+--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace	2011-10-11 16:42:16.023761608 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te	2011-10-11 16:42:16.094761589 -0400
+@@ -300,9 +300,6 @@ optional_policy(`
+ #
+ # mozilla_plugin local policy
+ #
+-
+-dontaudit mozilla_plugin_t self:capability { sys_ptrace };
+-
+ allow mozilla_plugin_t self:process { setsched signal_perms execmem };
+ allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+ allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace	2011-10-05 14:34:03.726103795 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if	2011-10-05 14:34:03.766103837 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace	2011-10-11 16:42:16.047761602 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if	2011-10-11 16:42:16.095761589 -0400
 @@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', `
  	dontaudit nsplugin_t $2:shm destroy;
  	allow $2 nsplugin_t:sem rw_sem_perms;
@@ -358,8 +333,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3
  
  	# Connect to pulseaudit server
 diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
---- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace	2011-10-05 14:34:03.726103795 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te	2011-10-05 14:34:03.766103837 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace	2011-10-11 16:42:16.047761602 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te	2011-10-11 16:42:16.096761589 -0400
 @@ -54,7 +54,7 @@ application_executable_file(nsplugin_con
  #
  dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
@@ -370,8 +345,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3
  allow nsplugin_t self:sem create_sem_perms;
  allow nsplugin_t self:shm create_shm_perms;
 diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if
---- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace	2011-10-05 14:34:03.323103367 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if	2011-10-05 14:34:03.767103838 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace	2011-10-11 16:42:15.634761718 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if	2011-10-11 16:42:16.096761589 -0400
 @@ -69,7 +69,7 @@ interface(`openoffice_role_template',`
  
  	allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
@@ -382,8 +357,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy
  
  	domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
 diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te
---- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace	2011-10-05 14:34:03.705103773 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te	2011-10-05 14:34:03.768103840 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace	2011-10-11 16:42:16.023761608 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te	2011-10-11 16:42:16.097761589 -0400
 @@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t)
  # podsleuth local policy
  #
@@ -396,7 +371,7 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-
  allow podsleuth_t self:sem create_sem_perms;
 diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if
 --- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/uml.if	2011-10-05 14:34:03.768103840 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/uml.if	2011-10-11 16:42:16.098761588 -0400
 @@ -31,9 +31,9 @@ interface(`uml_role',`
  	allow $2 uml_t:unix_dgram_socket sendto;
  	allow uml_t $2:unix_dgram_socket sendto;
@@ -410,8 +385,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0
  	allow $2 uml_ro_t:dir list_dir_perms;
  	read_files_pattern($2, uml_ro_t, uml_ro_t)
 diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te
---- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace	2011-10-05 14:34:03.335103380 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/uml.te	2011-10-05 14:34:03.769103841 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace	2011-10-11 16:42:15.645761715 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/uml.te	2011-10-11 16:42:16.098761588 -0400
 @@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t)
  #
  
@@ -421,25 +396,9 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0
  allow uml_t self:unix_stream_socket create_stream_socket_perms;
  allow uml_t self:unix_dgram_socket create_socket_perms;
  # Use the network.
-diff -up serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace serefpolicy-3.10.0/policy/modules/apps/vmware.te
---- serefpolicy-3.10.0/policy/modules/apps/vmware.te.ptrace	2011-10-05 14:34:03.338103383 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/vmware.te	2011-10-05 14:34:03.770103842 -0400
-@@ -72,7 +72,11 @@ ifdef(`enable_mcs',`
- # VMWare host local policy
- #
- 
--allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
-+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
-+tunable_policy(`allow_ptrace',`
-+	allow vmware_host_t self:capability sys_ptrace;
-+')
-+
- dontaudit vmware_host_t self:capability sys_tty_config;
- allow vmware_host_t self:process { execstack execmem signal_perms };
- allow vmware_host_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if
---- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace	2011-10-05 14:34:03.729103798 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/wine.if	2011-10-05 14:34:03.771103843 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace	2011-10-11 16:42:16.050761600 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/wine.if	2011-10-11 16:42:16.099761587 -0400
 @@ -100,7 +100,7 @@ template(`wine_role_template',`
  	role $2 types $1_wine_t;
  
@@ -450,30 +409,36 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.
  	corecmd_bin_domtrans($1_wine_t, $1_t)
  
 diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te
---- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace	2011-10-05 14:34:03.352103398 -0400
-+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te	2011-10-05 14:34:03.771103843 -0400
+--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace	2011-10-11 16:42:15.662761711 -0400
++++ serefpolicy-3.10.0/policy/modules/kernel/domain.te	2011-10-11 16:42:16.225761551 -0400
 @@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo
  allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
  
  # Act upon any other process.
 -allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
 +allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow unconfined_domain_type domain:process ptrace;
 +')
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
+@@ -312,3 +315,5 @@ optional_policy(`
+ optional_policy(`
+ 	seutil_dontaudit_read_config(domain)
+ ')
++
++dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te
---- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace	2011-10-05 14:34:03.360103406 -0400
-+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te	2011-10-05 14:34:03.772103844 -0400
+--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace	2011-10-11 16:42:15.670761708 -0400
++++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te	2011-10-11 16:42:16.101761586 -0400
 @@ -191,7 +191,11 @@ sid tcp_socket		gen_context(system_u:obj
  # kernel local policy
  #
  
 -allow kernel_t self:capability *;
 +allow kernel_t self:capability ~{ sys_ptrace };
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow kernel_t self:capability sys_ptrace;
 +')
 +
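Review bot: The new global rule `dontaudit domain domain:process { noatsecure siginh rlimitinh } ;` in domain.te carries no comment explaining why every domain pair is silenced, and the rationale currently exists only in the commit message; add a comment above it such as `# Transitions between confined domains routinely lack noatsecure/siginh/rlimitinh; silence these once here instead of per domain pair.`. The stray space before the semicolon is also inconsistent with the other rules in the file; write `dontaudit domain domain:process { noatsecure siginh rlimitinh };`. Because the rule lives in the base domain module it presumably also covers unconfined domains and any domain added later, so a genuine siginh/rlimitinh problem will no longer be visible in the audit log; that trade-off is worth stating in the comment.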
@@ -490,8 +455,8 @@ diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3
  gen_require(`
  	bool secure_mode_insmod;
 diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te
---- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace	2011-10-05 14:34:03.367103414 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te	2011-10-05 14:34:03.772103844 -0400
+--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace	2011-10-11 16:42:15.678761705 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te	2011-10-11 16:42:16.102761586 -0400
 @@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
  # database admin local policy
  #
@@ -503,7 +468,7 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.1
  files_delete_generic_locks(dbadm_t)
 diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te
 --- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te	2011-10-05 14:34:03.773103845 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/logadm.te	2011-10-11 16:42:16.103761586 -0400
 @@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
  # logadmin local policy
  #
@@ -513,8 +478,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.
 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
  logging_admin(logadm_t, logadm_r)
 diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te
---- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace	2011-10-05 14:34:03.706103774 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te	2011-10-05 14:34:03.774103846 -0400
+--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace	2011-10-11 16:42:16.051761600 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te	2011-10-11 16:42:16.104761586 -0400
 @@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
  # Declarations
  #
@@ -529,9 +494,18 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.
  role sysadm_r;
  
  userdom_admin_user_template(sysadm)
+@@ -86,7 +79,7 @@ ifndef(`enable_mls',`
+ 	logging_stream_connect_syslog(sysadm_t)
+ ')
+ 
+-tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
+ 	domain_ptrace_all_domains(sysadm_t)
+ ')
+ 
 diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te
---- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace	2011-10-05 14:34:03.372103419 -0400
-+++ serefpolicy-3.10.0/policy/modules/roles/webadm.te	2011-10-05 14:34:03.774103846 -0400
+--- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace	2011-10-11 16:42:15.683761705 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/webadm.te	2011-10-11 16:42:16.104761586 -0400
 @@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
  # webadmin local policy
  #
@@ -542,8 +516,8 @@ diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.
  files_dontaudit_search_all_dirs(webadm_t)
  files_manage_generic_locks(webadm_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if
---- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace	2011-10-05 14:34:03.374103421 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/abrt.if	2011-10-05 14:34:03.775103847 -0400
+--- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace	2011-10-11 16:42:15.684761704 -0400
++++ serefpolicy-3.10.0/policy/modules/services/abrt.if	2011-10-11 16:42:16.106761585 -0400
 @@ -333,9 +333,13 @@ interface(`abrt_admin',`
  		type abrt_initrc_exec_t;
  	')
@@ -552,7 +526,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3
 +	allow $1 abrt_t:process { signal_perms };
  	ps_process_pattern($1, abrt_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 abrt_t:process ptrace;
 +	')
 +
@@ -560,8 +534,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3
  	domain_system_change_exemption($1)
  	role_transition $2 abrt_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if
---- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace	2011-10-05 14:34:03.375103422 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/accountsd.if	2011-10-05 14:34:03.775103847 -0400
+--- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace	2011-10-11 16:42:15.686761703 -0400
++++ serefpolicy-3.10.0/policy/modules/services/accountsd.if	2011-10-11 16:42:16.106761585 -0400
 @@ -138,8 +138,12 @@ interface(`accountsd_admin',`
  		type accountsd_t;
  	')
@@ -570,16 +544,16 @@ diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpol
 +	allow $1 accountsd_t:process signal_perms;
  	ps_process_pattern($1, accountsd_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 acountsd_t:process ptrace;
 +	')
 +
  	accountsd_manage_lib_files($1)
  ')
 diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te
---- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace	2011-10-05 14:34:03.376103423 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/accountsd.te	2011-10-05 14:34:03.776103848 -0400
-@@ -19,10 +19,14 @@ files_type(accountsd_var_lib_t)
+--- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace	2011-10-11 16:42:15.686761703 -0400
++++ serefpolicy-3.10.0/policy/modules/services/accountsd.te	2011-10-11 16:42:16.107761584 -0400
+@@ -19,7 +19,7 @@ files_type(accountsd_var_lib_t)
  # accountsd local policy
  #
  
@@ -588,16 +562,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpol
  allow accountsd_t self:process signal;
  allow accountsd_t self:fifo_file rw_fifo_file_perms;
  
-+tunable_policy(`allow_ptrace',`
-+	allow accountsd_t self:capability sys_ptrace;
-+')
-+
- manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
- manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
- files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, { file dir })
 diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if
---- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace	2011-10-05 14:34:03.376103423 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/afs.if	2011-10-05 14:34:03.776103848 -0400
+--- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace	2011-10-11 16:42:15.686761703 -0400
++++ serefpolicy-3.10.0/policy/modules/services/afs.if	2011-10-11 16:42:16.107761584 -0400
 @@ -97,9 +97,13 @@ interface(`afs_admin',`
  		type afs_t, afs_initrc_exec_t;
  	')
@@ -606,7 +573,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.
 +	allow $1 afs_t:process signal_perms;
  	ps_process_pattern($1, afs_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 afs_t:process ptrace;
 +	')
 +
@@ -615,7 +582,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if
 --- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/aiccu.if	2011-10-05 14:34:03.777103849 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aiccu.if	2011-10-11 16:42:16.108761584 -0400
 @@ -79,9 +79,13 @@ interface(`aiccu_admin',`
  		type aiccu_var_run_t;
  	')
@@ -624,7 +591,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-
 +	allow $1 aiccu_t:process signal_perms;
  	ps_process_pattern($1, aiccu_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 aiccu_t:process ptrace;
 +	')
 +
@@ -632,8 +599,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
  	role_transition $2 aiccu_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if
---- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace	2011-10-05 14:34:03.378103425 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/aide.if	2011-10-05 14:34:03.778103850 -0400
+--- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace	2011-10-11 16:42:15.689761703 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aide.if	2011-10-11 16:42:16.108761584 -0400
 @@ -61,9 +61,13 @@ interface(`aide_admin',`
  		type aide_t, aide_db_t, aide_log_t;
  	')
@@ -642,7 +609,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3
 +	allow $1 aide_t:process signal_perms;
  	ps_process_pattern($1, aide_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 aide_t:process ptrace;
 +	')
 +
@@ -650,8 +617,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3
  	admin_pattern($1, aide_db_t)
  
 diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if
---- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace	2011-10-05 14:34:03.379103426 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/aisexec.if	2011-10-05 14:34:03.778103850 -0400
+--- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace	2011-10-11 16:42:15.690761703 -0400
++++ serefpolicy-3.10.0/policy/modules/services/aisexec.if	2011-10-11 16:42:16.109761584 -0400
 @@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
  		type aisexec_initrc_exec_t;
  	')
@@ -660,7 +627,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolic
 +	allow $1 aisexec_t:process signal_perms;
  	ps_process_pattern($1, aisexec_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 aisexec_t:process ptrace;
 +	')
 +
@@ -668,8 +635,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolic
  	domain_system_change_exemption($1)
  	role_transition $2 aisexec_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if
---- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace	2011-10-05 14:34:03.381103429 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if	2011-10-05 14:34:03.779103851 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace	2011-10-11 16:42:15.691761702 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if	2011-10-11 16:42:16.109761584 -0400
 @@ -76,9 +76,13 @@ interface(`ajaxterm_admin',`
  		type ajaxterm_t, ajaxterm_initrc_exec_t;
  	')
@@ -678,7 +645,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpoli
 +	allow $1 ajaxterm_t:process signal_perms;
  	ps_process_pattern($1, ajaxterm_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ajaxterm_t:process ptrace;
 +	')
 +
@@ -687,7 +654,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpoli
  	role_transition $2 ajaxterm_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if
 --- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/amavis.if	2011-10-05 14:34:03.779103851 -0400
++++ serefpolicy-3.10.0/policy/modules/services/amavis.if	2011-10-11 16:42:16.110761584 -0400
 @@ -231,9 +231,13 @@ interface(`amavis_admin',`
  		type amavis_initrc_exec_t;
  	')
@@ -696,7 +663,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy
 +	allow $1 amavis_t:process signal_perms;
  	ps_process_pattern($1, amavis_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 amavis_t:process ptrace;
 +	')
 +
@@ -704,9 +671,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if
---- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace	2011-10-05 14:34:03.744103814 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/apache.if	2011-10-05 14:34:03.780103852 -0400
-@@ -1301,9 +1301,13 @@ interface(`apache_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace	2011-10-11 16:42:16.076761593 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apache.if	2011-10-11 16:42:16.111761584 -0400
+@@ -1297,9 +1297,13 @@ interface(`apache_admin',`
  		type httpd_unit_file_t;
  	')
  
@@ -714,7 +681,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy
 +	allow $1 httpd_t:process signal_perms;
  	ps_process_pattern($1, httpd_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 httpd_t:process ptrace;
 +	')
 +
@@ -723,7 +690,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy
  	role_transition $2 httpd_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if
 --- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if	2011-10-05 14:34:03.781103853 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if	2011-10-11 16:42:16.111761584 -0400
 @@ -146,9 +146,13 @@ interface(`apcupsd_admin',`
  		type apcupsd_initrc_exec_t;
  	')
@@ -732,16 +699,28 @@ diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolic
 +	allow $1 apcupsd_t:process signal_perms;
  	ps_process_pattern($1, apcupsd_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 apcupsd_t:process ptrace;
 +	')
 +
  	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 apcupsd_initrc_exec_t system_r;
+diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3.10.0/policy/modules/services/apm.te
+--- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace	2011-10-11 16:42:15.697761701 -0400
++++ serefpolicy-3.10.0/policy/modules/services/apm.te	2011-10-11 16:42:16.112761584 -0400
+@@ -60,7 +60,7 @@ logging_send_syslog_msg(apm_t)
+ # mknod: controlling an orderly resume of PCMCIA requires creating device
+ # nodes 254,{0,1,2} for some reason.
+ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
++dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
+ allow apmd_t self:process { signal_perms getsession };
+ allow apmd_t self:fifo_file rw_fifo_file_perms;
+ allow apmd_t self:netlink_socket create_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if
---- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace	2011-10-05 14:34:03.387103435 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if	2011-10-05 14:34:03.781103853 -0400
+--- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace	2011-10-11 16:42:15.698761701 -0400
++++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if	2011-10-11 16:42:16.113761583 -0400
 @@ -137,9 +137,13 @@ interface(`arpwatch_admin',`
  		type arpwatch_initrc_exec_t;
  	')
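Review bot: Dropping sys_ptrace from `dontaudit apmd_t self:capability { … sys_tty_config };` in the new apm.te section means any sys_ptrace attempt by apmd_t is now logged as an AVC denial rather than silently discarded, and it is done unconditionally, with no deny_ptrace gate, unlike the process:ptrace rules in the surrounding .if hunks. That is a reasonable detection choice if apmd is never expected to use it, but it is not stated anywhere; the cobbler.te section added later in this chunk makes the same change to `dontaudit cobblerd_t self:capability`. A one-line comment above each rule, e.g. `# sys_ptrace deliberately not dontaudited: denials should be visible`, would record the intent for the next person who sees the new denials in the audit log.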
@@ -750,7 +729,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpoli
 +	allow $1 arpwatch_t:process signal_perms;
  	ps_process_pattern($1, arpwatch_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 arpwatch_t:process ptrace;
 +	')
 +
@@ -758,8 +737,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpoli
  	domain_system_change_exemption($1)
  	role_transition $2 arpwatch_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if
---- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace	2011-10-05 14:34:03.389103437 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/asterisk.if	2011-10-05 14:34:03.782103854 -0400
+--- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace	2011-10-11 16:42:15.699761701 -0400
++++ serefpolicy-3.10.0/policy/modules/services/asterisk.if	2011-10-11 16:42:16.113761583 -0400
 @@ -64,9 +64,13 @@ interface(`asterisk_admin',`
  		type asterisk_initrc_exec_t;
  	')
@@ -768,7 +747,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpoli
 +	allow $1 asterisk_t:process signal_perms;
  	ps_process_pattern($1, asterisk_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 asterisk_t:process ptrace;
 +	')
 +
@@ -776,8 +755,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpoli
  	domain_system_change_exemption($1)
  	role_transition $2 asterisk_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if
---- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace	2011-10-05 14:34:03.390103438 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/automount.if	2011-10-05 14:34:03.783103855 -0400
+--- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace	2011-10-11 16:42:15.700761701 -0400
++++ serefpolicy-3.10.0/policy/modules/services/automount.if	2011-10-11 16:42:16.114761582 -0400
 @@ -150,9 +150,13 @@ interface(`automount_admin',`
  		type automount_var_run_t, automount_initrc_exec_t;
  	')
@@ -786,7 +765,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpol
 +	allow $1 automount_t:process signal_perms;
  	ps_process_pattern($1, automount_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 automount_t:process ptrace;
 +	')
 +
@@ -794,8 +773,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpol
  	domain_system_change_exemption($1)
  	role_transition $2 automount_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if
---- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace	2011-10-05 14:34:03.391103439 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/avahi.if	2011-10-05 14:34:03.783103855 -0400
+--- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace	2011-10-11 16:42:15.701761700 -0400
++++ serefpolicy-3.10.0/policy/modules/services/avahi.if	2011-10-11 16:42:16.114761582 -0400
 @@ -154,9 +154,13 @@ interface(`avahi_admin',`
  		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
  	')
@@ -804,7 +783,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-
 +	allow $1 avahi_t:process signal_perms;
  	ps_process_pattern($1, avahi_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 avahi_t:process ptrace;
 +	')
 +
@@ -812,9 +791,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
  	role_transition $2 avahi_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if
---- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace	2011-10-05 14:34:03.393103441 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/bind.if	2011-10-05 14:34:03.784103857 -0400
-@@ -409,12 +409,20 @@ interface(`bind_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace	2011-10-11 16:42:15.702761699 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bind.if	2011-10-11 16:42:16.115761582 -0400
+@@ -408,12 +408,20 @@ interface(`bind_admin',`
  		type dnssec_t, ndc_t, named_keytab_t;
  	')
  
@@ -823,14 +802,14 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3
  	ps_process_pattern($1, named_t)
  
 -	allow $1 ndc_t:process { ptrace signal_perms };
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 named_t:process ptrace;
 +	')
 +
 +	allow $1 ndc_t:process signal_perms;
  	ps_process_pattern($1, ndc_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ndc_t:process ptrace;
 +	')
 +
@@ -839,7 +818,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3
  	init_labeled_script_domtrans($1, named_initrc_exec_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if
 --- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if	2011-10-05 14:34:03.784103857 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if	2011-10-11 16:42:16.116761582 -0400
 @@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
  		type bitlbee_initrc_exec_t;
  	')
@@ -848,7 +827,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolic
 +	allow $1 bitlbee_t:process signal_perms;
  	ps_process_pattern($1, bitlbee_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 bitlbee_t:process ptrace;
 +	')
 +
@@ -856,8 +835,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolic
  	domain_system_change_exemption($1)
  	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if
---- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace	2011-10-05 14:34:03.395103443 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if	2011-10-05 14:34:03.785103858 -0400
+--- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace	2011-10-11 16:42:15.705761698 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if	2011-10-11 16:42:16.116761582 -0400
 @@ -28,7 +28,11 @@ interface(`bluetooth_role',`
  
  	# allow ps to show cdrecord and allow the user to kill it
@@ -865,7 +844,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpol
 -	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
 +	allow $2 bluetooth_helper_t:process signal_perms;
 +
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 bluetooth_helper_t:process ptrace;
 +	')
  
@@ -879,7 +858,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpol
 +	allow $1 bluetooth_t:process signal_perms;
  	ps_process_pattern($1, bluetooth_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 bluetooth_t:process ptrace;
 +	')
 +
@@ -887,8 +866,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpol
  	domain_system_change_exemption($1)
  	role_transition $2 bluetooth_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if
---- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace	2011-10-05 14:34:03.396103444 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/boinc.if	2011-10-05 14:34:03.785103858 -0400
+--- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace	2011-10-11 16:42:15.706761698 -0400
++++ serefpolicy-3.10.0/policy/modules/services/boinc.if	2011-10-11 16:42:16.117761582 -0400
 @@ -137,9 +137,13 @@ interface(`boinc_admin',`
  		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
  	')
@@ -897,7 +876,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-
 +	allow $1 boinc_t:process signal_perms;
  	ps_process_pattern($1, boinc_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 boic_t:process ptrace;
 +	')
 +
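Review bot: `allow $1 boic_t:process ptrace;` names a type that does not exist — the interface's gen_require and the preceding lines use `boinc_t` — so the rule either fails the module build as an undeclared type or, at best, never grants what it was meant to, and the deny_ptrace change leaves it untouched. The line should read `allow $1 boinc_t:process ptrace;`. The same misspelling defect appears in the cgroup.if hunk below (`cglear_t`, which should be `cgclear_t`, in the block that follows `ps_process_pattern($1, cgclear_t)`) and in the cmirrord.if hunk (`cmorrord_t`, which should be `cmirrord_t`). These are context lines in this commit, but they are what ships on the new side of ptrace.patch. The enclosing interface starts outside the hunk.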
@@ -905,8 +884,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
  	role_transition $2 boinc_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te
---- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace	2011-10-05 14:34:03.709103777 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/boinc.te	2011-10-05 14:34:03.786103859 -0400
+--- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace	2011-10-11 16:42:16.027761608 -0400
++++ serefpolicy-3.10.0/policy/modules/services/boinc.te	2011-10-11 16:42:16.117761582 -0400
 @@ -121,9 +121,13 @@ mta_send_mail(boinc_t)
  domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
  allow boinc_t boinc_project_t:process sigkill;
@@ -915,7 +894,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-
 +allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop };
  allow boinc_project_t self:process { execmem execstack };
  
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow boinc_project_t self:process ptrace;
 +')
 +
@@ -923,8 +902,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-
  allow boinc_project_t self:sem create_sem_perms;
  
 diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if
---- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace	2011-10-05 14:34:03.398103447 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if	2011-10-05 14:34:03.787103860 -0400
+--- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace	2011-10-11 16:42:15.707761698 -0400
++++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if	2011-10-11 16:42:16.118761582 -0400
 @@ -62,9 +62,13 @@ interface(`bugzilla_admin',`
          type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
      ')
@@ -933,7 +912,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpoli
 +	allow $1 httpd_bugzilla_script_t:process signal_perms;
  	ps_process_pattern($1, httpd_bugzilla_script_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 httpd_bugzilla_script_t:process ptrace;
 +	')
 +
@@ -941,8 +920,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpoli
  	admin_pattern($1, httpd_bugzilla_tmp_t)
  
 diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if
---- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace	2011-10-05 14:34:03.400103449 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/callweaver.if	2011-10-05 14:34:03.787103860 -0400
+--- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace	2011-10-11 16:42:15.710761696 -0400
++++ serefpolicy-3.10.0/policy/modules/services/callweaver.if	2011-10-11 16:42:16.119761582 -0400
 @@ -336,9 +336,13 @@ interface(`callweaver_admin',`
  		type callweaver_spool_t;
  	')
@@ -951,7 +930,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpo
 +	allow $1 callweaver_t:process signal_perms;
  	ps_process_pattern($1, callweaver_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 callweaver_t:process ptrace;
 +	')
 +
@@ -960,7 +939,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpo
  	role_transition $2 callweaver_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if
 --- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/canna.if	2011-10-05 14:34:03.788103861 -0400
++++ serefpolicy-3.10.0/policy/modules/services/canna.if	2011-10-11 16:42:16.119761582 -0400
 @@ -42,9 +42,13 @@ interface(`canna_admin',`
  		type canna_var_run_t, canna_initrc_exec_t;
  	')
@@ -969,7 +948,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-
 +	allow $1 canna_t:process signal_perms;
  	ps_process_pattern($1, canna_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 canna_t:process ptrace;
 +	')
 +
@@ -977,8 +956,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
  	role_transition $2 canna_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if
---- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace	2011-10-05 14:34:03.403103452 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/certmaster.if	2011-10-05 14:34:03.788103861 -0400
+--- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace	2011-10-11 16:42:15.713761696 -0400
++++ serefpolicy-3.10.0/policy/modules/services/certmaster.if	2011-10-11 16:42:16.120761581 -0400
 @@ -119,9 +119,13 @@ interface(`certmaster_admin',`
  		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
  	')
@@ -987,7 +966,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpo
 +	allow $1 certmaster_t:process signal_perms;
  	ps_process_pattern($1, certmaster_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 certmaster_t:process ptrace;
 +	')
 +
@@ -995,8 +974,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpo
  	domain_system_change_exemption($1)
  	role_transition $2 certmaster_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if
---- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace	2011-10-05 14:34:03.405103454 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/certmonger.if	2011-10-05 14:34:03.790103863 -0400
+--- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace	2011-10-11 16:42:15.714761696 -0400
++++ serefpolicy-3.10.0/policy/modules/services/certmonger.if	2011-10-11 16:42:16.120761581 -0400
 @@ -158,7 +158,11 @@ interface(`certmonger_admin',`
  	')
  
@@ -1004,15 +983,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpo
 -	allow $1 certmonger_t:process { ptrace signal_perms };
 +	allow $1 certmonger_t:process signal_perms;
 +
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 certmonger_t:process ptrace;
 +	')
  
  	# Allow certmonger_t to restart the apache service
  	certmonger_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if
---- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace	2011-10-05 14:34:03.407103456 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cgroup.if	2011-10-05 14:34:03.790103863 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace	2011-10-11 16:42:15.716761695 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cgroup.if	2011-10-11 16:42:16.121761580 -0400
 @@ -171,15 +171,27 @@ interface(`cgroup_admin',`
  		type cgrules_etc_t, cgclear_t;
  	')
@@ -1022,7 +1001,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy
  	ps_process_pattern($1, cgclear_t)
  
 -	allow $1 cgconfig_t:process { ptrace signal_perms };
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 cglear_t:process ptrace;
 +	')
 +
@@ -1030,14 +1009,14 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy
  	ps_process_pattern($1, cgconfig_t)
  
 -	allow $1 cgred_t:process { ptrace signal_perms };
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 cgconfig_t:process ptrace;
 +	')
 +
 +	allow $1 cgred_t:process signal_perms;
  	ps_process_pattern($1, cgred_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 cgred_t:process ptrace;
 +	')
 +
@@ -1045,25 +1024,22 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy
  	admin_pattern($1, cgrules_etc_t)
  	files_list_etc($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te
---- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace	2011-10-05 14:34:03.407103456 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cgroup.te	2011-10-05 14:34:03.791103864 -0400
-@@ -76,7 +76,11 @@ fs_unmount_cgroup(cgconfig_t)
+--- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace	2011-10-11 16:42:15.717761694 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cgroup.te	2011-10-11 16:42:16.121761580 -0400
+@@ -76,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t)
  # cgred personal policy.
  #
  
 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
 +allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override };
-+tunable_policy(`allow_ptrace',`
-+	allow cgred_t self:capability sys_ptrace;
-+')
 +
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
  
 diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if
---- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace	2011-10-05 14:34:03.408103457 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/chronyd.if	2011-10-05 14:34:03.791103864 -0400
-@@ -218,9 +218,13 @@ interface(`chronyd_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace	2011-10-11 16:42:15.718761694 -0400
++++ serefpolicy-3.10.0/policy/modules/services/chronyd.if	2011-10-11 16:42:16.122761580 -0400
+@@ -217,9 +217,13 @@ interface(`chronyd_admin',`
  		type chronyd_keys_t;
  	')
  
@@ -1071,7 +1047,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolic
 +	allow $1 chronyd_t:process signal_perms;
  	ps_process_pattern($1, chronyd_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 chronyd_t:process ptrace;
 +	')
 +
@@ -1079,8 +1055,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolic
  	domain_system_change_exemption($1)
  	role_transition $2 chronyd_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if
---- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace	2011-10-05 14:34:03.410103459 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/clamav.if	2011-10-05 14:34:03.792103865 -0400
+--- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace	2011-10-11 16:42:15.720761694 -0400
++++ serefpolicy-3.10.0/policy/modules/services/clamav.if	2011-10-11 16:42:16.123761580 -0400
 @@ -176,13 +176,19 @@ interface(`clamav_admin',`
  		type freshclam_t, freshclam_var_log_t;
  	')
@@ -1090,7 +1066,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy
  	ps_process_pattern($1, clamd_t)
  
 -	allow $1 clamscan_t:process { ptrace signal_perms };
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 clamd_t:process ptrace;
 +		allow $1 clamscan_t:process ptrace;
 +		allow $1 freshclam_t:process ptrace;
@@ -1105,8 +1081,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy
  
  	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if
---- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace	2011-10-05 14:34:03.413103463 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if	2011-10-05 14:34:03.792103865 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace	2011-10-11 16:42:15.723761693 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if	2011-10-11 16:42:16.123761580 -0400
 @@ -101,9 +101,13 @@ interface(`cmirrord_admin',`
  		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
  	')
@@ -1115,7 +1091,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpoli
 +	allow $1 cmirrord_t:process signal_perms;
  	ps_process_pattern($1, cmirrord_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 cmorrord_t:process ptrace;
 +	')
 +
@@ -1123,8 +1099,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpoli
  	domain_system_change_exemption($1)
  	role_transition $2 cmirrord_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if
---- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace	2011-10-05 14:34:03.414103464 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cobbler.if	2011-10-05 14:34:03.793103866 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace	2011-10-11 16:42:15.724761692 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cobbler.if	2011-10-11 16:42:16.124761580 -0400
 @@ -189,9 +189,13 @@ interface(`cobblerd_admin',`
  		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
  	')
@@ -1133,16 +1109,28 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolic
 +	allow $1 cobblerd_t:process signal_perms;
  	ps_process_pattern($1, cobblerd_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 cobblerd_t:process ptrace;
 +	')
 +
  	files_list_etc($1)
  	admin_pattern($1, cobbler_etc_t)
  
+diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.te
+--- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace	2011-10-11 16:42:15.724761692 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cobbler.te	2011-10-11 16:42:16.124761580 -0400
+@@ -60,7 +60,7 @@ files_tmp_file(cobbler_tmp_t)
+ #
+ 
+ allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
+-dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
++dontaudit cobblerd_t self:capability sys_tty_config;
+ 
+ allow cobblerd_t self:process { getsched setsched signal };
+ allow cobblerd_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if
---- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace	2011-10-05 14:34:03.416103466 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/collectd.if	2011-10-05 14:34:03.794103867 -0400
+--- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace	2011-10-11 16:42:15.725761692 -0400
++++ serefpolicy-3.10.0/policy/modules/services/collectd.if	2011-10-11 16:42:16.125761580 -0400
 @@ -142,9 +142,13 @@ interface(`collectd_admin',`
  	type collectd_var_lib_t;
  	')
@@ -1151,7 +1139,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpoli
 +	allow $1 collectd_t:process signal_perms;
  	ps_process_pattern($1, collectd_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 collectd_t:process ptrace;
 +	')
 +
@@ -1159,35 +1147,31 @@ diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpoli
  	domain_system_change_exemption($1)
  	role_transition $2 collectd_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te
---- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace	2011-10-05 14:34:03.418103468 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/consolekit.te	2011-10-05 14:34:03.794103867 -0400
-@@ -23,7 +23,12 @@ files_tmpfs_file(consolekit_tmpfs_t)
+--- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace	2011-10-11 16:42:15.727761692 -0400
++++ serefpolicy-3.10.0/policy/modules/services/consolekit.te	2011-10-11 16:42:16.125761580 -0400
+@@ -23,7 +23,8 @@ files_tmpfs_file(consolekit_tmpfs_t)
  # consolekit local policy
  #
  
 -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
 +allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
 +
-+tunable_policy(`allow_ptrace',`
-+	allow consolekit_t self:capability sys_ptrace;
-+')
-+
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -144,6 +149,8 @@ optional_policy(`
+@@ -144,6 +145,8 @@ optional_policy(`
  
  optional_policy(`
  	#reading .Xauthity
 -	unconfined_ptrace(consolekit_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		unconfined_ptrace(consolekit_t)
 +	')
  	unconfined_stream_connect(consolekit_t)
  ')
 diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if
---- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace	2011-10-05 14:34:03.419103469 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/corosync.if	2011-10-05 14:34:03.795103868 -0400
+--- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace	2011-10-11 16:42:15.728761692 -0400
++++ serefpolicy-3.10.0/policy/modules/services/corosync.if	2011-10-11 16:42:16.126761580 -0400
 @@ -101,9 +101,13 @@ interface(`corosyncd_admin',`
  		type corosync_initrc_exec_t;
  	')
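Review bot: In consolekit.te the `sys_ptrace` capability is dropped unconditionally at `+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };` (the removed allow_ptrace block is not replaced by a deny_ptrace branch), yet the second inner hunk keeps `unconfined_ptrace(consolekit_t)` in the else branch of deny_ptrace. If the "#reading .Xauthity" path presumably needs to read another uid's process via ptrace, the kernel's ptrace access check also requires CAP_SYS_PTRACE, so the process:ptrace grant alone would not be sufficient when deny_ptrace is off and the failure would now surface as a capability AVC rather than a process one. Either drop `unconfined_ptrace(consolekit_t)` together with the capability, or put `allow consolekit_t self:capability sys_ptrace;` inside the same else branch next to it. The unconditional capability removals in corosync.te, ctdbd.te, devicekit.te and fprintd.te look consistent with the "remove all ptrace" intent, since no process:ptrace grant is retained there in the visible hunks.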
@@ -1196,7 +1180,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpoli
 +	allow $1 corosync_t:process signal_perms;
  	ps_process_pattern($1, corosync_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 corosync_t:process ptrace;
 +	')
 +
@@ -1204,9 +1188,9 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpoli
  	domain_system_change_exemption($1)
  	role_transition $2 corosync_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te
---- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace	2011-10-05 14:34:03.419103469 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/corosync.te	2011-10-05 14:34:03.795103868 -0400
-@@ -32,9 +32,13 @@ files_pid_file(corosync_var_run_t)
+--- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace	2011-10-11 16:42:15.729761692 -0400
++++ serefpolicy-3.10.0/policy/modules/services/corosync.te	2011-10-11 16:42:16.126761580 -0400
+@@ -32,7 +32,7 @@ files_pid_file(corosync_var_run_t)
  # corosync local policy
  #
  
@@ -1214,16 +1198,10 @@ diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpoli
 +allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock };
  allow corosync_t self:process { setpgid setrlimit setsched signal signull };
  
-+tunable_policy(`allow_ptrace',`
-+	allow corosync_t self:capability sys_ptrace;
-+')
-+
  allow corosync_t self:fifo_file rw_fifo_file_perms;
- allow corosync_t self:sem create_sem_perms;
- allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
 diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if
---- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace	2011-10-05 14:34:03.423103473 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cron.if	2011-10-05 14:34:03.796103869 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace	2011-10-11 16:42:15.732761690 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cron.if	2011-10-11 16:42:16.127761579 -0400
 @@ -140,7 +140,11 @@ interface(`cron_role',`
  
  	# crontab shows up in user ps
@@ -1231,7 +1209,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3
 -	allow $2 crontab_t:process { ptrace signal_perms };
 +	allow $2 crontab_t:process signal_perms;
 +
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 crontab_t:process ptrace;
 +	')
  
@@ -1243,7 +1221,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3
  	ps_process_pattern($2, unconfined_cronjob_t)
 -	allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
 +	allow $2 unconfined_cronjob_t:process signal_perms;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 unconfined_cronjob_t:process ptrace;
 +	')
  
@@ -1255,15 +1233,26 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3
  	ps_process_pattern($2, admin_crontab_t)
 -	allow $2 admin_crontab_t:process { ptrace signal_perms };
 +	allow $2 admin_crontab_t:process signal_perms;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 admin_crontab_t:process ptrace;
 +	')
  
  	# Run helper programs as the user domain
  	#corecmd_bin_domtrans(admin_crontab_t, $2)
+diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3.10.0/policy/modules/services/cron.te
+--- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace	2011-10-11 16:42:16.027761608 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cron.te	2011-10-11 16:42:16.128761578 -0400
+@@ -350,7 +350,6 @@ optional_policy(`
+ #
+ 
+ allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+-dontaudit system_cronjob_t self:capability sys_ptrace;
+ 
+ allow system_cronjob_t self:process { signal_perms getsched setsched };
+ allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if
---- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace	2011-10-05 14:34:03.424103474 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if	2011-10-05 14:34:03.797103870 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace	2011-10-11 16:42:15.734761690 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if	2011-10-11 16:42:16.128761578 -0400
 @@ -236,8 +236,11 @@ interface(`ctdbd_admin',`
  		type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
  	')
@@ -1271,16 +1260,16 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-
 -	allow $1 ctdbd_t:process { ptrace signal_perms };
 +	allow $1 ctdbd_t:process signal_perms;
  	ps_process_pattern($1, ctdbd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ctdbd_t:process ptrace;
 +	')
  
  	ctdbd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te
---- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace	2011-10-05 14:34:03.425103475 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te	2011-10-05 14:34:03.797103870 -0400
-@@ -33,9 +33,13 @@ files_pid_file(ctdbd_var_run_t)
+--- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace	2011-10-11 16:42:15.734761690 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te	2011-10-11 16:42:16.129761578 -0400
+@@ -33,7 +33,7 @@ files_pid_file(ctdbd_var_run_t)
  # ctdbd local policy
  #
  
@@ -1288,16 +1277,10 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-
 +allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
  allow ctdbd_t self:process { setpgid signal_perms setsched };
  
-+tunable_policy(`allow_ptrace',`
-+	allow ctdbd_t self:capability sys_ptrace;
-+')
-+
  allow ctdbd_t self:fifo_file rw_fifo_file_perms;
- allow ctdbd_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if
---- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace	2011-10-05 14:34:03.426103476 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cups.if	2011-10-05 14:34:03.798103871 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace	2011-10-11 16:42:15.735761690 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cups.if	2011-10-11 16:42:16.130761578 -0400
 @@ -327,9 +327,13 @@ interface(`cups_admin',`
  		type ptal_var_run_t;
  	')
@@ -1306,7 +1289,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3
 +	allow $1 cupsd_t:process signal_perms;
  	ps_process_pattern($1, cupsd_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 cupsd_t:process ptrace;
 +	')
 +
@@ -1314,8 +1297,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3
  	domain_system_change_exemption($1)
  	role_transition $2 cupsd_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if
---- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace	2011-10-05 14:34:03.427103477 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cvs.if	2011-10-05 14:34:03.798103871 -0400
+--- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace	2011-10-11 16:42:15.737761690 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cvs.if	2011-10-11 16:42:16.131761578 -0400
 @@ -80,9 +80,13 @@ interface(`cvs_admin',`
  		type cvs_data_t, cvs_var_run_t;
  	')
@@ -1324,7 +1307,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.
 +	allow $1 cvs_t:process signal_perms;
  	ps_process_pattern($1, cvs_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 cvs_t:process ptrace;
 +	')
 +
@@ -1333,7 +1316,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if
 --- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/cyrus.if	2011-10-05 14:34:03.799103872 -0400
++++ serefpolicy-3.10.0/policy/modules/services/cyrus.if	2011-10-11 16:42:16.131761578 -0400
 @@ -62,9 +62,13 @@ interface(`cyrus_admin',`
  		type cyrus_var_run_t, cyrus_initrc_exec_t;
  	')
@@ -1342,7 +1325,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-
 +	allow $1 cyrus_t:process signal_perms;
  	ps_process_pattern($1, cyrus_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 cyrus_t:process ptrace;
 +	')
 +
@@ -1350,8 +1333,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
  	role_transition $2 cyrus_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if
---- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace	2011-10-05 14:34:03.431103482 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dbus.if	2011-10-05 14:34:03.800103874 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace	2011-10-11 16:42:15.740761689 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dbus.if	2011-10-11 16:42:16.132761578 -0400
 @@ -71,7 +71,11 @@ template(`dbus_role_template',`
  	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
  
@@ -1359,15 +1342,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3
 -	allow $3 $1_dbusd_t:process { ptrace signal_perms };
 +	allow $3 $1_dbusd_t:process signal_perms;
 +
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $3 $1_dbusd_t:process ptrace;
 +	')
  
  	# cjp: this seems very broken
  	corecmd_bin_domtrans($1_dbusd_t, $1_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if
---- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace	2011-10-05 14:34:03.433103484 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ddclient.if	2011-10-05 14:34:03.800103874 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace	2011-10-11 16:42:15.742761687 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ddclient.if	2011-10-11 16:42:16.132761578 -0400
 @@ -68,9 +68,13 @@ interface(`ddclient_admin',`
  		type ddclient_var_run_t;
  	')
@@ -1376,7 +1359,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpoli
 +	allow $1 ddclient_t:process signal_perms;
  	ps_process_pattern($1, ddclient_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ddclient_t:process ptrace;
 +	')
 +
@@ -1384,8 +1367,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpoli
  	domain_system_change_exemption($1)
  	role_transition $2 ddclient_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if
---- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace	2011-10-05 14:34:03.434103485 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if	2011-10-05 14:34:03.801103875 -0400
+--- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace	2011-10-11 16:42:15.744761687 -0400
++++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if	2011-10-11 16:42:16.133761578 -0400
 @@ -67,9 +67,13 @@ interface(`denyhosts_admin',`
  		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
  	')
@@ -1394,7 +1377,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpol
 +	allow $1 denyhosts_t:process signal_perms;
  	ps_process_pattern($1, denyhosts_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 denyhosts_t:process ptrace;
 +	')
 +
@@ -1402,8 +1385,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpol
  	domain_system_change_exemption($1)
  	role_transition $2 denyhosts_initrc_exec_t system_r;
 diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if
---- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace	2011-10-05 14:34:03.436103487 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/devicekit.if	2011-10-05 14:34:03.802103876 -0400
+--- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace	2011-10-11 16:42:15.745761687 -0400
++++ serefpolicy-3.10.0/policy/modules/services/devicekit.if	2011-10-11 16:42:16.133761578 -0400
 @@ -308,13 +308,18 @@ interface(`devicekit_admin',`
  		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
  	')
@@ -1411,7 +1394,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpol
 -	allow $1 devicekit_t:process { ptrace signal_perms };
 +	allow $1 devicekit_t:process signal_perms;
  	ps_process_pattern($1, devicekit_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 devicekit_t:process ptrace;
 +		allow $1 devicekit_disk_t:process ptrace;
 +		allow $1 devicekit_power_t:process ptrace;
@@ -1427,35 +1410,30 @@ diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpol
  
  	admin_pattern($1, devicekit_tmp_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te
---- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace	2011-10-05 14:34:03.437103488 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/devicekit.te	2011-10-05 14:34:03.802103876 -0400
-@@ -65,7 +65,10 @@ optional_policy(`
+--- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace	2011-10-11 16:42:15.746761687 -0400
++++ serefpolicy-3.10.0/policy/modules/services/devicekit.te	2011-10-11 16:42:16.134761577 -0400
+@@ -65,7 +65,8 @@ optional_policy(`
  # DeviceKit disk local policy
  #
  
 -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
 +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
-+tunable_policy(`allow_ptrace',`
-+	allow devicekit_disk_t self:capability sys_ptrace;
-+')
++
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -199,7 +202,10 @@ optional_policy(`
+@@ -199,7 +200,7 @@ optional_policy(`
  # DeviceKit-Power local policy
  #
  
 -allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
 +allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
-+tunable_policy(`allow_ptrace',`
-+	allow devicekit_power_t self:capability sys_ptrace;
-+')
  allow devicekit_power_t self:process { getsched signal_perms };
  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if
---- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace	2011-10-05 14:34:03.438103489 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dhcp.if	2011-10-05 14:34:03.803103877 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace	2011-10-11 16:42:15.747761687 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dhcp.if	2011-10-11 16:42:16.135761576 -0400
 @@ -105,8 +105,11 @@ interface(`dhcpd_admin',`
  		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
  	')
@@ -1463,7 +1441,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3
 -	allow $1 dhcpd_t:process { ptrace signal_perms };
 +	allow $1 dhcpd_t:process signal_perms;
  	ps_process_pattern($1, dhcpd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 dhcpd_t:process ptrace;
 +	')
  
@@ -1471,7 +1449,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if
 --- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dictd.if	2011-10-05 14:34:03.803103877 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dictd.if	2011-10-11 16:42:16.135761576 -0400
 @@ -38,8 +38,11 @@ interface(`dictd_admin',`
  		type dictd_var_run_t, dictd_initrc_exec_t;
  	')
@@ -1479,31 +1457,31 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-
 -	allow $1 dictd_t:process { ptrace signal_perms };
 +	allow $1 dictd_t:process signal_perms;
  	ps_process_pattern($1, dictd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 dictd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if
---- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace	2011-10-05 14:34:03.443103494 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if	2011-10-05 14:34:03.804103878 -0400
-@@ -282,8 +282,11 @@ interface(`dnsmasq_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace	2011-10-11 16:42:15.752761685 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if	2011-10-11 16:42:16.136761576 -0400
+@@ -281,8 +281,11 @@ interface(`dnsmasq_admin',`
  		type dnsmasq_initrc_exec_t;
  	')
  
 -	allow $1 dnsmasq_t:process { ptrace signal_perms };
 +	allow $1 dnsmasq_t:process signal_perms;
  	ps_process_pattern($1, dnsmasq_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 dnsmasq_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if
---- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace	2011-10-05 14:34:03.445103496 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dovecot.if	2011-10-05 14:34:03.805103879 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace	2011-10-11 16:42:15.754761685 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dovecot.if	2011-10-11 16:42:16.136761576 -0400
 @@ -119,8 +119,11 @@ interface(`dovecot_admin',`
  		type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
  	')
@@ -1511,15 +1489,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolic
 -	allow $1 dovecot_t:process { ptrace signal_perms };
 +	allow $1 dovecot_t:process signal_perms;
  	ps_process_pattern($1, dovecot_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 dovecot_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if
---- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace	2011-10-05 14:34:03.446103498 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/drbd.if	2011-10-05 14:34:03.806103880 -0400
+--- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace	2011-10-11 16:42:15.755761684 -0400
++++ serefpolicy-3.10.0/policy/modules/services/drbd.if	2011-10-11 16:42:16.137761576 -0400
 @@ -120,8 +120,11 @@ interface(`drbd_admin',`
                  type drbd_var_lib_t;
  	')
@@ -1527,15 +1505,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3
 -	allow $1 drbd_t:process { ptrace signal_perms };
 +	allow $1 drbd_t:process signal_perms;
  	ps_process_pattern($1, drbd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 drbd_t:process ptrace;
 +	')
  
  	files_search_var_lib($1)
  	admin_pattern($1, drbd_var_lib_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if
---- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace	2011-10-05 14:34:03.447103499 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/dspam.if	2011-10-05 14:34:03.806103880 -0400
+--- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace	2011-10-11 16:42:15.756761683 -0400
++++ serefpolicy-3.10.0/policy/modules/services/dspam.if	2011-10-11 16:42:16.138761576 -0400
 @@ -244,8 +244,11 @@ interface(`dspam_admin',`
  		type dspam_var_run_t;
  	')
@@ -1543,15 +1521,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-
 -	allow $1 dspam_t:process { ptrace signal_perms };
 +	allow $1 dspam_t:process signal_perms;
  	ps_process_pattern($1, dspam_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 dspam_t:process ptrace;
 +	')
  
  	dspam_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if
---- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace	2011-10-05 14:34:03.449103501 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/exim.if	2011-10-05 14:34:03.807103881 -0400
+--- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace	2011-10-11 16:42:15.758761683 -0400
++++ serefpolicy-3.10.0/policy/modules/services/exim.if	2011-10-11 16:42:16.139761576 -0400
 @@ -260,8 +260,11 @@ interface(`exim_admin',`
  		type exim_tmp_t, exim_spool_t, exim_var_run_t;
  	')
@@ -1559,15 +1537,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3
 -	allow $1 exim_t:process { ptrace signal_perms };
 +	allow $1 exim_t:process signal_perms;
  	ps_process_pattern($1, exim_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 exim_t:process ptrace;
 +	')
  
  	exim_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if
---- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace	2011-10-05 14:34:03.450103502 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if	2011-10-05 14:34:03.807103881 -0400
+--- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace	2011-10-11 16:42:15.760761683 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if	2011-10-11 16:42:16.139761576 -0400
 @@ -199,8 +199,11 @@ interface(`fail2ban_admin',`
  		type fail2ban_client_t;
  	')
@@ -1575,15 +1553,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpoli
 -	allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
 +	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
  	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if
---- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace	2011-10-05 14:34:03.452103504 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if	2011-10-05 14:34:03.808103882 -0400
+--- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace	2011-10-11 16:42:15.761761683 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if	2011-10-11 16:42:16.140761576 -0400
 @@ -81,8 +81,11 @@ interface(`fcoemon_admin',`
  	type fcoemon_var_run_t;
  	')
@@ -1591,15 +1569,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolic
 -	allow $1 fcoemon_t:process { ptrace signal_perms };
 +	allow $1 fcoemon_t:process signal_perms;
  	ps_process_pattern($1, fcoemon_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 fcoemon_t:process ptrace;
 +	')
  
  	files_search_pids($1)
  	admin_pattern($1, fcoemon_var_run_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if
---- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace	2011-10-05 14:34:03.453103505 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if	2011-10-05 14:34:03.809103883 -0400
+--- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace	2011-10-11 16:42:15.762761682 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if	2011-10-11 16:42:16.140761576 -0400
 @@ -18,8 +18,11 @@ interface(`fetchmail_admin',`
  		type fetchmail_var_run_t;
  	')
@@ -1607,15 +1585,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpol
 -	allow $1 fetchmail_t:process { ptrace signal_perms };
 +	allow $1 fetchmail_t:process signal_perms;
  	ps_process_pattern($1, fetchmail_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 fetchmail_t:process ptrace;
 +	')
  
  	files_list_etc($1)
  	admin_pattern($1, fetchmail_etc_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if
---- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace	2011-10-05 14:34:03.454103506 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/firewalld.if	2011-10-05 14:34:03.809103883 -0400
+--- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace	2011-10-11 16:42:15.763761681 -0400
++++ serefpolicy-3.10.0/policy/modules/services/firewalld.if	2011-10-11 16:42:16.141761575 -0400
 @@ -62,8 +62,11 @@ interface(`firewalld_admin',`
  		type firewalld_initrc_exec_t;
  	')
@@ -1623,47 +1601,44 @@ diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpol
 -	allow $1 firewalld_t:process { ptrace signal_perms };
 +	allow $1 firewalld_t:process signal_perms;
  	ps_process_pattern($1, firewalld_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 firewalld_t:process ptrace;
 +	')
  
  	firewalld_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te
---- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace	2011-10-05 14:34:03.456103508 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/fprintd.te	2011-10-05 14:34:03.810103884 -0400
-@@ -17,7 +17,11 @@ files_type(fprintd_var_lib_t)
+--- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace	2011-10-11 16:42:15.765761681 -0400
++++ serefpolicy-3.10.0/policy/modules/services/fprintd.te	2011-10-11 16:42:16.141761575 -0400
+@@ -17,7 +17,8 @@ files_type(fprintd_var_lib_t)
  # Local policy
  #
  
 -allow fprintd_t self:capability { sys_nice sys_ptrace };
 +allow fprintd_t self:capability sys_nice;
-+tunable_policy(`allow_ptrace',`
-+	allow fprintd_t self:capability sys_ptrace;
-+')
 +
  allow fprintd_t self:fifo_file rw_fifo_file_perms;
  allow fprintd_t self:process { getsched setsched signal };
  
 diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if
---- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace	2011-10-05 14:34:03.457103509 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ftp.if	2011-10-05 14:34:03.810103884 -0400
-@@ -238,8 +238,11 @@ interface(`ftp_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace	2011-10-11 16:42:15.766761681 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ftp.if	2011-10-11 16:42:16.142761574 -0400
+@@ -237,8 +237,11 @@ interface(`ftp_admin',`
  		type ftpd_initrc_exec_t;
  	')
  
 -	allow $1 ftpd_t:process { ptrace signal_perms };
 +	allow $1 ftpd_t:process signal_perms;
  	ps_process_pattern($1, ftpd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ftpd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if
---- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace	2011-10-05 14:34:03.459103511 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/git.if	2011-10-05 14:34:03.811103885 -0400
+--- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace	2011-10-11 16:42:15.768761681 -0400
++++ serefpolicy-3.10.0/policy/modules/services/git.if	2011-10-11 16:42:16.142761574 -0400
 @@ -42,8 +42,11 @@ interface(`git_session_role',`
  
  	domtrans_pattern($2, gitd_exec_t, git_session_t)
@@ -1671,15 +1646,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.
 -	allow $2 git_session_t:process { ptrace signal_perms };
 +	allow $2 git_session_t:process signal_perms;
  	ps_process_pattern($2, git_session_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 git_session_t:process ptrace;
 +	')
  ')
  
  ########################################
 diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if
---- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace	2011-10-05 14:34:03.461103513 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/glance.if	2011-10-05 14:34:03.811103885 -0400
+--- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace	2011-10-11 16:42:15.770761679 -0400
++++ serefpolicy-3.10.0/policy/modules/services/glance.if	2011-10-11 16:42:16.143761574 -0400
 @@ -245,10 +245,14 @@ interface(`glance_admin',`
  		type glance_api_initrc_exec_t;
  	')
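Review bot: The `tunable_policy(`deny_ptrace',`',` form used for the git_session_t grant (and in every other converted block in this patch) leaves the true-branch empty and puts the live rules in the else-branch, which reads backwards to anyone used to refpolicy's positive `allow_*` booleans and gives no hint why the block is inverted. A one-line comment above the block would make the intent obvious without changing policy, e.g. `# ptrace is granted only while the deny_ptrace boolean is off`. Since the same construct is repeated across the whole patch, adding the comment once per interface is cheap and the pattern is then self-explanatory wherever it recurs. The `git_session_role` interface starts above the hunk.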
@@ -1687,7 +1662,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy
 -	allow $1 glance_registry_t:process { ptrace signal_perms };
 +	allow $1 glance_registry_t:process signal_perms;
  	ps_process_pattern($1, glance_registry_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 glance_registry_t:process ptrace;
 +		allow $1 glance_api_t:process ptrace;
 +	')
@@ -1698,23 +1673,32 @@ diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy
  
  	init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te
---- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace	2011-10-05 14:34:03.463103516 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te	2011-10-05 14:34:03.812103886 -0400
-@@ -16,7 +16,10 @@ systemd_systemctl_domain(gnomeclock)
+--- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace	2011-10-11 16:42:15.771761679 -0400
++++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te	2011-10-11 16:42:16.144761574 -0400
+@@ -14,7 +14,7 @@ dbus_system_domain(gnomeclock_t, gnomecl
  # gnomeclock local policy
  #
  
 -allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
 +allow gnomeclock_t self:capability { sys_nice sys_time };
-+tunable_policy(`allow_ptrace',`
-+	allow gnomeclock_t self:capability sys_ptrace;
-+')
  allow gnomeclock_t self:process { getattr getsched signal };
  allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
  allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
+diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/gpsd.te
+--- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace	2011-10-11 16:42:15.773761679 -0400
++++ serefpolicy-3.10.0/policy/modules/services/gpsd.te	2011-10-11 16:42:16.144761574 -0400
+@@ -25,7 +25,7 @@ files_pid_file(gpsd_var_run_t)
+ #
+ 
+ allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
+-dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace };
++dontaudit gpsd_t self:capability { dac_read_search dac_override };
+ allow gpsd_t self:process { setsched signal_perms };
+ allow gpsd_t self:shm create_shm_perms;
+ allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
 diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if
---- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace	2011-10-05 14:34:03.711103779 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if	2011-10-05 14:34:03.813103887 -0400
+--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace	2011-10-11 16:42:16.028761607 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hadoop.if	2011-10-11 16:42:16.145761574 -0400
 @@ -222,14 +222,21 @@ interface(`hadoop_role',`
  	hadoop_domtrans($2)
  	role $1 types hadoop_t;
@@ -1722,7 +1706,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy
 -	allow $2 hadoop_t:process { ptrace signal_perms };
 +	allow $2 hadoop_t:process signal_perms;
  	ps_process_pattern($2, hadoop_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 hadoop_t:process ptrace;
 +	')
  
@@ -1732,7 +1716,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy
 -	allow $2 zookeeper_t:process { ptrace signal_perms };
 +	allow $2 zookeeper_t:process signal_perms;
  	ps_process_pattern($2, zookeeper_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 zookeeper_t:process ptrace;
 +	')
 +
@@ -1740,22 +1724,34 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy
  
  ########################################
 diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if
---- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace	2011-10-05 14:34:03.466103519 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/hal.if	2011-10-05 14:34:03.814103888 -0400
+--- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace	2011-10-11 16:42:15.776761679 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hal.if	2011-10-11 16:42:16.146761574 -0400
 @@ -70,7 +70,9 @@ interface(`hal_ptrace',`
  		type hald_t;
  	')
  
 -	allow $1 hald_t:process ptrace;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 hald_t:process ptrace;
 +	')
  ')
  
  ########################################
+diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.10.0/policy/modules/services/hal.te
+--- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace	2011-10-11 16:42:15.776761679 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hal.te	2011-10-11 16:42:16.146761574 -0400
+@@ -64,7 +64,7 @@ typealias hald_var_run_t alias pmtools_v
+ 
+ # execute openvt which needs setuid
+ allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+-dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
++dontaudit hald_t self:capability sys_tty_config;
+ allow hald_t self:process { getsched getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
+ allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if
---- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace	2011-10-05 14:34:03.467103520 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if	2011-10-05 14:34:03.814103888 -0400
+--- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace	2011-10-11 16:42:15.777761679 -0400
++++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if	2011-10-11 16:42:16.147761574 -0400
 @@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
  		type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
  	')
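Review bot: After this change `hal_ptrace` silently grants nothing when `deny_ptrace` is on, but the interface's summary block (above the hunk, outside it) presumably still describes the grant as unconditional, so a caller such as an admin module would have no way to know its request can be a no-op. The description should say so, e.g. `## Conditional on the deny_ptrace boolean being off; with deny_ptrace=on this interface grants no ptrace permission.` The hal.te part of this unit removes the `sys_ptrace` dontaudit rather than an allow, so hald's attempts will now show up in the audit log rather than being suppressed; that appears intended, and a short comment on the surviving `dontaudit hald_t self:capability sys_tty_config;` line such as `# sys_ptrace denials are deliberately audited` would stop someone from re-adding the dontaudit to quiet the log.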
@@ -1763,15 +1759,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolic
 -	allow $1 hddtemp_t:process { ptrace signal_perms };
 +	allow $1 hddtemp_t:process signal_perms;
  	ps_process_pattern($1, hddtemp_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 hddtemp_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if
---- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace	2011-10-05 14:34:03.469103522 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/icecast.if	2011-10-05 14:34:03.815103889 -0400
+--- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace	2011-10-11 16:42:15.778761679 -0400
++++ serefpolicy-3.10.0/policy/modules/services/icecast.if	2011-10-11 16:42:16.148761574 -0400
 @@ -173,8 +173,11 @@ interface(`icecast_admin',`
  		type icecast_t, icecast_initrc_exec_t;
  	')
@@ -1779,15 +1775,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolic
 -	allow $1 icecast_t:process { ptrace signal_perms };
 +	allow $1 icecast_t:process signal_perms;
  	ps_process_pattern($1, icecast_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 icecast_t:process ptrace;
 +	')
  
  	# Allow icecast_t to restart the apache service
  	icecast_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if
---- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace	2011-10-05 14:34:03.470103523 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if	2011-10-05 14:34:03.815103889 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace	2011-10-11 16:42:15.779761678 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if	2011-10-11 16:42:16.148761574 -0400
 @@ -117,7 +117,7 @@ interface(`ifplugd_admin',`
  		type ifplugd_initrc_exec_t;
  	')
@@ -1797,9 +1793,21 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolic
  	ps_process_pattern($1, ifplugd_t)
  
  	init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.te
+--- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace	2011-10-11 16:42:15.779761678 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te	2011-10-11 16:42:16.149761574 -0400
+@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t)
+ #
+ 
+ allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+-dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
++dontaudit ifplugd_t self:capability sys_tty_config;
+ allow ifplugd_t self:process { signal signull };
+ allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+ allow ifplugd_t self:tcp_socket create_stream_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if
---- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace	2011-10-05 14:34:03.472103525 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/inn.if	2011-10-05 14:34:03.816103890 -0400
+--- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace	2011-10-11 16:42:15.781761676 -0400
++++ serefpolicy-3.10.0/policy/modules/services/inn.if	2011-10-11 16:42:16.149761574 -0400
 @@ -202,8 +202,11 @@ interface(`inn_admin',`
  		type innd_initrc_exec_t;
  	')
@@ -1807,15 +1815,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.
 -	allow $1 innd_t:process { ptrace signal_perms };
 +	allow $1 innd_t:process signal_perms;
  	ps_process_pattern($1, innd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 innd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, innd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if
---- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace	2011-10-05 14:34:03.474103527 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/jabber.if	2011-10-05 14:34:03.816103890 -0400
+--- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace	2011-10-11 16:42:15.784761676 -0400
++++ serefpolicy-3.10.0/policy/modules/services/jabber.if	2011-10-11 16:42:16.150761573 -0400
 @@ -143,10 +143,14 @@ interface(`jabber_admin',`
  		type jabberd_initrc_exec_t, jabberd_router_t;
  	')
@@ -1823,7 +1831,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy
 -	allow $1 jabberd_t:process { ptrace signal_perms };
 +	allow $1 jabberd_t:process signal_perms;
  	ps_process_pattern($1, jabberd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 jabberd_t:process ptrace;
 +		allow $1 jabberd_router_t:process ptrace;
 +	')
@@ -1834,8 +1842,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy
  
  	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if
---- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace	2011-10-05 14:34:03.476103529 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/kerberos.if	2011-10-05 14:34:03.817103892 -0400
+--- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace	2011-10-11 16:42:15.785761676 -0400
++++ serefpolicy-3.10.0/policy/modules/services/kerberos.if	2011-10-11 16:42:16.150761573 -0400
 @@ -340,13 +340,18 @@ interface(`kerberos_admin',`
  		type krb5kdc_var_run_t, krb5_host_rcache_t;
  	')
@@ -1843,7 +1851,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpoli
 -	allow $1 kadmind_t:process { ptrace signal_perms };
 +	allow $1 kadmind_t:process signal_perms;
  	ps_process_pattern($1, kadmind_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 kadmind_t:process ptrace;
 +		allow $1 krb5kdc_t:process ptrace;
 +		allow $1 kpropd_t:process ptrace;
@@ -1859,8 +1867,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpoli
  
  	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if
---- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace	2011-10-05 14:34:03.477103530 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if	2011-10-05 14:34:03.818103893 -0400
+--- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace	2011-10-11 16:42:15.786761676 -0400
++++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if	2011-10-11 16:42:16.151761573 -0400
 @@ -101,8 +101,11 @@ interface(`kerneloops_admin',`
  		type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
  	')
@@ -1868,15 +1876,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpo
 -	allow $1 kerneloops_t:process { ptrace signal_perms };
 +	allow $1 kerneloops_t:process signal_perms;
  	ps_process_pattern($1, kerneloops_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 kerneloops_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if
---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace	2011-10-05 14:34:03.479103533 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if	2011-10-05 14:34:03.818103893 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace	2011-10-11 16:42:15.788761674 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if	2011-10-11 16:42:16.151761573 -0400
 @@ -58,8 +58,11 @@ interface(`ksmtuned_admin',`
  		type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
  	')
@@ -1884,31 +1892,27 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpoli
 -	allow $1 ksmtuned_t:process { ptrace signal_perms };
 +	allow $1 ksmtuned_t:process signal_perms;
  	ps_process_pattern($1, ksmtuned_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ksmtuned_t:process ptrace;
 +	')
  
  	files_list_pids($1)
  	admin_pattern($1, ksmtuned_var_run_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te
---- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace	2011-10-05 14:34:03.480103534 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te	2011-10-05 14:34:03.819103894 -0400
-@@ -23,7 +23,11 @@ files_pid_file(ksmtuned_var_run_t)
+--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace	2011-10-11 16:42:15.789761674 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te	2011-10-11 16:42:16.152761572 -0400
+@@ -23,7 +23,7 @@ files_pid_file(ksmtuned_var_run_t)
  # ksmtuned local policy
  #
  
 -allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
 +allow ksmtuned_t self:capability sys_tty_config;
-+tunable_policy(`allow_ptrace',`
-+	allow ksmtuned_t self:capability sys_ptrace;
-+')
-+
  allow ksmtuned_t self:fifo_file rw_file_perms;
  
  manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if
---- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace	2011-10-05 14:34:03.481103535 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if	2011-10-05 14:34:03.819103894 -0400
+--- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace	2011-10-11 16:42:15.790761674 -0400
++++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if	2011-10-11 16:42:16.152761572 -0400
 @@ -101,8 +101,11 @@ interface(`l2tpd_admin',`
  	type l2tpd_var_run_t;
  	')
@@ -1916,23 +1920,23 @@ diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-
 -	allow $1 l2tpd_t:process { ptrace signal_perms };
 +	allow $1 l2tpd_t:process signal_perms;
  	ps_process_pattern($1, l2tpd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 l2tpd_t:process ptrace;
 +	')
  
  	l2tpd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if
---- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace	2011-10-05 14:34:03.482103536 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ldap.if	2011-10-05 14:34:03.820103895 -0400
-@@ -175,8 +175,11 @@ interface(`ldap_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace	2011-10-11 16:42:15.792761674 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ldap.if	2011-10-11 16:42:16.153761571 -0400
+@@ -174,8 +174,11 @@ interface(`ldap_admin',`
  		type slapd_initrc_exec_t;
  	')
  
 -	allow $1 slapd_t:process { ptrace signal_perms };
 +	allow $1 slapd_t:process signal_perms;
  	ps_process_pattern($1, slapd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 slapd_t:process ptrace;
 +	')
  
@@ -1940,7 +1944,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if
 --- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/lircd.if	2011-10-05 14:34:03.821103896 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lircd.if	2011-10-11 16:42:16.154761571 -0400
 @@ -80,8 +80,11 @@ interface(`lircd_admin',`
  		type lircd_initrc_exec_t, lircd_etc_t;
  	')
@@ -1948,15 +1952,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-
 -	allow $1 lircd_t:process { ptrace signal_perms };
 +	allow $1 lircd_t:process signal_perms;
  	ps_process_pattern($1, lircd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 lircd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if
---- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace	2011-10-05 14:34:03.486103540 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/lldpad.if	2011-10-05 14:34:03.821103896 -0400
+--- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace	2011-10-11 16:42:15.795761672 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lldpad.if	2011-10-11 16:42:16.154761571 -0400
 @@ -180,8 +180,11 @@ interface(`lldpad_admin',`
  	type lldpad_var_run_t;
  	')
@@ -1964,30 +1968,30 @@ diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy
 -	allow $1 lldpad_t:process { ptrace signal_perms };
 +	allow $1 lldpad_t:process signal_perms;
  	ps_process_pattern($1, lldpad_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 lldpad_t:process ptrace;
 +	')
  
  	lldpad_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if
---- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace	2011-10-05 14:34:03.487103541 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/lpd.if	2011-10-05 14:34:03.822103897 -0400
+--- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace	2011-10-11 16:42:15.796761672 -0400
++++ serefpolicy-3.10.0/policy/modules/services/lpd.if	2011-10-11 16:42:16.155761571 -0400
 @@ -28,7 +28,10 @@ interface(`lpd_role',`
  	dontaudit lpr_t $2:unix_stream_socket { read write };
  
  	ps_process_pattern($2, lpr_t)
 -	allow $2 lpr_t:process { ptrace signal_perms };
 +	allow $2 lpr_t:process signal_perms;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 lpr_t:process ptrace;
 +	')
  
  	optional_policy(`
  		cups_read_config($2)
 diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if
---- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace	2011-10-05 14:34:03.490103544 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if	2011-10-05 14:34:03.823103898 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace	2011-10-11 16:42:15.799761672 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if	2011-10-11 16:42:16.155761571 -0400
 @@ -47,8 +47,11 @@ interface(`mailscanner_admin',`
  	role_transition $2 mscan_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -1995,15 +1999,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefp
 -	allow $1 mscan_t:process { ptrace signal_perms };
 +	allow $1 mscan_t:process signal_perms;
  	ps_process_pattern($1, mscan_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 mscan_t:process ptrace;
 +	')
  
  	admin_pattern($1, mscan_etc_t)
  	files_list_etc($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.if
---- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace	2011-10-05 14:34:03.491103545 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/matahari.if	2011-10-05 14:34:03.823103898 -0400
+--- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace	2011-10-11 16:42:15.800761672 -0400
++++ serefpolicy-3.10.0/policy/modules/services/matahari.if	2011-10-11 16:42:16.156761571 -0400
 @@ -229,13 +229,18 @@ interface(`matahari_admin',`
  	role_transition $2 matahari_initrc_exec_t system_r;
  	allow $2 system_r;
@@ -2011,7 +2015,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpoli
 -	allow $1 matahari_netd_t:process { ptrace signal_perms };
 +	allow $1 matahari_netd_t:process signal_perms;
  	ps_process_pattern($1, matahari_netd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 matahari_netd_t:process ptrace;
 +		allow $1 matahari_hostd_t:process ptrace;
 +		allow $1 matahari_serviced_t:process ptrace;
@@ -2027,23 +2031,21 @@ diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpoli
  
  	files_search_var_lib($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te
---- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace	2011-10-05 14:34:03.491103545 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/matahari.te	2011-10-05 14:34:03.824103899 -0400
-@@ -24,8 +24,9 @@ files_pid_file(matahari_var_run_t)
+--- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace	2011-10-11 16:42:15.800761672 -0400
++++ serefpolicy-3.10.0/policy/modules/services/matahari.te	2011-10-11 16:42:16.156761571 -0400
+@@ -24,9 +24,6 @@ files_pid_file(matahari_var_run_t)
  #
  # matahari_hostd local policy
  #
 -
 -allow matahari_hostd_t self:capability sys_ptrace;
-+tunable_policy(`allow_ptrace',`
-+	allow matahari_hostd_t self:capability sys_ptrace;
-+')
- 
+-
  kernel_read_network_state(matahari_hostd_t)
  
+ dev_read_sysfs(matahari_hostd_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if
---- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace	2011-10-05 14:34:03.493103547 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/memcached.if	2011-10-05 14:34:03.824103899 -0400
+--- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace	2011-10-11 16:42:15.801761671 -0400
++++ serefpolicy-3.10.0/policy/modules/services/memcached.if	2011-10-11 16:42:16.157761571 -0400
 @@ -59,8 +59,11 @@ interface(`memcached_admin',`
  		type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
  	')
@@ -2051,22 +2053,22 @@ diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpol
 -	allow $1 memcached_t:process { ptrace signal_perms };
 +	allow $1 memcached_t:process signal_perms;
  	ps_process_pattern($1, memcached_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 memcached_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, memcached_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if
---- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace	2011-10-05 14:34:03.495103550 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mock.if	2011-10-05 14:34:03.825103900 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace	2011-10-11 16:42:15.804761670 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mock.if	2011-10-11 16:42:16.158761571 -0400
 @@ -245,7 +245,10 @@ interface(`mock_role',`
  	mock_run($2, $1)
  
  	ps_process_pattern($2, mock_t)
 -	allow $2 mock_t:process { ptrace signal_perms };
 +	allow $2 mock_t:process signal_perms;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 mock_t:process ptrace;
 +	')
  ')
@@ -2079,7 +2081,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3
 -	allow $1 mock_t:process { ptrace signal_perms };
 +	allow $1 mock_t:process signal_perms;
  	ps_process_pattern($1, mock_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 mock_t:process ptrace;
 +		allow $1 mock_build_t:process ptrace;
 +	')
@@ -2090,8 +2092,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3
  
  	files_list_var_lib($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te
---- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace	2011-10-05 14:34:03.496103551 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mock.te	2011-10-05 14:34:03.825103900 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace	2011-10-11 16:42:15.805761670 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mock.te	2011-10-11 16:42:16.158761571 -0400
 @@ -41,7 +41,7 @@ files_config_file(mock_etc_t)
  # mock local policy
  #
@@ -2111,8 +2113,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3
  allow mock_build_t self:process { fork setsched setpgid signal_perms };
  allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
 diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if
---- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace	2011-10-05 14:34:03.497103552 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if	2011-10-05 14:34:03.826103901 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace	2011-10-11 16:42:15.806761670 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if	2011-10-11 16:42:16.159761570 -0400
 @@ -24,8 +24,11 @@ interface(`mojomojo_admin',`
  		type httpd_mojomojo_script_exec_t;
  	')
@@ -2120,7 +2122,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpoli
 -	allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
 +	allow $1 httpd_mojomojo_script_t:process signal_perms;
  	ps_process_pattern($1, httpd_mojomojo_script_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 httpd_mojomo_script_t:process ptrace;
 +	')
  
@@ -2128,7 +2130,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpoli
  	admin_pattern($1, httpd_mojomojo_tmp_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if
 --- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mpd.if	2011-10-05 14:34:03.827103902 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mpd.if	2011-10-11 16:42:16.159761570 -0400
 @@ -244,8 +244,11 @@ interface(`mpd_admin',`
  		type mpd_tmpfs_t;
  	')
@@ -2136,15 +2138,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.
 -	allow $1 mpd_t:process { ptrace signal_perms };
 +	allow $1 mpd_t:process signal_perms;
  	ps_process_pattern($1, mpd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 mpd_t:process ptrace;
 +	')
  
  	mpd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if
---- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace	2011-10-05 14:34:03.502103557 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/munin.if	2011-10-05 14:34:03.827103902 -0400
+--- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace	2011-10-11 16:42:15.811761668 -0400
++++ serefpolicy-3.10.0/policy/modules/services/munin.if	2011-10-11 16:42:16.160761569 -0400
 @@ -183,8 +183,11 @@ interface(`munin_admin',`
  		type httpd_munin_content_t, munin_initrc_exec_t;
  	')
@@ -2152,15 +2154,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-
 -	allow $1 munin_t:process { ptrace signal_perms };
 +	allow $1 munin_t:process signal_perms;
  	ps_process_pattern($1, munin_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 munin_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if
---- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace	2011-10-05 14:34:03.503103558 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/mysql.if	2011-10-05 14:34:03.828103903 -0400
+--- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace	2011-10-11 16:42:15.812761668 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mysql.if	2011-10-11 16:42:16.160761569 -0400
 @@ -389,8 +389,11 @@ interface(`mysql_admin',`
  		type mysqld_etc_t;
  	')
@@ -2168,15 +2170,26 @@ diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-
 -	allow $1 mysqld_t:process { ptrace signal_perms };
 +	allow $1 mysqld_t:process signal_perms;
  	ps_process_pattern($1, mysqld_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 mysqld_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
  	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.te
+--- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace	2011-10-11 16:42:15.813761668 -0400
++++ serefpolicy-3.10.0/policy/modules/services/mysql.te	2011-10-11 16:42:16.161761569 -0400
+@@ -158,7 +158,6 @@ optional_policy(`
+ #
+ 
+ allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+-dontaudit mysqld_safe_t self:capability sys_ptrace;
+ allow mysqld_safe_t self:process { setsched getsched setrlimit };
+ allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+ 
 diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if
---- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace	2011-10-05 14:34:03.505103560 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nagios.if	2011-10-05 14:34:03.829103904 -0400
+--- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace	2011-10-11 16:42:15.814761668 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nagios.if	2011-10-11 16:42:16.162761569 -0400
 @@ -225,8 +225,11 @@ interface(`nagios_admin',`
  		type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
  	')
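Review bot: The mysql.te part of this hunk deletes `dontaudit mysqld_safe_t self:capability sys_ptrace;` without replacing it, so any sys_ptrace attempt by mysqld_safe_t will now surface as an AVC denial instead of being silently dropped. That is the right outcome for a policy whose goal is to deny ptrace (the denial is the signal), but nothing in the hunk ties the removal to the deny_ptrace boolean the way the .if hunks do, so it looks incidental. A short comment in the .te, e.g. `# sys_ptrace deliberately not dontaudited: denials are expected under deny_ptrace`, would tell the next reader not to reinstate it when the denial shows up in audit logs.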
@@ -2184,29 +2197,30 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy
 -	allow $1 nagios_t:process { ptrace signal_perms };
 +	allow $1 nagios_t:process signal_perms;
  	ps_process_pattern($1, nagios_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 nagios_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te
---- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace	2011-10-05 14:34:03.507103562 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te	2011-10-05 14:34:03.830103905 -0400
+--- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace	2011-10-11 16:42:15.817761668 -0400
++++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te	2011-10-11 16:42:16.162761569 -0400
 @@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161)
 -allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
+-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 +allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
- dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
++dontaudit NetworkManager_t self:capability sys_tty_config;
  ifdef(`hide_broken_symptoms',`
  	# caused by some bogus kernel code
  	dontaudit NetworkManager_t self:capability sys_module;
  ')
 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
 +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow NetworkManager_t self:process ptrace;
 +')
 +
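Review bot: The comment `# networkmanager will ptrace itself if gdb is installed` above the capability line is now stale: `sys_ptrace` is removed from NetworkManager_t's capability set unconditionally while `self:process ptrace` survives only in the `deny_ptrace` else branch, so under the intended default the behaviour the comment describes is denied. Suggest rewording it to `# networkmanager ptraces itself via gdb on an unexpected signal (rh bug #204161); permitted only while deny_ptrace is off`. If that gdb path ever needs CAP_SYS_PTRACE (it should not for a same-uid dumpable target, but worth confirming), the else branch would also need `allow NetworkManager_t self:capability sys_ptrace;`. Dropping `sys_ptrace` from the dontaudit line means such attempts are now logged, which is consistent with the rest of the change.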
@@ -2214,16 +2228,16 @@ diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace ser
  allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
  allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if
---- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace	2011-10-05 14:34:03.509103564 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nis.if	2011-10-05 14:34:03.830103905 -0400
-@@ -392,16 +392,22 @@ interface(`nis_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace	2011-10-11 16:42:15.818761667 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nis.if	2011-10-11 16:42:16.163761569 -0400
+@@ -390,16 +390,22 @@ interface(`nis_admin',`
  		type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
  	')
  
 -	allow $1 ypbind_t:process { ptrace signal_perms };
 +	allow $1 ypbind_t:process signal_perms;
  	ps_process_pattern($1, ypbind_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ypbind_t:process ptrace;
 +		allow $1 yppasswdd_t:process ptrace;
 +		allow $1 ypserv_t:process ptrace;
@@ -2244,71 +2258,67 @@ diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.
  
  	nis_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if
---- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace	2011-10-05 14:34:03.510103566 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nscd.if	2011-10-05 14:34:03.831103906 -0400
-@@ -322,8 +322,11 @@ interface(`nscd_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace	2011-10-11 16:42:15.819761666 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nscd.if	2011-10-11 16:42:16.164761569 -0400
+@@ -321,8 +321,11 @@ interface(`nscd_admin',`
  		type nscd_initrc_exec_t;
  	')
  
 -	allow $1 nscd_t:process { ptrace signal_perms };
 +	allow $1 nscd_t:process signal_perms;
  	ps_process_pattern($1, nscd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 nscd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te
---- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace	2011-10-05 14:34:03.511103567 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nscd.te	2011-10-05 14:34:03.831103906 -0400
-@@ -40,7 +40,11 @@ logging_log_file(nscd_log_t)
+--- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace	2011-10-11 16:42:15.820761665 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nscd.te	2011-10-11 16:42:16.164761569 -0400
+@@ -40,7 +40,7 @@ logging_log_file(nscd_log_t)
  # Local policy
  #
  
 -allow nscd_t self:capability { kill setgid setuid sys_ptrace };
 +allow nscd_t self:capability { kill setgid setuid };
-+tunable_policy(`allow_ptrace',`
-+	allow nscd_t self:capability sys_ptrace;
-+')
-+
  dontaudit nscd_t self:capability sys_tty_config;
  allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
  allow nscd_t self:fifo_file read_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if
---- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace	2011-10-05 14:34:03.511103567 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/nslcd.if	2011-10-05 14:34:03.832103907 -0400
+--- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace	2011-10-11 16:42:15.820761665 -0400
++++ serefpolicy-3.10.0/policy/modules/services/nslcd.if	2011-10-11 16:42:16.165761569 -0400
 @@ -98,7 +98,10 @@ interface(`nslcd_admin',`
  	')
  
  	ps_process_pattern($1, nslcd_t)
 -	allow $1 nslcd_t:process { ptrace signal_perms };
 +	allow $1 nslcd_t:process signal_perms;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 nslcd_t:process ptrace;
 +	')
  
  	# Allow nslcd_t to restart the apache service
  	nslcd_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if
---- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace	2011-10-05 14:34:03.513103569 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ntp.if	2011-10-05 14:34:03.832103907 -0400
-@@ -205,8 +205,11 @@ interface(`ntp_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace	2011-10-11 16:42:15.822761665 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ntp.if	2011-10-11 16:42:16.165761569 -0400
+@@ -204,8 +204,11 @@ interface(`ntp_admin',`
  		type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
  	')
  
 -	allow $1 ntpd_t:process { ptrace signal_perms };
 +	allow $1 ntpd_t:process signal_perms;
  	ps_process_pattern($1, ntpd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ntpd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if
---- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace	2011-10-05 14:34:03.518103574 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/oident.if	2011-10-05 14:34:03.833103909 -0400
+--- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace	2011-10-11 16:42:15.827761663 -0400
++++ serefpolicy-3.10.0/policy/modules/services/oident.if	2011-10-11 16:42:16.166761568 -0400
 @@ -89,8 +89,11 @@ interface(`oident_admin',`
  		type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
  	')
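Review bot: In the nscd.te part of this hunk the `tunable_policy(`allow_ptrace',` block granting `sys_ptrace` to nscd_t is deleted outright rather than moved under the `deny_ptrace` else branch, so nscd_t loses CAP_SYS_PTRACE even when the boolean is off, whereas every *_admin interface in this file keeps `process ptrace` conditional. The same unconditional removal appears for policykit_t and policykit_resolve_t in the policykit.te hunk and for puppet_t in the puppet.te hunk further down. If the intent is that these daemons never need the capability, a comment such as `# sys_ptrace intentionally not granted; see deny_ptrace` in each .te would stop it being re-added on the next denial; if they do need it for non-dumpable or cross-uid targets, it belongs in the else branch like the interfaces.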
@@ -2316,7 +2326,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy
 -	allow $1 oidentd_t:process { ptrace signal_perms };
 +	allow $1 oidentd_t:process signal_perms;
  	ps_process_pattern($1, oidentd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 oidentd_t:process ptrace;
 +	')
  
@@ -2324,7 +2334,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if
 --- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/openvpn.if	2011-10-05 14:34:03.834103910 -0400
++++ serefpolicy-3.10.0/policy/modules/services/openvpn.if	2011-10-11 16:42:16.167761567 -0400
 @@ -144,8 +144,11 @@ interface(`openvpn_admin',`
  		type openvpn_var_run_t, openvpn_initrc_exec_t;
  	')
@@ -2332,15 +2342,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolic
 -	allow $1 openvpn_t:process { ptrace signal_perms };
 +	allow $1 openvpn_t:process signal_perms;
  	ps_process_pattern($1, openvpn_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 openvpn_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if
---- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace	2011-10-05 14:34:03.521103577 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/pads.if	2011-10-05 14:34:03.834103910 -0400
+--- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace	2011-10-11 16:42:15.830761663 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pads.if	2011-10-11 16:42:16.167761567 -0400
 @@ -31,8 +31,11 @@ interface(`pads_admin',`
  		type pads_var_run_t;
  	')
@@ -2348,15 +2358,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3
 -	allow $1 pads_t:process { ptrace signal_perms };
 +	allow $1 pads_t:process signal_perms;
  	ps_process_pattern($1, pads_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 pads_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, pads_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if
---- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace	2011-10-05 14:34:03.524103580 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/pingd.if	2011-10-05 14:34:03.835103911 -0400
+--- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace	2011-10-11 16:42:15.833761662 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pingd.if	2011-10-11 16:42:16.168761567 -0400
 @@ -80,8 +80,11 @@ interface(`pingd_admin',`
  		type pingd_initrc_exec_t;
  	')
@@ -2364,22 +2374,22 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-
 -	allow $1 pingd_t:process { ptrace signal_perms };
 +	allow $1 pingd_t:process signal_perms;
  	ps_process_pattern($1, pingd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 pingd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, pingd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te
---- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace	2011-10-05 14:34:03.526103583 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/piranha.te	2011-10-05 14:34:03.835103911 -0400
+--- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace	2011-10-11 16:42:15.835761661 -0400
++++ serefpolicy-3.10.0/policy/modules/services/piranha.te	2011-10-11 16:42:16.168761567 -0400
 @@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t)
  #
  
  allow piranha_web_t self:capability { setuid sys_nice kill setgid };
 -allow piranha_web_t self:process { getsched setsched signal signull ptrace };
 +allow piranha_web_t self:process { getsched setsched signal signull };
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow piranha_web_t self:process ptrace;
 +')
 +
@@ -2387,8 +2397,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolic
  allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
  allow piranha_web_t self:sem create_sem_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if
---- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace	2011-10-05 14:34:03.527103584 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if	2011-10-05 14:34:03.836103912 -0400
+--- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace	2011-10-11 16:42:15.836761661 -0400
++++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if	2011-10-11 16:42:16.169761567 -0400
 @@ -291,8 +291,11 @@ interface(`plymouthd_admin',`
  		type plymouthd_var_run_t;
  	')
@@ -2396,44 +2406,36 @@ diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpol
 -	allow $1 plymouthd_t:process { ptrace signal_perms };
 +	allow $1 plymouthd_t:process signal_perms;
  	ps_process_pattern($1, plymouthd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 plymouthd_t:process ptrace;
 +	')
  
  	files_list_var_lib($1)
  	admin_pattern($1, plymouthd_spool_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te
---- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace	2011-10-05 14:34:03.529103586 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/policykit.te	2011-10-05 14:34:03.837103913 -0400
-@@ -38,7 +38,11 @@ files_pid_file(policykit_var_run_t)
+--- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace	2011-10-11 16:42:15.838761661 -0400
++++ serefpolicy-3.10.0/policy/modules/services/policykit.te	2011-10-11 16:42:16.170761567 -0400
+@@ -38,7 +38,7 @@ files_pid_file(policykit_var_run_t)
  # policykit local policy
  #
  
 -allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
 +allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
-+tunable_policy(`allow_ptrace',`
-+	allow policykit_t self:capability sys_ptrace;
-+')
-+
  allow policykit_t self:process { getsched getattr signal };
  allow policykit_t self:fifo_file rw_fifo_file_perms;
  allow policykit_t self:unix_dgram_socket create_socket_perms;
-@@ -233,7 +237,11 @@ optional_policy(`
+@@ -233,7 +233,7 @@ optional_policy(`
  # polkit_resolve local policy
  #
  
 -allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
 +allow policykit_resolve_t self:capability { setuid sys_nice };
-+tunable_policy(`allow_ptrace',`
-+	allow policykit_resolve_t self:capability sys_ptrace;
-+')
-+
  allow policykit_resolve_t self:process getattr;
  allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
  
 diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if
---- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace	2011-10-05 14:34:03.530103587 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/polipo.if	2011-10-05 14:34:03.838103914 -0400
+--- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace	2011-10-11 16:42:15.839761661 -0400
++++ serefpolicy-3.10.0/policy/modules/services/polipo.if	2011-10-11 16:42:16.171761567 -0400
 @@ -32,8 +32,11 @@ template(`polipo_role',`
  	# Policy
  	#
@@ -2441,7 +2443,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy
 -	allow $2 polipo_session_t:process { ptrace signal_perms };
 +	allow $2 polipo_session_t:process signal_perms;
  	ps_process_pattern($2, polipo_session_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 polipo_session_t:process ptrace;
 +	')
  
@@ -2454,7 +2456,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy
 -	allow $1 polipo_t:process { ptrace signal_perms };
 +	allow $1 polipo_t:process signal_perms;
  	ps_process_pattern($1, polipo_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 polipo_t:process ptrace;
 +	')
  
@@ -2462,7 +2464,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if
 --- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/portreserve.if	2011-10-05 14:34:03.838103914 -0400
++++ serefpolicy-3.10.0/policy/modules/services/portreserve.if	2011-10-11 16:42:16.171761567 -0400
 @@ -104,8 +104,11 @@ interface(`portreserve_admin',`
  		type portreserve_initrc_exec_t;
  	')
@@ -2470,15 +2472,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefp
 -	allow $1 portreserve_t:process { ptrace signal_perms };
 +	allow $1 portreserve_t:process signal_perms;
  	ps_process_pattern($1, portreserve_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 portreserve_t:process ptrace;
 +	')
  
  	portreserve_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if
---- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace	2011-10-05 14:34:03.534103591 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/postfix.if	2011-10-05 14:34:03.839103915 -0400
+--- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace	2011-10-11 16:42:15.843761659 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postfix.if	2011-10-11 16:42:16.172761567 -0400
 @@ -729,25 +729,36 @@ interface(`postfix_admin',`
  		type postfix_smtpd_t, postfix_var_run_t;
  	')
@@ -2486,14 +2488,14 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolic
 -	allow $1 postfix_bounce_t:process { ptrace signal_perms };
 +	allow $1 postfix_bounce_t:process signal_perms;
  	ps_process_pattern($1, postfix_bounce_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 postfix_bounce_t:process ptrace;
 +	')
  
 -	allow $1 postfix_cleanup_t:process { ptrace signal_perms };
 +	allow $1 postfix_cleanup_t:process signal_perms;
  	ps_process_pattern($1, postfix_cleanup_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 postfix_cleanup_t:process ptrace;
 +		allow $1 postfix_local_t:process ptrace;
 +		allow $1 postfix_master_t:process ptrace;
@@ -2524,8 +2526,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolic
  
  	postfix_run_map($1, $2)
 diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if
---- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace	2011-10-05 14:34:03.535103592 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if	2011-10-05 14:34:03.840103916 -0400
+--- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace	2011-10-11 16:42:15.844761659 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if	2011-10-11 16:42:16.172761567 -0400
 @@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
  		type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
  	')
@@ -2533,15 +2535,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace ser
 -	allow $1 postfix_policyd_t:process { ptrace signal_perms };
 +	allow $1 postfix_policyd_t:process signal_perms;
  	ps_process_pattern($1, postfix_policyd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 postfix_policyd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if
---- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace	2011-10-05 14:34:03.537103594 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/postgresql.if	2011-10-05 14:34:03.840103916 -0400
+--- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace	2011-10-11 16:42:15.846761659 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postgresql.if	2011-10-11 16:42:16.173761566 -0400
 @@ -541,8 +541,11 @@ interface(`postgresql_admin',`
  
  	typeattribute $1 sepgsql_admin_type;
@@ -2549,15 +2551,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpo
 -	allow $1 postgresql_t:process { ptrace signal_perms };
 +	allow $1 postgresql_t:process signal_perms;
  	ps_process_pattern($1, postgresql_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 postgresql_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if
---- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace	2011-10-05 14:34:03.538103595 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/postgrey.if	2011-10-05 14:34:03.841103917 -0400
+--- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace	2011-10-11 16:42:15.848761657 -0400
++++ serefpolicy-3.10.0/policy/modules/services/postgrey.if	2011-10-11 16:42:16.174761565 -0400
 @@ -62,8 +62,11 @@ interface(`postgrey_admin',`
  		type postgrey_var_lib_t, postgrey_var_run_t;
  	')
@@ -2565,23 +2567,23 @@ diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpoli
 -	allow $1 postgrey_t:process { ptrace signal_perms };
 +	allow $1 postgrey_t:process signal_perms;
  	ps_process_pattern($1, postgrey_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 postgrey_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if
---- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace	2011-10-05 14:34:03.539103596 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ppp.if	2011-10-05 14:34:03.841103917 -0400
-@@ -387,10 +387,14 @@ interface(`ppp_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace	2011-10-11 16:42:15.849761657 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ppp.if	2011-10-11 16:42:16.174761565 -0400
+@@ -386,10 +386,14 @@ interface(`ppp_admin',`
  		type pppd_initrc_exec_t, pppd_etc_rw_t;
  	')
  
 -	allow $1 pppd_t:process { ptrace signal_perms };
 +	allow $1 pppd_t:process signal_perms;
  	ps_process_pattern($1, pppd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 pppd_t:process ptrace;
 +		allow $1 pptp_t:process ptrace;
 +	')
@@ -2592,8 +2594,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.
  
  	ppp_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if
---- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace	2011-10-05 14:34:03.541103598 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/prelude.if	2011-10-05 14:34:03.842103918 -0400
+--- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace	2011-10-11 16:42:15.850761657 -0400
++++ serefpolicy-3.10.0/policy/modules/services/prelude.if	2011-10-11 16:42:16.175761565 -0400
 @@ -118,13 +118,18 @@ interface(`prelude_admin',`
  		type prelude_lml_t;
  	')
@@ -2601,7 +2603,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolic
 -	allow $1 prelude_t:process { ptrace signal_perms };
 +	allow $1 prelude_t:process signal_perms;
  	ps_process_pattern($1, prelude_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 prelude_t:process ptrace;
 +		allow $1 prelude_audisp_t:process ptrace;
 +		allow $1 prelude_lml_t:process ptrace;
@@ -2618,7 +2620,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolic
  	init_labeled_script_domtrans($1, prelude_initrc_exec_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if
 --- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/privoxy.if	2011-10-05 14:34:03.843103919 -0400
++++ serefpolicy-3.10.0/policy/modules/services/privoxy.if	2011-10-11 16:42:16.175761565 -0400
 @@ -23,8 +23,11 @@ interface(`privoxy_admin',`
  		type privoxy_etc_rw_t, privoxy_var_run_t;
  	')
@@ -2626,15 +2628,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolic
 -	allow $1 privoxy_t:process { ptrace signal_perms };
 +	allow $1 privoxy_t:process signal_perms;
  	ps_process_pattern($1, privoxy_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 privoxy_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if
---- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace	2011-10-05 14:34:03.544103602 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/psad.if	2011-10-05 14:34:03.843103919 -0400
+--- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace	2011-10-11 16:42:15.853761657 -0400
++++ serefpolicy-3.10.0/policy/modules/services/psad.if	2011-10-11 16:42:16.176761565 -0400
 @@ -295,8 +295,11 @@ interface(`psad_admin',`
  		type psad_tmp_t;
  	')
@@ -2642,38 +2644,34 @@ diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3
 -	allow $1 psad_t:process { ptrace signal_perms };
 +	allow $1 psad_t:process signal_perms;
  	ps_process_pattern($1, psad_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 psad_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, psad_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te
---- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace	2011-10-05 14:34:03.546103604 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/puppet.te	2011-10-05 14:34:03.844103920 -0400
-@@ -62,7 +62,11 @@ files_tmp_file(puppetmaster_tmp_t)
+--- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace	2011-10-11 16:42:15.856761655 -0400
++++ serefpolicy-3.10.0/policy/modules/services/puppet.te	2011-10-11 16:42:16.177761565 -0400
+@@ -62,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t)
  # Puppet personal policy
  #
  
 -allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
 +allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
-+tunable_policy(`allow_ptrace',`
-+	allow puppet_t self:capability sys_ptrace;
-+')
-+
  allow puppet_t self:process { signal signull getsched setsched };
  allow puppet_t self:fifo_file rw_fifo_file_perms;
  allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if
---- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace	2011-10-05 14:34:03.548103606 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/pyzor.if	2011-10-05 14:34:03.845103921 -0400
+--- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace	2011-10-11 16:42:15.857761655 -0400
++++ serefpolicy-3.10.0/policy/modules/services/pyzor.if	2011-10-11 16:42:16.178761565 -0400
 @@ -29,7 +29,10 @@ interface(`pyzor_role',`
  
  	# allow ps to show pyzor and allow the user to kill it 
  	ps_process_pattern($2, pyzor_t)
 -	allow $2 pyzor_t:process { ptrace signal_perms };
 +	allow $2 pyzor_t:process signal_perms;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 pyzor_t:process ptrace;
 +	')
  ')
@@ -2686,15 +2684,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-
 -	allow $1 pyzord_t:process { ptrace signal_perms };
 +	allow $1 pyzord_t:process signal_perms;
  	ps_process_pattern($1, pyzord_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 pyzord_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if
---- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace	2011-10-05 14:34:03.551103609 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/qpid.if	2011-10-05 14:34:03.845103921 -0400
+--- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace	2011-10-11 16:42:15.860761655 -0400
++++ serefpolicy-3.10.0/policy/modules/services/qpid.if	2011-10-11 16:42:16.178761565 -0400
 @@ -177,8 +177,11 @@ interface(`qpidd_admin',`
  		type qpidd_t, qpidd_initrc_exec_t;
  	')
@@ -2702,7 +2700,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3
 -	allow $1 qpidd_t:process { ptrace signal_perms };
 +	allow $1 qpidd_t:process signal_perms;
  	ps_process_pattern($1, qpidd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 qpidd_t:process ptrace;
 +	')
  
@@ -2710,7 +2708,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3
  	qpidd_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if
 --- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/radius.if	2011-10-05 14:34:03.846103922 -0400
++++ serefpolicy-3.10.0/policy/modules/services/radius.if	2011-10-11 16:42:16.179761565 -0400
 @@ -38,8 +38,11 @@ interface(`radius_admin',`
  		type radiusd_initrc_exec_t;
  	')
@@ -2718,15 +2716,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy
 -	allow $1 radiusd_t:process { ptrace signal_perms };
 +	allow $1 radiusd_t:process signal_perms;
  	ps_process_pattern($1, radiusd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 radiusd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if
---- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace	2011-10-05 14:34:03.553103611 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/radvd.if	2011-10-05 14:34:03.846103922 -0400
+--- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace	2011-10-11 16:42:15.862761655 -0400
++++ serefpolicy-3.10.0/policy/modules/services/radvd.if	2011-10-11 16:42:16.179761565 -0400
 @@ -23,8 +23,11 @@ interface(`radvd_admin',`
  		type radvd_var_run_t;
  	')
@@ -2734,30 +2732,30 @@ diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-
 -	allow $1 radvd_t:process { ptrace signal_perms };
 +	allow $1 radvd_t:process signal_perms;
  	ps_process_pattern($1, radvd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 radvd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if
---- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace	2011-10-05 14:34:03.554103612 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/razor.if	2011-10-05 14:34:03.847103923 -0400
+--- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace	2011-10-11 16:42:15.863761655 -0400
++++ serefpolicy-3.10.0/policy/modules/services/razor.if	2011-10-11 16:42:16.180761564 -0400
 @@ -132,7 +132,10 @@ interface(`razor_role',`
  
  	# allow ps to show razor and allow the user to kill it 
  	ps_process_pattern($2, razor_t)
 -	allow $2 razor_t:process { ptrace signal_perms };
 +	allow $2 razor_t:process signal_perms;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $2 razor_t:process ptrace;
 +	')
  
  	manage_dirs_pattern($2, razor_home_t, razor_home_t)
  	manage_files_pattern($2, razor_home_t, razor_home_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if
---- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace	2011-10-05 14:34:03.557103615 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if	2011-10-05 14:34:03.848103924 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace	2011-10-11 16:42:15.866761652 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if	2011-10-11 16:42:16.181761563 -0400
 @@ -117,8 +117,11 @@ interface(`rgmanager_admin',`
  		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
  	')
@@ -2765,15 +2763,26 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpol
 -	allow $1 rgmanager_t:process { ptrace signal_perms };
 +	allow $1 rgmanager_t:process signal_perms;
  	ps_process_pattern($1, rgmanager_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 rgmanager_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
  	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.te
+--- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace	2011-10-11 16:42:15.866761652 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te	2011-10-11 16:42:16.181761563 -0400
+@@ -37,7 +37,6 @@ files_pid_file(rgmanager_var_run_t)
+ #
+ 
+ allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+-dontaudit rgmanager_t self:capability { sys_ptrace };
+ allow rgmanager_t self:process { setsched signal };
+ dontaudit rgmanager_t self:process ptrace;
+ 
 diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if
---- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace	2011-10-05 14:34:03.562103621 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if	2011-10-05 14:34:03.848103924 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace	2011-10-11 16:42:15.871761652 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if	2011-10-11 16:42:16.182761563 -0400
 @@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',`
  	type rhsmcertd_var_run_t;
  	')
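Review bot: `dontaudit rgmanager_t self:capability { sys_ptrace };` is dropped in the rgmanager.te section with nothing taking its place, so once deny_ptrace is on the daemon's sys_ptrace attempts, previously silenced, will surface as AVC denials; the sblim.te section in the hunk that also touches sendmail.if removes `dontaudit sblim_gatherd_t self:capability sys_ptrace;` the same way, directly under the `#needed by ps` comment. If the goal is to keep logs quiet while ptrace is globally off, keep the dontaudit and gate only the allow on the boolean, e.g. `dontaudit rgmanager_t self:capability sys_ptrace;` next to the existing `dontaudit rgmanager_t self:process ptrace;`. If a domain-wide dontaudit elsewhere in this series is meant to cover it, a one-line comment at the removal site would save the next reader the search. The rgmanager_t local-policy block continues outside the visible hunk lines.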
@@ -2781,15 +2790,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpol
 -	allow $1 rhsmcertd_t:process { ptrace signal_perms };
 +	allow $1 rhsmcertd_t:process signal_perms;
  	ps_process_pattern($1, rhsmcertd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 rhsmcertd_t:process ptrace;
 +	')
  
  	rhsmcertd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if
---- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace	2011-10-05 14:34:03.563103622 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ricci.if	2011-10-05 14:34:03.849103926 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace	2011-10-11 16:42:15.873761650 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ricci.if	2011-10-11 16:42:16.182761563 -0400
 @@ -245,8 +245,11 @@ interface(`ricci_admin',`
  		type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
  	')
@@ -2797,7 +2806,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-
 -	allow $1 ricci_t:process { ptrace signal_perms };
 +	allow $1 ricci_t:process signal_perms;
  	ps_process_pattern($1, ricci_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ricci_t:process ptrace;
 +	')
  
@@ -2805,7 +2814,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if
 --- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/roundup.if	2011-10-05 14:34:03.849103926 -0400
++++ serefpolicy-3.10.0/policy/modules/services/roundup.if	2011-10-11 16:42:16.183761563 -0400
 @@ -23,8 +23,11 @@ interface(`roundup_admin',`
  		type roundup_initrc_exec_t;
  	')
@@ -2813,15 +2822,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolic
 -	allow $1 roundup_t:process { ptrace signal_perms };
 +	allow $1 roundup_t:process signal_perms;
  	ps_process_pattern($1, roundup_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 roundup_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if
---- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace	2011-10-05 14:34:03.568103627 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if	2011-10-05 14:34:03.850103927 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace	2011-10-11 16:42:15.878761650 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if	2011-10-11 16:42:16.184761563 -0400
 @@ -155,8 +155,11 @@ interface(`rpcbind_admin',`
  		type rpcbind_initrc_exec_t;
  	')
@@ -2829,30 +2838,27 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolic
 -	allow $1 rpcbind_t:process { ptrace signal_perms };
 +	allow $1 rpcbind_t:process signal_perms;
  	ps_process_pattern($1, rpcbind_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 rpcbind_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te
---- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace	2011-10-05 14:34:03.571103630 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rtkit.te	2011-10-05 14:34:03.851103928 -0400
-@@ -15,7 +15,10 @@ init_system_domain(rtkit_daemon_t, rtkit
+--- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace	2011-10-11 16:42:15.881761648 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rtkit.te	2011-10-11 16:42:16.184761563 -0400
+@@ -15,7 +15,7 @@ init_system_domain(rtkit_daemon_t, rtkit
  # rtkit_daemon local policy
  #
  
 -allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
 +allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice };
-+tunable_policy(`allow_ptrace',`
-+	allow rtkit_daemon_t self:capability sys_ptrace;
-+')
  allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
  
  kernel_read_system_state(rtkit_daemon_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if
---- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace	2011-10-05 14:34:03.572103631 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/rwho.if	2011-10-05 14:34:03.851103928 -0400
+--- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace	2011-10-11 16:42:15.881761648 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rwho.if	2011-10-11 16:42:16.185761563 -0400
 @@ -138,8 +138,11 @@ interface(`rwho_admin',`
  		type rwho_initrc_exec_t;
  	')
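Review bot: The rtkit.te section removes the boolean-gated `allow rtkit_daemon_t self:capability sys_ptrace;` outright instead of moving it under the new boolean, so unlike the `*_admin` interfaces in the same patch there is no deny_ptrace=off path that restores it; the snmp.te section two hunks down (`@@ -26,7 +26,8 @@ files_type(snmpd_var_lib_t)`) does the same for snmpd_t. If those daemons needed the capability, as the original allow suggests, this is a functional regression that toggling deny_ptrace cannot undo. The form consistent with the rest of the patch would be `tunable_policy(`deny_ptrace',`',` / `allow rtkit_daemon_t self:capability sys_ptrace;` / `')` in place of the deleted block, or a dontaudit if the access is known to be spurious. The rtkit_daemon_t local-policy block continues outside the hunk.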
@@ -2860,23 +2866,23 @@ diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3
 -	allow $1 rwho_t:process { ptrace signal_perms };
 +	allow $1 rwho_t:process signal_perms;
  	ps_process_pattern($1, rwho_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 rwho_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if
---- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace	2011-10-05 14:34:03.574103633 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/samba.if	2011-10-05 14:34:03.852103929 -0400
-@@ -785,13 +785,18 @@ interface(`samba_admin',`
+--- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace	2011-10-11 16:42:15.883761648 -0400
++++ serefpolicy-3.10.0/policy/modules/services/samba.if	2011-10-11 16:42:16.186761563 -0400
+@@ -784,13 +784,18 @@ interface(`samba_admin',`
  		type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
  	')
  
 -	allow $1 smbd_t:process { ptrace signal_perms };
 +	allow $1 smbd_t:process signal_perms;
  	ps_process_pattern($1, smbd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 smbd_t:process ptrace;
 +		allow $1 nmbd_t:process ptrace;
 +		allow $1 samba_unconfined_script_t:process ptrace;
@@ -2893,7 +2899,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-
  	samba_run_smbcontrol($1, $2, $3)
 diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if
 --- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/samhain.if	2011-10-05 14:34:03.853103930 -0400
++++ serefpolicy-3.10.0/policy/modules/services/samhain.if	2011-10-11 16:42:16.187761563 -0400
 @@ -271,10 +271,14 @@ interface(`samhain_admin',`
  		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
  	')
@@ -2901,7 +2907,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolic
 -	allow $1 samhain_t:process { ptrace signal_perms };
 +	allow $1 samhain_t:process signal_perms;
  	ps_process_pattern($1, samhain_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 samhain_t:process ptrace;
 +		allow $1 samhaind_t:process ptrace;
 +	')
@@ -2912,8 +2918,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolic
  
  	files_list_var_lib($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if
---- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace	2011-10-05 14:34:03.576103636 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sanlock.if	2011-10-05 14:34:03.854103931 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace	2011-10-11 16:42:15.885761648 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sanlock.if	2011-10-11 16:42:16.187761563 -0400
 @@ -99,8 +99,11 @@ interface(`sanlock_admin',`
  		type sanlock_initrc_exec_t;
  	')
@@ -2921,15 +2927,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolic
 -	allow $1 sanlock_t:process { ptrace signal_perms };
 +	allow $1 sanlock_t:process signal_perms;
  	ps_process_pattern($1, sanlock_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 sanlock_t:process ptrace;
 +	')
  
  	sanlock_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if
---- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace	2011-10-05 14:34:03.577103637 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sasl.if	2011-10-05 14:34:03.854103931 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace	2011-10-11 16:42:15.886761647 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sasl.if	2011-10-11 16:42:16.188761563 -0400
 @@ -42,8 +42,11 @@ interface(`sasl_admin',`
  		type saslauthd_initrc_exec_t;
  	')
@@ -2937,15 +2943,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3
 -	allow $1 saslauthd_t:process { ptrace signal_perms };
 +	allow $1 saslauthd_t:process signal_perms;
  	ps_process_pattern($1, saslauthd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 saslauthd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if
---- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace	2011-10-05 14:34:03.578103638 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sblim.if	2011-10-05 14:34:03.855103932 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace	2011-10-11 16:42:15.888761646 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sblim.if	2011-10-11 16:42:16.188761563 -0400
 @@ -65,11 +65,15 @@ interface(`sblim_admin',`
  		type sblim_var_run_t;
  	')
@@ -2953,7 +2959,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-
 -	allow $1 sblim_gatherd_t:process { ptrace signal_perms };
 +	allow $1 sblim_gatherd_t:process signal_perms;
  	ps_process_pattern($1, sblim_gatherd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 sblim_gatherd_t:process ptrace;
 +		allow $1 sblim_reposd_t:process ptrace;
 +	')
@@ -2966,21 +2972,20 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te
---- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace	2011-10-05 14:34:03.578103638 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sblim.te	2011-10-05 14:34:03.855103932 -0400
-@@ -24,7 +24,8 @@ files_pid_file(sblim_var_run_t)
+--- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace	2011-10-11 16:42:15.888761646 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sblim.te	2011-10-11 16:42:16.189761562 -0400
+@@ -24,7 +24,7 @@ files_pid_file(sblim_var_run_t)
  #
  
  #needed by ps
 -allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
 +allow sblim_gatherd_t self:capability { kill dac_override };
-+dontaudit sblim_gatherd_t self:capability sys_ptrace;
  allow sblim_gatherd_t self:process signal;
  
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if
---- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace	2011-10-05 14:34:03.579103639 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sendmail.if	2011-10-05 14:34:03.856103933 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace	2011-10-11 16:42:15.889761646 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sendmail.if	2011-10-11 16:42:16.189761562 -0400
 @@ -334,10 +334,14 @@ interface(`sendmail_admin',`
  		type mail_spool_t;
  	')
@@ -2988,7 +2993,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpoli
 -	allow $1 sendmail_t:process { ptrace signal_perms };
 +	allow $1 sendmail_t:process signal_perms;
  	ps_process_pattern($1, sendmail_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 sendmail_t:process ptrace;
 +		allow $1 unconfined_sendmail_t:process ptrace;
 +	')
@@ -2999,8 +3004,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpoli
  
  	sendmail_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if
---- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace	2011-10-05 14:34:03.581103641 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if	2011-10-05 14:34:03.856103933 -0400
+--- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace	2011-10-11 16:42:15.890761646 -0400
++++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if	2011-10-11 16:42:16.190761562 -0400
 @@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',`
  		type setroubleshoot_var_lib_t;
  	')
@@ -3008,15 +3013,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace ser
 -	allow $1 setroubleshootd_t:process { ptrace signal_perms };
 +	allow $1 setroubleshootd_t:process signal_perms;
  	ps_process_pattern($1, setroubleshootd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 setroubleshootd_t:process ptrace;
 +	')
  
  	logging_list_logs($1)
  	admin_pattern($1, setroubleshoot_var_log_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if
---- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace	2011-10-05 14:34:03.582103642 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/smartmon.if	2011-10-05 14:34:03.857103934 -0400
+--- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace	2011-10-11 16:42:15.892761646 -0400
++++ serefpolicy-3.10.0/policy/modules/services/smartmon.if	2011-10-11 16:42:16.190761562 -0400
 @@ -42,8 +42,11 @@ interface(`smartmon_admin',`
  		type fsdaemon_initrc_exec_t;
  	')
@@ -3024,7 +3029,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpoli
 -	allow $1 fsdaemon_t:process { ptrace signal_perms };
 +	allow $1 fsdaemon_t:process signal_perms;
  	ps_process_pattern($1, fsdaemon_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 smartmon_t:process ptrace;
 +	')
  
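Review bot: The deny_ptrace false-branch grants `allow $1 smartmon_t:process ptrace;` while every other rule in smartmon_admin, including the ps_process_pattern two lines above, names fsdaemon_t; unless smartmon_t is declared somewhere I cannot see, this either fails to build or grants ptrace on the wrong type. The tftp_admin hunk further down has the same mismatch, `allow $1 tftp_t:process ptrace;` against tftpd_t. These lines are context from the earlier version of the patch, but the commit re-touches the enclosing tunable_policy and leaves them as is; `allow $1 fsdaemon_t:process ptrace;` and `allow $1 tftpd_t:process ptrace;` look like the intended rules. Both interface definitions open outside the visible hunk lines.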
@@ -3032,7 +3037,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpoli
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if
 --- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/smokeping.if	2011-10-05 14:34:03.857103934 -0400
++++ serefpolicy-3.10.0/policy/modules/services/smokeping.if	2011-10-11 16:42:16.191761561 -0400
 @@ -153,8 +153,11 @@ interface(`smokeping_admin',`
  		type smokeping_t, smokeping_initrc_exec_t;
  	')
@@ -3040,15 +3045,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpol
 -	allow $1 smokeping_t:process { ptrace signal_perms };
 +	allow $1 smokeping_t:process signal_perms;
  	ps_process_pattern($1, smokeping_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 smokeping_t:process ptrace;
 +	')
  
  	smokeping_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if
---- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace	2011-10-05 14:34:03.584103644 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snmp.if	2011-10-05 14:34:03.858103935 -0400
+--- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace	2011-10-11 16:42:15.893761645 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snmp.if	2011-10-11 16:42:16.192761560 -0400
 @@ -168,8 +168,11 @@ interface(`snmp_admin',`
  		type snmpd_var_lib_t, snmpd_var_run_t;
  	')
@@ -3056,31 +3061,28 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3
 -	allow $1 snmpd_t:process { ptrace signal_perms };
 +	allow $1 snmpd_t:process signal_perms;
  	ps_process_pattern($1, snmpd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 snmpd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te
---- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace	2011-10-05 14:34:03.585103645 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snmp.te	2011-10-05 14:34:03.858103935 -0400
-@@ -26,7 +26,11 @@ files_type(snmpd_var_lib_t)
+--- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace	2011-10-11 16:42:15.894761644 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snmp.te	2011-10-11 16:42:16.192761560 -0400
+@@ -26,7 +26,8 @@ files_type(snmpd_var_lib_t)
  # Local policy
  #
  
 -allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
 +allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config };
-+tunable_policy(`allow_ptrace',`
-+	allow snmpd_t self:capability sys_ptrace;
-+')
 +
  dontaudit snmpd_t self:capability { sys_module sys_tty_config };
  allow snmpd_t self:process { signal_perms getsched setsched };
  allow snmpd_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if
---- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace	2011-10-05 14:34:03.585103645 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/snort.if	2011-10-05 14:34:03.859103936 -0400
+--- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace	2011-10-11 16:42:15.894761644 -0400
++++ serefpolicy-3.10.0/policy/modules/services/snort.if	2011-10-11 16:42:16.193761560 -0400
 @@ -41,8 +41,11 @@ interface(`snort_admin',`
  		type snort_etc_t, snort_initrc_exec_t;
  	')
@@ -3088,15 +3090,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-
 -	allow $1 snort_t:process { ptrace signal_perms };
 +	allow $1 snort_t:process signal_perms;
  	ps_process_pattern($1, snort_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 snort_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, snort_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if
---- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace	2011-10-05 14:34:03.586103646 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/soundserver.if	2011-10-05 14:34:03.860103937 -0400
+--- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace	2011-10-11 16:42:15.896761644 -0400
++++ serefpolicy-3.10.0/policy/modules/services/soundserver.if	2011-10-11 16:42:16.194761560 -0400
 @@ -37,8 +37,11 @@ interface(`soundserver_admin',`
  		type soundd_tmp_t, soundd_var_run_t;
  	')
@@ -3104,15 +3106,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefp
 -	allow $1 soundd_t:process { ptrace signal_perms };
 +	allow $1 soundd_t:process signal_perms;
  	ps_process_pattern($1, soundd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 soundd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if
---- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace	2011-10-05 14:34:03.587103647 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if	2011-10-05 14:34:03.861103938 -0400
+--- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace	2011-10-11 16:42:15.897761644 -0400
++++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if	2011-10-11 16:42:16.194761560 -0400
 @@ -27,12 +27,12 @@ interface(`spamassassin_role',`
  
  	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
@@ -3135,15 +3137,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace seref
 -	allow $1 spamd_t:process { ptrace signal_perms };
 +	allow $1 spamd_t:process signal_perms;
  	ps_process_pattern($1, spamd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 spamd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if
---- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace	2011-10-05 14:34:03.590103650 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/squid.if	2011-10-05 14:34:03.861103938 -0400
+--- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace	2011-10-11 16:42:15.899761644 -0400
++++ serefpolicy-3.10.0/policy/modules/services/squid.if	2011-10-11 16:42:16.195761560 -0400
 @@ -209,8 +209,11 @@ interface(`squid_admin',`
  		type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
  	')
@@ -3151,15 +3153,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-
 -	allow $1 squid_t:process { ptrace signal_perms };
 +	allow $1 squid_t:process signal_perms;
  	ps_process_pattern($1, squid_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 squid_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, squid_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if
---- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace	2011-10-05 14:34:03.732103801 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ssh.if	2011-10-05 14:34:03.862103939 -0400
+--- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace	2011-10-11 16:42:16.055761600 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ssh.if	2011-10-11 16:42:16.196761560 -0400
 @@ -367,7 +367,7 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
@@ -3179,8 +3181,8 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if
---- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace	2011-10-05 14:34:03.593103654 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/sssd.if	2011-10-05 14:34:03.863103940 -0400
+--- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace	2011-10-11 16:42:15.902761644 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sssd.if	2011-10-11 16:42:16.196761560 -0400
 @@ -232,8 +232,11 @@ interface(`sssd_admin',`
  		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
  	')
@@ -3188,15 +3190,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3
 -	allow $1 sssd_t:process { ptrace signal_perms };
 +	allow $1 sssd_t:process signal_perms;
  	ps_process_pattern($1, sssd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 sssd_t:process ptrace;
 +	')
  
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if
---- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace	2011-10-05 14:34:03.597103658 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tcsd.if	2011-10-05 14:34:03.863103940 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace	2011-10-11 16:42:15.905761641 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tcsd.if	2011-10-11 16:42:16.197761560 -0400
 @@ -137,8 +137,11 @@ interface(`tcsd_admin',`
  		type tcsd_var_lib_t;
  	')
@@ -3204,15 +3206,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3
 -	allow $1 tcsd_t:process { ptrace signal_perms };
 +	allow $1 tcsd_t:process signal_perms;
  	ps_process_pattern($1, tcsd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 tcsd_t:process ptrace;
 +	')
  
  	tcsd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if
---- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace	2011-10-05 14:34:03.598103659 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tftp.if	2011-10-05 14:34:03.864103941 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace	2011-10-11 16:42:15.907761641 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tftp.if	2011-10-11 16:42:16.197761560 -0400
 @@ -109,8 +109,11 @@ interface(`tftp_admin',`
  		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
  	')
@@ -3220,15 +3222,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3
 -	allow $1 tftpd_t:process { ptrace signal_perms };
 +	allow $1 tftpd_t:process signal_perms;
  	ps_process_pattern($1, tftpd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 tftp_t:process ptrace;
 +	')
  
  	files_list_var_lib($1)
  	admin_pattern($1, tftpdir_rw_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if
---- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace	2011-10-05 14:34:03.600103661 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tor.if	2011-10-05 14:34:03.864103941 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace	2011-10-11 16:42:15.909761641 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tor.if	2011-10-11 16:42:16.198761559 -0400
 @@ -42,8 +42,11 @@ interface(`tor_admin',`
  		type tor_initrc_exec_t;
  	')
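Review bot: `allow $1 tftp_t:process ptrace;` inside `tftp_admin` names a type that the visible `gen_require` (`type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;`) does not declare, while the rules immediately above it all target `tftpd_t`. This looks like a typo carried over from the allow_ptrace version: as written the conditional ptrace grant for the tftp daemon either never applies or fails to build if `tftp_t` is undeclared in this interface. Suggested line: `allow $1 tftpd_t:process ptrace;`. The body of `tftp_admin` continues past the hunk.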
@@ -3236,15 +3238,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.
 -	allow $1 tor_t:process { ptrace signal_perms };
 +	allow $1 tor_t:process signal_perms;
  	ps_process_pattern($1, tor_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 tor_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, tor_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if
---- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace	2011-10-05 14:34:03.601103662 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/tuned.if	2011-10-05 14:34:03.865103943 -0400
+--- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace	2011-10-11 16:42:15.910761641 -0400
++++ serefpolicy-3.10.0/policy/modules/services/tuned.if	2011-10-11 16:42:16.198761559 -0400
 @@ -115,8 +115,11 @@ interface(`tuned_admin',`
  		type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
  	')
@@ -3252,7 +3254,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-
 -	allow $1 tuned_t:process { ptrace signal_perms };
 +	allow $1 tuned_t:process signal_perms;
  	ps_process_pattern($1, tuned_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 tuned_t:process ptrace;
 +	')
  
@@ -3260,7 +3262,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if
 --- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/ulogd.if	2011-10-05 14:34:03.865103943 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ulogd.if	2011-10-11 16:42:16.199761558 -0400
 @@ -123,8 +123,11 @@ interface(`ulogd_admin',`
  		type ulogd_var_log_t, ulogd_initrc_exec_t;
  	')
@@ -3268,7 +3270,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-
 -	allow $1 ulogd_t:process { ptrace signal_perms };
 +	allow $1 ulogd_t:process signal_perms;
  	ps_process_pattern($1, ulogd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 ulogd_t:process ptrace;
 +	')
  
@@ -3276,7 +3278,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if
 --- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/uucp.if	2011-10-05 14:34:03.866103944 -0400
++++ serefpolicy-3.10.0/policy/modules/services/uucp.if	2011-10-11 16:42:16.200761558 -0400
 @@ -99,8 +99,11 @@ interface(`uucp_admin',`
  		type uucpd_var_run_t;
  	')
@@ -3284,15 +3286,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3
 -	allow $1 uucpd_t:process { ptrace signal_perms };
 +	allow $1 uucpd_t:process signal_perms;
  	ps_process_pattern($1, uucpd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 uucpd_t:process ptrace;
 +	')
  
  	logging_list_logs($1)
  	admin_pattern($1, uucpd_log_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if
---- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace	2011-10-05 14:34:03.606103667 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/uuidd.if	2011-10-05 14:34:03.866103944 -0400
+--- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace	2011-10-11 16:42:15.915761639 -0400
++++ serefpolicy-3.10.0/policy/modules/services/uuidd.if	2011-10-11 16:42:16.200761558 -0400
 @@ -177,8 +177,11 @@ interface(`uuidd_admin',`
  	type uuidd_var_run_t;
  	')
@@ -3300,7 +3302,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-
 -	allow $1 uuidd_t:process { ptrace signal_perms };
 +	allow $1 uuidd_t:process signal_perms;
  	ps_process_pattern($1, uuidd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 uuidd_t:process ptrace;
 +	')
  
@@ -3308,7 +3310,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if
 --- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/varnishd.if	2011-10-05 14:34:03.867103945 -0400
++++ serefpolicy-3.10.0/policy/modules/services/varnishd.if	2011-10-11 16:42:16.201761558 -0400
 @@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',`
  		type varnishlog_var_run_t;
  	')
@@ -3316,7 +3318,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpoli
 -	allow $1 varnishlog_t:process { ptrace signal_perms };
 +	allow $1 varnishlog_t:process signal_perms;
  	ps_process_pattern($1, varnishlog_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 varnishd_t:process ptrace;
 +	')
  
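Review bot: Inside `varnishd_admin_varnishlog` the conditional rule targets `varnishd_t`, whereas the rules it sits next to (`allow $1 varnishlog_t:process signal_perms;`, `ps_process_pattern($1, varnishlog_t)`) and the visible `gen_require` entry concern `varnishlog_t`; the identical `varnishd_t` rule already appears in the following `varnishd_admin` hunk. This is probably a copy-paste slip, and if `varnishd_t` is not required by this interface it would also fail to compile. Suggested line: `allow $1 varnishlog_t:process ptrace;`. The interface starts and ends outside the hunk.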
@@ -3329,15 +3331,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpoli
 -	allow $1 varnishd_t:process { ptrace signal_perms };
 +	allow $1 varnishd_t:process signal_perms;
  	ps_process_pattern($1, varnishd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 varnishd_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if
---- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace	2011-10-05 14:34:03.608103670 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vdagent.if	2011-10-05 14:34:03.868103946 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace	2011-10-11 16:42:15.917761639 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vdagent.if	2011-10-11 16:42:16.202761558 -0400
 @@ -118,8 +118,11 @@ interface(`vdagent_admin',`
                  type vdagent_var_run_t;
  	')
@@ -3345,15 +3347,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolic
 -	allow $1 vdagent_t:process { ptrace signal_perms };
 +	allow $1 vdagent_t:process signal_perms;
  	ps_process_pattern($1, vdagent_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 vdagent_t:process ptrace;
 +	')
  
  	files_search_pids($1)
  	admin_pattern($1, vdagent_var_run_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if
---- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace	2011-10-05 14:34:03.609103671 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if	2011-10-05 14:34:03.869103947 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace	2011-10-11 16:42:15.918761638 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if	2011-10-11 16:42:16.202761558 -0400
 @@ -210,8 +210,11 @@ interface(`vhostmd_admin',`
  		type vhostmd_t, vhostmd_initrc_exec_t;
  	')
@@ -3361,15 +3363,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolic
 -	allow $1 vhostmd_t:process { ptrace signal_perms };
 +	allow $1 vhostmd_t:process signal_perms;
  	ps_process_pattern($1, vhostmd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 vhostmd_t:process ptrace;
 +	')
  
  	vhostmd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if
---- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace	2011-10-05 14:34:03.611103673 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.if	2011-10-05 14:34:03.870103948 -0400
+--- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace	2011-10-11 16:42:15.920761637 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.if	2011-10-11 16:42:16.203761558 -0400
 @@ -618,10 +618,14 @@ interface(`virt_admin',`
  		type virt_lxc_t;
  	')
@@ -3377,7 +3379,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3
 -	allow $1 virtd_t:process { ptrace signal_perms };
 +	allow $1 virtd_t:process signal_perms;
  	ps_process_pattern($1, virtd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 virtd_t:process ptrace;
 +		allow $1 virt_lxc_t:process ptrace;
 +	')
@@ -3397,24 +3399,28 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3
  
  ########################################
 diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te
---- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace	2011-10-05 14:34:03.685103751 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-05 14:34:03.870103948 -0400
-@@ -247,7 +247,11 @@ optional_policy(`
+--- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace	2011-10-11 16:42:16.006761613 -0400
++++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-11 16:42:16.204761558 -0400
+@@ -247,7 +247,7 @@ optional_policy(`
  # virtd local policy
  #
  
 -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
 +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-+tunable_policy(`allow_ptrace',`
-+	allow virtd_t self:capability sys_ptrace;
-+')
-+
  allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
  ifdef(`hide_broken_symptoms',`
  	# caused by some bogus kernel code
+@@ -838,7 +838,6 @@ optional_policy(`
+ # virt_lxc_domain local policy
+ #
+ allow svirt_lxc_domain self:capability { setuid setgid dac_override };
+-dontaudit svirt_lxc_domain self:capability sys_ptrace;
+ 
+ allow virtd_t svirt_lxc_domain:process { signal_perms };
+ allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
 diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if
---- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace	2011-10-05 14:34:03.613103675 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if	2011-10-05 14:34:03.871103949 -0400
+--- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace	2011-10-11 16:42:15.922761637 -0400
++++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if	2011-10-11 16:42:16.204761558 -0400
 @@ -136,8 +136,11 @@ interface(`vnstatd_admin',`
  		type vnstatd_t, vnstatd_var_lib_t;
  	')
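Review bot: The outer change drops the `tunable_policy(`allow_ptrace',` … allow virtd_t self:capability sys_ptrace; …')` block in virt.te without a `deny_ptrace` counterpart, so virtd_t loses CAP_SYS_PTRACE unconditionally, while the same commit keeps `sys_ptrace` under `tunable_policy(`deny_ptrace',`',`…')` for unconfined domains (unconfined.if) and the admin user template (userdomain.if). The xserver.te (xdm_t and xserver_t) and udev.te hunks make the same unconditional removal and share this point. Unless a domain-wide grant under the tunable exists elsewhere in the series (not visible in this chunk), ptrace of a process with a different uid by these daemons will be denied even with deny_ptrace off, although `virt_admin` still conditionally grants `process ptrace` on virtd_t. If the asymmetry is intended, a comment such as `# sys_ptrace intentionally removed; not restored by deny_ptrace` next to each capability line would record that.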
@@ -3422,15 +3428,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolic
 -	allow $1 vnstatd_t:process { ptrace signal_perms };
 +	allow $1 vnstatd_t:process signal_perms;
  	ps_process_pattern($1, vnstatd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 vnstatd_t:process ptrace;
 +	')
  
  	files_list_var_lib($1)
  	admin_pattern($1, vnstatd_var_lib_t)
 diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if
---- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace	2011-10-05 14:34:03.615103677 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/wdmd.if	2011-10-05 14:34:03.872103950 -0400
+--- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace	2011-10-11 16:42:15.924761637 -0400
++++ serefpolicy-3.10.0/policy/modules/services/wdmd.if	2011-10-11 16:42:16.205761557 -0400
 @@ -62,8 +62,11 @@ interface(`wdmd_admin',`
  		type wdmd_initrc_exec_t;
  	')
@@ -3438,48 +3444,44 @@ diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3
 -	allow $1 wdmd_t:process { ptrace signal_perms };
 +	allow $1 wdmd_t:process signal_perms;
  	ps_process_pattern($1, wdmd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 wdmd_t:process ptrace;
 +	')
  
  	wdmd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te
---- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace	2011-10-05 14:34:03.734103803 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/xserver.te	2011-10-05 14:34:03.873103951 -0400
-@@ -417,8 +417,14 @@ optional_policy(`
+--- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace	2011-10-11 16:42:16.063761597 -0400
++++ serefpolicy-3.10.0/policy/modules/services/xserver.te	2011-10-11 16:42:16.206761556 -0400
+@@ -417,8 +417,13 @@ optional_policy(`
  # XDM Local policy
  #
  
 -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
 -allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace };
 +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-+dontaudit xdm_t self:capability sys_ptrace;
 +
 +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow xdm_t self:process ptrace;
 +')
 +
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
-@@ -929,7 +935,11 @@ allow xserver_t input_xevent_t:x_event s
+@@ -929,7 +934,8 @@ allow xserver_t input_xevent_t:x_event s
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
 -allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 +allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+tunable_policy(`allow_ptrace',`
-+	allow xserver_t self:capability sys_ptrace;
-+')
 +
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
 diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if
---- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace	2011-10-05 14:34:03.621103683 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/zabbix.if	2011-10-05 14:34:03.873103951 -0400
+--- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace	2011-10-11 16:42:15.929761635 -0400
++++ serefpolicy-3.10.0/policy/modules/services/zabbix.if	2011-10-11 16:42:16.207761556 -0400
 @@ -142,8 +142,11 @@ interface(`zabbix_admin',`
  		type zabbix_initrc_exec_t;
  	')
@@ -3487,15 +3489,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy
 -	allow $1 zabbix_t:process { ptrace signal_perms };
 +	allow $1 zabbix_t:process signal_perms;
  	ps_process_pattern($1, zabbix_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 zabbix_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if
---- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace	2011-10-05 14:34:03.623103686 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/zebra.if	2011-10-05 14:34:03.874103952 -0400
+--- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace	2011-10-11 16:42:15.931761635 -0400
++++ serefpolicy-3.10.0/policy/modules/services/zebra.if	2011-10-11 16:42:16.207761556 -0400
 @@ -64,8 +64,11 @@ interface(`zebra_admin',`
  		type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
  	')
@@ -3503,29 +3505,41 @@ diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-
 -	allow $1 zebra_t:process { ptrace signal_perms };
 +	allow $1 zebra_t:process signal_perms;
  	ps_process_pattern($1, zebra_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 zebra_t:process ptrace;
 +	')
  
  	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
  	domain_system_change_exemption($1)
+diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-3.10.0/policy/modules/system/hotplug.te
+--- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace	2011-10-11 16:42:15.941761633 -0400
++++ serefpolicy-3.10.0/policy/modules/system/hotplug.te	2011-10-11 16:42:16.208761556 -0400
+@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
+ #
+ 
+ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
+-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
++dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit hotplug_t self:capability { dac_override dac_read_search };
+ allow hotplug_t self:process { setpgid getsession getattr signal_perms };
 diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if
---- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace	2011-10-05 14:34:03.634103697 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/init.if	2011-10-05 14:34:03.875103953 -0400
+--- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace	2011-10-11 16:42:15.942761632 -0400
++++ serefpolicy-3.10.0/policy/modules/system/init.if	2011-10-11 16:42:16.209761556 -0400
 @@ -1123,7 +1123,9 @@ interface(`init_ptrace',`
  		type init_t;
  	')
  
 -	allow $1 init_t:process ptrace;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 init_t:process ptrace;
 +	')
  ')
  
  ########################################
 diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te
---- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace	2011-10-05 14:34:03.713103781 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/init.te	2011-10-05 14:34:03.875103953 -0400
+--- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace	2011-10-11 16:42:16.031761606 -0400
++++ serefpolicy-3.10.0/policy/modules/system/init.te	2011-10-11 16:42:16.209761556 -0400
 @@ -121,7 +121,7 @@ ifdef(`enable_mls',`
  #
  
@@ -3535,7 +3549,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.1
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -406,7 +406,8 @@ optional_policy(`
+@@ -408,7 +408,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -3546,20 +3560,52 @@ diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.1
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te
---- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace	2011-10-05 14:34:03.637103700 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/ipsec.te	2011-10-05 14:34:03.876103954 -0400
-@@ -194,7 +194,7 @@ optional_policy(`
+--- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace	2011-10-11 16:42:15.946761630 -0400
++++ serefpolicy-3.10.0/policy/modules/system/ipsec.te	2011-10-11 16:42:16.210761556 -0400
+@@ -73,7 +73,7 @@ role system_r types setkey_t;
+ #
+ 
+ allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
++dontaudit ipsec_t self:capability sys_tty_config;
+ allow ipsec_t self:process { getcap setcap getsched signal setsched };
+ allow ipsec_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_t self:udp_socket create_socket_perms;
+@@ -193,8 +193,8 @@ optional_policy(`
+ #
  
  allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
- dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
+-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
 -allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
++dontaudit ipsec_mgmt_t self:capability sys_tty_config;
 +allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+@@ -251,9 +251,6 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+ kernel_getattr_core_if(ipsec_mgmt_t)
+ kernel_getattr_message_if(ipsec_mgmt_t)
+ 
+-# don't audit using of lsof
+-dontaudit ipsec_mgmt_t self:capability sys_ptrace;
+-
+ domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
+ domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
+ 
+diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.10.0/policy/modules/system/iscsi.te
+--- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace	2011-10-11 16:42:15.948761630 -0400
++++ serefpolicy-3.10.0/policy/modules/system/iscsi.te	2011-10-11 16:42:16.211761556 -0400
+@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
+ #
+ 
+ allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
+-dontaudit iscsid_t self:capability sys_ptrace;
+ allow iscsid_t self:process { setrlimit setsched signal };
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te
---- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace	2011-10-05 14:34:03.642103706 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/locallogin.te	2011-10-05 14:34:03.877103955 -0400
+--- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace	2011-10-11 16:42:15.950761629 -0400
++++ serefpolicy-3.10.0/policy/modules/system/locallogin.te	2011-10-11 16:42:16.211761556 -0400
 @@ -32,7 +32,7 @@ role system_r types sulogin_t;
  # Local login local policy
  #
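Review bot: The ipsec_mgmt_t hunk removes `dontaudit ipsec_mgmt_t self:capability sys_ptrace;` together with its `# don't audit using of lsof` rationale, and the same silencing rules are removed for ipsec_t and iscsid_t here, for hotplug_t in the init.if hunk, and for dhcpc_t in the sysnetwork.te hunk. Whatever prompted those dontaudits (per the removed comment, tools such as lsof probing processes) has not changed, so unless a domain-wide `dontaudit … sys_ptrace` is introduced elsewhere in this series (not visible in this chunk), these domains will start emitting AVC denials that were previously suppressed. Worth confirming the global replacement exists before merging, or keeping the per-domain dontaudits.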
@@ -3570,8 +3616,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpoli
  allow local_login_t self:fd use;
  allow local_login_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if
---- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace	2011-10-05 14:34:03.643103707 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/logging.if	2011-10-05 14:34:03.878103956 -0400
+--- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace	2011-10-11 16:42:15.952761628 -0400
++++ serefpolicy-3.10.0/policy/modules/system/logging.if	2011-10-11 16:42:16.212761555 -0400
 @@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',`
  		type auditd_initrc_exec_t;
  	')
@@ -3580,7 +3626,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-
 +	allow $1 auditd_t:process signal_perms;
  	ps_process_pattern($1, auditd_t)
  
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 auditd_t:process ptrace;
 +	')
 +
@@ -3597,7 +3643,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-
 +	allow $1 klogd_t:process signal_perms;
  	ps_process_pattern($1, syslogd_t)
  	ps_process_pattern($1, klogd_t)
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 syslogd_t:process ptrace;
 +		allow $1 klogd_t:process ptrace;
 +	')
@@ -3605,15 +3651,15 @@ diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-
  	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
  	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
 diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te
---- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace	2011-10-05 14:34:03.650103714 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/mount.te	2011-10-05 14:34:03.878103956 -0400
+--- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace	2011-10-11 16:42:15.959761626 -0400
++++ serefpolicy-3.10.0/policy/modules/system/mount.te	2011-10-11 16:42:16.212761555 -0400
 @@ -48,7 +48,11 @@ role system_r types showmount_t;
  
  # setuid/setgid needed to mount cifs 
  allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
 -allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
 +allow mount_t self:process { getcap getsched setcap setrlimit signal };
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow mount_t self:process ptrace;
 +')
 +
@@ -3621,43 +3667,43 @@ diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.
  allow mount_t self:unix_stream_socket create_stream_socket_perms;
  allow mount_t self:unix_dgram_socket create_socket_perms; 
 diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te
---- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace	2011-10-05 14:34:03.658103723 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te	2011-10-05 14:34:03.879103957 -0400
-@@ -54,7 +54,10 @@ allow dhcpc_t self:capability { dac_over
- dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
+--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace	2011-10-11 16:42:15.966761624 -0400
++++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te	2011-10-11 16:42:16.213761554 -0400
+@@ -51,10 +51,13 @@ files_config_file(net_conf_t)
+ # DHCP client local policy
+ #
+ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
++dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
 -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
 +allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms };
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow dhcpc_t self:process ptrace;
 +')
  
  allow dhcpc_t self:fifo_file rw_fifo_file_perms;
  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te
---- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace	2011-10-05 14:34:03.661103726 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/udev.te	2011-10-05 14:34:03.879103957 -0400
-@@ -34,7 +34,11 @@ ifdef(`enable_mcs',`
+--- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace	2011-10-11 16:42:15.970761624 -0400
++++ serefpolicy-3.10.0/policy/modules/system/udev.te	2011-10-11 16:42:16.214761554 -0400
+@@ -34,7 +34,7 @@ ifdef(`enable_mcs',`
  # Local policy
  #
  
 -allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
 +allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
-+tunable_policy(`allow_ptrace',`
-+	allow udev_t self:capability sys_ptrace;
-+')
-+
  dontaudit udev_t self:capability sys_tty_config;
  
  ifdef(`hide_broken_symptoms',`
-@@ -42,7 +46,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -42,7 +42,11 @@ ifdef(`hide_broken_symptoms',`
  	dontaudit udev_t self:capability sys_module;
  ')
  
 -allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+tunable_policy(`allow_ptrace',`
++tunable_policy(`deny_ptrace',`',`
 +	allow udev_t self:process ptrace;
 +')
 +
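Review bot: The rewritten capability set for udev_t lists `sys_nice` twice (`… sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice`); the duplicate should be harmless to checkpolicy but suggests the line was hand-edited rather than regenerated. Dropping the trailing entry keeps the rule tidy: `allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid };`.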
@@ -3665,8 +3711,8 @@ diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.1
  allow udev_t self:fd use;
  allow udev_t self:fifo_file rw_fifo_file_perms;
 diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if
---- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace	2011-10-05 14:34:03.676103742 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if	2011-10-05 14:34:03.880103958 -0400
+--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace	2011-10-11 16:42:15.988761619 -0400
++++ serefpolicy-3.10.0/policy/modules/system/unconfined.if	2011-10-11 16:42:16.214761554 -0400
 @@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',`
  	')
  
@@ -3674,7 +3720,7 @@ diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpoli
 -	allow $1 self:capability ~sys_module;
 +
 +	allow $1 self:capability ~{ sys_module sys_ptrace };
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 self:capability sys_ptrace;
 +	')
 +
@@ -3682,15 +3728,15 @@ diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpoli
  	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
  
 diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if
---- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace	2011-10-05 14:34:03.736103806 -0400
-+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if	2011-10-05 14:34:03.881103960 -0400
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace	2011-10-11 16:42:16.065761597 -0400
++++ serefpolicy-3.10.0/policy/modules/system/userdomain.if	2011-10-11 16:42:16.216761554 -0400
 @@ -40,7 +40,10 @@ template(`userdom_base_user_template',`
  	role $1_r types $1_t;
  	allow system_r $1_r;
  
 -	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
 +	allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1_usertype $1_usertype:process ptrace;
 +	')
  	allow $1_usertype $1_usertype:fd use;
@@ -3705,23 +3751,37 @@ diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpoli
  	dontaudit $1_t self:process setrlimit;
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
-@@ -1052,7 +1055,7 @@ template(`userdom_admin_user_template',`
+@@ -1052,7 +1055,10 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
 -	allow $1_t self:capability ~{ sys_module audit_control audit_write };
 +	allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
++	tunable_policy(`deny_ptrace',`',`
++		allow $1_t self:capability sys_ptrace;
++	')
  	allow $1_t self:capability2 syslog;
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-@@ -3638,7 +3641,9 @@ interface(`userdom_ptrace_all_users',`
+@@ -3657,7 +3663,9 @@ interface(`userdom_ptrace_all_users',`
  		attribute userdomain;
  	')
  
 -	allow $1 userdomain:process ptrace;
-+	tunable_policy(`allow_ptrace',`
++	tunable_policy(`deny_ptrace',`',`
 +		allow $1 userdomain:process ptrace;
 +	')
  ')
  
  ########################################
+diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace serefpolicy-3.10.0/policy/modules/system/xen.te
+--- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace	2011-10-11 16:42:15.977761622 -0400
++++ serefpolicy-3.10.0/policy/modules/system/xen.te	2011-10-11 16:42:16.217761554 -0400
+@@ -206,7 +206,6 @@ tunable_policy(`xend_run_qemu',`
+ #
+ 
+ allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
+-dontaudit xend_t self:capability { sys_ptrace };
+ allow xend_t self:process { signal sigkill };
+ dontaudit xend_t self:process ptrace;
+ # internal communication is often done using fifo and unix sockets.
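Review bot: Dropping `dontaudit xend_t self:capability { sys_ptrace };` while `dontaudit xend_t self:process ptrace;` is kept leaves the two halves of xend's ptrace suppression inconsistent: xend_t has no sys_ptrace in its capability allow list on the line above, so any CAP_SYS_PTRACE check it triggers now surfaces as an AVC denial. If making such attempts visible under deny_ptrace is the intent, that is reasonable but deserves a comment in xen.te such as `# sys_ptrace denials are intentionally audited`; if it is not, the dontaudit should stay. This is a file section newly added to ptrace.patch, so the surrounding xen.te context is not visible here.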
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 11ecaf7..93631ef 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 38.1%{?dist}
+Release: 39.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -29,6 +29,7 @@ patch4: execmem.patch
 patch5: userdomain.patch
 patch6: apache.patch
 patch7: ptrace.patch
+patch8: dontaudit.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
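Review bot: `patch8: dontaudit.patch` is declared here and applied by `%patch8 -p1 -b .dontaudit` in the %prep hunk below, but no dontaudit.patch file appears in this diff; unless it is committed separately, rpmbuild stops at %prep with a missing source for Patch8. That %prep hunk also un-comments `%patch7 -p1 -b .ptrace`, so the ptrace.patch edits reviewed above become live in this build for the first time since the line was disabled.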
@@ -218,7 +219,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
    rm /etc/selinux/%2/.rebuild; \
    if [ %1 -ne 1 ]; then \
-	/usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+	/usr/sbin/semodule -n -s %2 -r hotplug howl java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
    fi \
    /usr/sbin/semodule -B -s %2; \
 else \
@@ -248,7 +249,8 @@ Based off of reference policy: Checked out revision  2.20091117
 %patch4 -p1 -b .execmem
 %patch5 -p1 -b .userdomain
 %patch6 -p1 -b .apache
-#%patch7 -p1 -b .ptrace
+%patch7 -p1 -b .ptrace
+%patch8 -p1 -b .dontaudit
 
 %install
 mkdir selinux_config
@@ -480,6 +482,31 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Oct 11 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-39.1
+- Remove allow_ptrace and replace it with deny_ptrace, which will remove all 
+ptrace from the system
+- Remove 2000 dontaudit rules between confined domains on transition
+and replace with single
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+
+* Mon Oct 10 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-39
+- Fixes for bootloader policy
+- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore
+- Allow nsplugin to read /usr/share/config
+- Allow sa-update to update rules
+- Add use_fusefs_home_dirs for chroot ssh option
+- Fixes for grub2
+- Update systemd_exec_systemctl() interface
+- Allow gpg to read the mail spool
+- More fixes for sa-update running out of cron job
+- Allow ipsec_mgmt_t to read hardware state information
+- Allow pptp_t to connect to unreserved_port_t
+- Dontaudit getattr on initctl in /dev from chfn
+- Dontaudit getattr on kernel_core from chfn
+- Add systemd_list_unit_dirs to systemd_exec_systemctl call
+- Fixes for collectd policy
+- CHange sysadm_t to create content as user_tmp_t under /tmp
+
 * Thu Oct 6 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-38.1
 - Shrink size of policy through use of attributes for userdomain and apache
 
@@ -496,9 +523,6 @@ SELinux Reference policy mls base module.
 - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
 - Allow systemd_logind_t to manage /run/USER/dconf/user
 
-* Tue Oct 3 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-36.2
-- Make allow_ptrace remove all ptrace
-
 * Tue Oct 3 2011 Dan Walsh <dwalsh at redhat.com> 3.10.0-36.1
 - Fix missing patch from F16
 
diff --git a/userdomain.patch b/userdomain.patch
index 8556ed4..34832c9 100644
--- a/userdomain.patch
+++ b/userdomain.patch
@@ -1,7 +1,6 @@
-diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 66cf96c..a6d907b 100644
---- a/policy/modules/admin/usermanage.if
-+++ b/policy/modules/admin/usermanage.if
+diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.if
+--- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain	2011-10-11 10:15:28.062129903 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if	2011-10-11 10:15:28.489129089 -0400
 @@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',`
  	role $2 types useradd_t;
  
@@ -11,11 +10,10 @@ index 66cf96c..a6d907b 100644
  
  	seutil_run_semanage(useradd_t, $2)
  
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 4779a8d..7d7efd7 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -509,7 +509,7 @@ seutil_domtrans_setfiles(useradd_t)
+diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.te
+--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain	2011-10-11 10:15:28.447129169 -0400
++++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te	2011-10-11 10:15:28.490129087 -0400
+@@ -512,7 +512,7 @@ seutil_domtrans_setfiles(useradd_t)
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
  userdom_home_filetrans_user_home_dir(useradd_t)
@@ -24,10 +22,9 @@ index 4779a8d..7d7efd7 100644
  
  mta_manage_spool(useradd_t)
  
-diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
-index e23f640..182d6d1 100644
---- a/policy/modules/apps/execmem.if
-+++ b/policy/modules/apps/execmem.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain serefpolicy-3.10.0/policy/modules/apps/execmem.if
+--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain	2011-10-11 10:15:28.472129121 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/execmem.if	2011-10-11 10:15:28.491129085 -0400
 @@ -57,8 +57,6 @@ template(`execmem_role_template',`
  	role $2 types $1_execmem_t;
  
@@ -37,10 +34,9 @@ index e23f640..182d6d1 100644
  
  	allow $1_execmem_t self:process { execmem execstack };
  	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
-diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
-index 7c398c0..c64cced 100644
---- a/policy/modules/apps/java.if
-+++ b/policy/modules/apps/java.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3.10.0/policy/modules/apps/java.if
+--- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain	2011-10-11 10:15:28.077129873 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/java.if	2011-10-11 10:15:28.492129083 -0400
 @@ -73,7 +73,8 @@ template(`java_role_template',`
  	domain_interactive_fd($1_java_t)
  
@@ -51,10 +47,9 @@ index 7c398c0..c64cced 100644
  
  	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
  
-diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
-index 1fa8573..8179185 100644
---- a/policy/modules/apps/mono.if
-+++ b/policy/modules/apps/mono.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mono.if
+--- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain	2011-10-11 10:15:28.082129864 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mono.if	2011-10-11 10:15:28.493129081 -0400
 @@ -49,7 +49,8 @@ template(`mono_role_template',`
  	corecmd_bin_domtrans($1_mono_t, $1_t)
  
@@ -65,10 +60,9 @@ index 1fa8573..8179185 100644
  
  	optional_policy(`
  		xserver_role($1_r, $1_mono_t)
-diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 83fc139..596232f 100644
---- a/policy/modules/apps/mozilla.if
-+++ b/policy/modules/apps/mozilla.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mozilla.if
+--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain	2011-10-11 10:15:28.083129862 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if	2011-10-11 10:15:28.494129079 -0400
 @@ -51,7 +51,7 @@ interface(`mozilla_role',`
  	mozilla_run_plugin(mozilla_t, $1)
  	mozilla_dbus_chat($2)
@@ -78,10 +72,9 @@ index 83fc139..596232f 100644
  
  	optional_policy(`
  		nsplugin_role($1, mozilla_t)
-diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
-index 1925bd9..0a794bc 100644
---- a/policy/modules/apps/nsplugin.if
-+++ b/policy/modules/apps/nsplugin.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain	2011-10-11 10:15:28.087129854 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if	2011-10-11 10:15:28.495129077 -0400
 @@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', `
  	userdom_use_inherited_user_terminals(nsplugin_t)
  	userdom_use_inherited_user_terminals(nsplugin_config_t)
@@ -91,11 +84,10 @@ index 1925bd9..0a794bc 100644
  
  	optional_policy(`
  		pulseaudio_role($1, nsplugin_t)
-diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
-index 9bf1dd8..564d1ea 100644
---- a/policy/modules/apps/nsplugin.te
-+++ b/policy/modules/apps/nsplugin.te
-@@ -284,6 +284,7 @@ userdom_search_user_home_content(nsplugin_config_t)
+diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
+--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain	2011-10-11 10:15:28.088129853 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te	2011-10-11 10:15:28.496129075 -0400
+@@ -286,6 +286,7 @@ userdom_search_user_home_content(nsplugi
  userdom_read_user_home_content_symlinks(nsplugin_config_t)
  userdom_read_user_home_content_files(nsplugin_config_t)
  userdom_dontaudit_search_admin_dir(nsplugin_config_t)
@@ -103,10 +95,9 @@ index 9bf1dd8..564d1ea 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_getattr_nfs(nsplugin_t)
-diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index 9a5e99c..1e6cf7d 100644
---- a/policy/modules/apps/pulseaudio.if
-+++ b/policy/modules/apps/pulseaudio.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if
+--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain	2011-10-11 10:15:28.089129851 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if	2011-10-11 10:15:28.497129073 -0400
 @@ -35,9 +35,9 @@ interface(`pulseaudio_role',`
  	allow pulseaudio_t $2:unix_stream_socket connectto;
  	allow $2 pulseaudio_t:unix_stream_socket connectto;
@@ -120,10 +111,9 @@ index 9a5e99c..1e6cf7d 100644
  
  	allow $2 pulseaudio_t:dbus send_msg;
  	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
-diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index 8522ab4..6941c29 100644
---- a/policy/modules/apps/pulseaudio.te
-+++ b/policy/modules/apps/pulseaudio.te
+diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te
+--- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain	2011-10-11 10:15:28.091129847 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te	2011-10-11 10:15:28.498129071 -0400
 @@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
  
  miscfiles_read_localization(pulseaudio_t)
@@ -135,11 +125,10 @@ index 8522ab4..6941c29 100644
  optional_policy(`
  	alsa_read_rw_config(pulseaudio_t)
  ')
-diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index 8895098..19438a5 100644
---- a/policy/modules/apps/userhelper.if
-+++ b/policy/modules/apps/userhelper.if
-@@ -294,7 +294,7 @@ template(`userhelper_console_role_template',`
+diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.if
+--- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain	2011-10-11 10:15:28.102129826 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if	2011-10-11 10:15:28.498129071 -0400
+@@ -294,7 +294,7 @@ template(`userhelper_console_role_templa
  
  	auth_use_pam($1_consolehelper_t)
  
@@ -148,10 +137,9 @@ index 8895098..19438a5 100644
  
  	optional_policy(`
  		dbus_connect_session_bus($1_consolehelper_t)
-diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
-index 8ce8577..f967898 100644
---- a/policy/modules/apps/userhelper.te
-+++ b/policy/modules/apps/userhelper.te
+diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.te
+--- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain	2011-10-11 10:15:28.102129826 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te	2011-10-11 10:15:28.499129069 -0400
 @@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain)
  userdom_use_user_ptys(consolehelper_domain)
  userdom_use_user_ttys(consolehelper_domain)
@@ -160,10 +148,9 @@ index 8ce8577..f967898 100644
  
  optional_policy(`
  	gnome_read_gconf_home_files(consolehelper_domain)
-diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
-index e10101a..cf453e6 100644
---- a/policy/modules/apps/wine.if
-+++ b/policy/modules/apps/wine.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wine.if
+--- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain	2011-10-11 10:15:28.105129820 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/wine.if	2011-10-11 10:15:28.499129069 -0400
 @@ -105,7 +105,8 @@ template(`wine_role_template',`
  	corecmd_bin_domtrans($1_wine_t, $1_t)
  
@@ -174,10 +161,9 @@ index e10101a..cf453e6 100644
  
  	domain_mmap_low($1_wine_t)
  
-diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
-index 50c1a74..d618395 100644
---- a/policy/modules/apps/wm.if
-+++ b/policy/modules/apps/wm.if
+diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wm.if
+--- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain	2011-10-11 10:15:28.107129816 -0400
++++ serefpolicy-3.10.0/policy/modules/apps/wm.if	2011-10-11 10:15:28.500129068 -0400
 @@ -77,9 +77,13 @@ template(`wm_role_template',`
  	miscfiles_read_fonts($1_wm_t)
  	miscfiles_read_localization($1_wm_t)
@@ -195,10 +181,22 @@ index 50c1a74..d618395 100644
  	userdom_exec_user_tmp_files($1_wm_t)
  
  	optional_policy(`
-diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
-index e1113e0..5bcd298 100644
---- a/policy/modules/roles/unconfineduser.te
-+++ b/policy/modules/roles/unconfineduser.te
+diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolicy-3.10.0/policy/modules/roles/sysadm.te
+--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain	2011-10-11 10:15:28.000000000 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te	2011-10-11 10:16:15.471039586 -0400
+@@ -60,7 +60,8 @@ sysnet_filetrans_named_content(sysadm_t)
+ # Add/remove user home directories
+ userdom_manage_user_home_dirs(sysadm_t)
+ userdom_home_filetrans_user_home_dir(sysadm_t)
+-userdom_manage_tmp_role(sysadm_r, sysadm_t)
++userdom_manage_tmp_role(sysadm_r)
++userdom_manage_tmp(sysadm_t)
+ 
+ optional_policy(`
+ 	ssh_filetrans_admin_home_content(sysadm_t)
+diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
+--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain	2011-10-11 10:15:28.476129113 -0400
++++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te	2011-10-11 10:15:28.501129066 -0400
 @@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true)
  # calls is not correct, however we dont currently
  # have another method to add access to these types
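Review bot: `userdom_manage_tmp_role(sysadm_r)` now takes only the role and the domain rules move to a separate `userdom_manage_tmp(sysadm_t)` call; because m4 silently discards surplus arguments, any other caller still passing `(role, domain)` keeps building but loses the domain half of its /tmp access. The remaining callers of the interface should be checked in the same change; none are visible in this diff, and the interface definition itself is not in any hunk shown here.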
@@ -215,10 +213,9 @@ index e1113e0..5bcd298 100644
  userdom_unpriv_usertype(unconfined, unconfined_t)
  
  type unconfined_exec_t;
-diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 49a4283..7a3ea96 100644
---- a/policy/modules/services/rshd.te
-+++ b/policy/modules/services/rshd.te
+diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpolicy-3.10.0/policy/modules/services/rshd.te
+--- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain	2011-10-11 10:15:28.333129386 -0400
++++ serefpolicy-3.10.0/policy/modules/services/rshd.te	2011-10-11 10:15:28.502129064 -0400
 @@ -66,7 +66,7 @@ seutil_read_config(rshd_t)
  seutil_read_default_contexts(rshd_t)
  
@@ -228,10 +225,9 @@ index 49a4283..7a3ea96 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(rshd_t)
-diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 8e3e9de..862e108 100644
---- a/policy/modules/services/ssh.if
-+++ b/policy/modules/services/ssh.if
+diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.if
+--- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain	2011-10-11 10:15:28.354129346 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ssh.if	2011-10-11 10:15:28.503129062 -0400
 @@ -380,7 +380,7 @@ template(`ssh_role_template',`
  	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
  	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
@@ -241,10 +237,9 @@ index 8e3e9de..862e108 100644
  
  	##############################
  	#
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index d81a09f..3fdc1df 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
+diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.te
+--- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain	2011-10-11 10:15:28.355129344 -0400
++++ serefpolicy-3.10.0/policy/modules/services/ssh.te	2011-10-11 10:15:28.503129062 -0400
 @@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t)
  userdom_write_user_tmp_files(ssh_t)
  userdom_read_user_home_content_symlinks(ssh_t)
@@ -253,7 +248,7 @@ index d81a09f..3fdc1df 100644
  
  tunable_policy(`allow_ssh_keysign',`
  	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(sshd_t)
+@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(
  
  userdom_read_user_home_content_files(sshd_t)
  userdom_read_user_home_content_symlinks(sshd_t)
@@ -262,10 +257,9 @@ index d81a09f..3fdc1df 100644
  userdom_spec_domtrans_unpriv_users(sshd_t)
  userdom_signal_unpriv_users(sshd_t)
  userdom_dyntransition_unpriv_users(sshd_t)
-diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 7d5a298..36b8a4c 100644
---- a/policy/modules/services/sssd.te
-+++ b/policy/modules/services/sssd.te
+diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpolicy-3.10.0/policy/modules/services/sssd.te
+--- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain	2011-10-11 10:15:28.356129342 -0400
++++ serefpolicy-3.10.0/policy/modules/services/sssd.te	2011-10-11 10:15:28.504129060 -0400
 @@ -92,7 +92,7 @@ miscfiles_read_generic_certs(sssd_t)
  sysnet_dns_name_resolve(sssd_t)
  sysnet_use_ldap(sssd_t)
@@ -275,10 +269,9 @@ index 7d5a298..36b8a4c 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 60e0e2d..fcf2f38 100644
---- a/policy/modules/services/xserver.te
-+++ b/policy/modules/services/xserver.te
+diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefpolicy-3.10.0/policy/modules/services/xserver.te
+--- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain	2011-10-11 10:15:28.480129106 -0400
++++ serefpolicy-3.10.0/policy/modules/services/xserver.te	2011-10-11 10:15:28.505129058 -0400
 @@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t)
  userdom_manage_user_tmp_dirs(xdm_t)
  userdom_manage_user_tmp_files(xdm_t)
@@ -288,10 +281,9 @@ index 60e0e2d..fcf2f38 100644
  
  application_signal(xdm_t)
  
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e7a65ae..6974244 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
+diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.if
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain	2011-10-11 10:15:28.482129102 -0400
++++ serefpolicy-3.10.0/policy/modules/system/userdomain.if	2011-10-11 10:15:28.506129056 -0400
 @@ -35,21 +35,14 @@ template(`userdom_base_user_template',`
  	type $1_t, userdomain, $1_usertype;
  	domain_type($1_t)
@@ -611,7 +603,7 @@ index e7a65ae..6974244 100644
  ')
  
  #######################################
-@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',
  ##	Role allowed access.
  ##	</summary>
  ## </param>
@@ -633,7 +625,7 @@ index e7a65ae..6974244 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',
  ## </param>
  ## <rolecap/>
  #
@@ -671,7 +663,7 @@ index e7a65ae..6974244 100644
  ')
  
  #######################################
-@@ -578,260 +503,31 @@ template(`userdom_change_password_template',`
+@@ -578,260 +503,31 @@ template(`userdom_change_password_templa
  template(`userdom_common_user_template',`
  	gen_require(`
  		attribute unpriv_userdomain;
@@ -690,11 +682,9 @@ index e7a65ae..6974244 100644
 -	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 -	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
 -	allow $1_t self:socket create_socket_perms;
-+	typeattribute $1_t common_userdomain;
- 
+-
 -	allow $1_usertype unpriv_userdomain:fd use;
-+	userdom_basic_networking(common_userdomain)
- 
+-
 -	kernel_read_system_state($1_usertype)
 -	kernel_read_network_state($1_usertype)
 -	kernel_read_software_raid_state($1_usertype)
@@ -746,11 +736,13 @@ index e7a65ae..6974244 100644
 -
 -	# for eject
 -	storage_getattr_fixed_disk_dev($1_usertype)
--
++	typeattribute $1_t common_userdomain;
+ 
 -	auth_read_login_records($1_usertype)
 -	auth_run_pam($1_t,$1_r)
 -	auth_run_utempter($1_t,$1_r)
--
++	userdom_basic_networking(common_userdomain)
+ 
 -	init_read_utmp($1_usertype)
 -
 -	seutil_read_file_contexts($1_usertype)
@@ -775,21 +767,16 @@ index e7a65ae..6974244 100644
 -		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_usertype)
 -	')
-+	auth_run_pam(common_userdomain,$1_r)
-+	auth_run_utempter(common_userdomain,$1_r)
-+	seutil_run_newrole(common_userdomain,$1_r)
- 
- 	optional_policy(`
+-
+-	optional_policy(`
 -		canna_stream_connect($1_usertype)
-+		chrome_role($1_r, common_userdomain)
- 	')
- 
- 	optional_policy(`
+-	')
+-
+-	optional_policy(`
 -		chrome_role($1_r, $1_usertype)
-+		git_session_role($1_r, common_userdomain)
- 	')
- 
- 	optional_policy(`
+-	')
+-
+-	optional_policy(`
 -		colord_read_lib_files($1_usertype)
 -	')
 -
@@ -850,10 +837,9 @@ index e7a65ae..6974244 100644
 -		optional_policy(`
 -			vpn_dbus_chat($1_usertype)
 -		')
-+		nsplugin_role($1_r, common_userdomain)
- 	')
- 
- 	optional_policy(`
+-	')
+-
+-	optional_policy(`
 -		git_session_role($1_r, $1_usertype)
 -	')
 -
@@ -922,27 +908,33 @@ index e7a65ae..6974244 100644
 -	optional_policy(`
 -		resmgr_stream_connect($1_usertype)
 -	')
--
--	optional_policy(`
++	auth_run_pam(common_userdomain,$1_r)
++	auth_run_utempter(common_userdomain,$1_r)
++	seutil_run_newrole(common_userdomain,$1_r)
+ 
+ 	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_usertype)
 -		rpc_manage_nfs_rw_content($1_usertype)
--	')
--
--	optional_policy(`
++		chrome_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
 -		rpcbind_stream_connect($1_usertype)
--	')
--
--	optional_policy(`
++		git_session_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
 -		samba_stream_connect_winbind($1_usertype)
--	')
--
--	optional_policy(`
++		nsplugin_role($1_r, common_userdomain)
+ 	')
+ 
+ 	optional_policy(`
 -		sandbox_transition($1_usertype, $1_r)
 +		sandbox_transition(common_userdomain, $1_r)
  	')
  
  	optional_policy(`
-@@ -839,11 +535,7 @@ template(`userdom_common_user_template',`
+@@ -839,11 +535,7 @@ template(`userdom_common_user_template',
  	')
  
  	optional_policy(`
@@ -955,7 +947,7 @@ index e7a65ae..6974244 100644
  	')
  ')
  
-@@ -872,10 +564,9 @@ template(`userdom_login_user_template', `
+@@ -872,10 +564,9 @@ template(`userdom_login_user_template',
  
  	userdom_base_user_template($1)
  
@@ -969,7 +961,7 @@ index e7a65ae..6974244 100644
  
  	ifelse(`$1',`unconfined',`',`
  		gen_tunable(allow_$1_exec_content, true)
-@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_template',`
+@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_templa
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -979,7 +971,7 @@ index e7a65ae..6974244 100644
  	##############################
  	#
  	# Local policy
-@@ -3918,6 +3606,10 @@ template(`userdom_unpriv_usertype',`
+@@ -3929,6 +3617,10 @@ template(`userdom_unpriv_usertype',`
  	
  	auth_use_nsswitch($2)
  	ubac_constrained($2)
@@ -990,10 +982,9 @@ index e7a65ae..6974244 100644
  ')
  
  ########################################
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 04d748b..c636356 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
+diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.te
+--- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain	2011-10-11 10:15:28.427129208 -0400
++++ serefpolicy-3.10.0/policy/modules/system/userdomain.te	2011-10-11 10:15:28.507129054 -0400
 @@ -69,6 +69,8 @@ attribute userdomain;
  
  # unprivileged user domains

