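diff -up serefpolicy-3.10.0/policy/global_tunables.ptrace serefpolicy-3.10.0/policy/global_tunables
--- serefpolicy-3.10.0/policy/global_tunables.ptrace	2011-10-14 09:46:28.474535144 -0400
+++ serefpolicy-3.10.0/policy/global_tunables	2011-10-14 09:46:29.088523377 -0400
@@ -6,6 +6,13 @@
 
 ## <desc>
 ## 
+## Allow sysadm to debug or ptrace all processes.
+## 
+## </desc>
+gen_tunable(deny_ptrace, false)
+
+## <desc>
+## 
 ## Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
 ## 
 ## </desc>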
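Review bot: The description attached to the new deny_ptrace tunable is inverted relative to its name — it still reads `## Allow sysadm to debug or ptrace all processes.`, which is the text carried over from the old allow_ptrace boolean, so tooling that prints boolean descriptions will tell an administrator that enabling deny_ptrace allows ptrace. Every tunable_policy caller in this patch grants ptrace only in the else branch, so enabling the boolean removes the permission. I would change the line to `## Deny any process from ptracing or debugging any other process.` and, because the default of false leaves ptrace permitted, state that default in the description as well.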
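diff -up serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kdump.if
--- serefpolicy-3.10.0/policy/modules/admin/kdump.if.ptrace	2011-10-14 09:46:28.489534857 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kdump.if	2011-10-14 09:46:29.089523358 -0400
@@ -140,8 +140,11 @@ interface(`kdump_admin',`
 		type kdump_initrc_exec_t;
 	')
 
-	allow $1 kdump_t:process { ptrace signal_perms };
+	allow $1 kdump_t:process signal_perms;
 	ps_process_pattern($1, kdump_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kdump_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
 	domain_system_change_exemption($1)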
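Review bot: The new tunable_policy block has an empty first branch and carries the ptrace allow in the else branch, which reads like a no-op to anyone skimming the interface; a one-line comment above it would make the intent explicit, e.g. `# ptrace is granted only while the deny_ptrace boolean is off`. The same empty-branch shape appears in kismet.if, shorewall.if, livecd.te, domain.te and kernel.te and would benefit from the same comment. The kdump_admin interface body begins and ends outside the hunk.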
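diff -up serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace serefpolicy-3.10.0/policy/modules/admin/kismet.if
--- serefpolicy-3.10.0/policy/modules/admin/kismet.if.ptrace	2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kismet.if	2011-10-14 09:46:29.090523338 -0400
@@ -239,7 +239,10 @@ interface(`kismet_admin',`
 	')
 
 	ps_process_pattern($1, kismet_t)
-	allow $1 kismet_t:process { ptrace signal_perms };
+	allow $1 kismet_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kismet_t:process ptrace;
+	')
 
 	kismet_manage_pid_files($1)
 	kismet_manage_lib($1)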
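diff -up serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace serefpolicy-3.10.0/policy/modules/admin/kudzu.te
--- serefpolicy-3.10.0/policy/modules/admin/kudzu.te.ptrace	2011-10-14 09:46:28.491534818 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/kudzu.te	2011-10-14 09:46:29.090523338 -0400
@@ -20,7 +20,7 @@ files_pid_file(kudzu_var_run_t)
 # Local policy
 #
 
-allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
+allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
 dontaudit kudzu_t self:capability sys_tty_config;
 allow kudzu_t self:process { signal_perms execmem };
 allow kudzu_t self:fifo_file rw_fifo_file_perms;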
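diff -up serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace serefpolicy-3.10.0/policy/modules/admin/logrotate.te
--- serefpolicy-3.10.0/policy/modules/admin/logrotate.te.ptrace	2011-10-14 09:46:28.492534798 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/logrotate.te	2011-10-14 09:46:29.091523318 -0400
@@ -30,8 +30,6 @@ files_type(logrotate_var_lib_t)
 
 # Change ownership on log files.
 allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-# for mailx
-dontaudit logrotate_t self:capability { sys_ptrace };
 
 allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 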
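diff -up serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace serefpolicy-3.10.0/policy/modules/admin/ncftool.te
--- serefpolicy-3.10.0/policy/modules/admin/ncftool.te.ptrace	2011-10-14 09:46:28.496534722 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/ncftool.te	2011-10-14 09:46:29.091523318 -0400
@@ -17,8 +17,7 @@ role system_r types ncftool_t;
 # ncftool local policy
 #
 
-allow ncftool_t self:capability { net_admin sys_ptrace };
-
+allow ncftool_t self:capability net_admin;
 allow ncftool_t self:process signal;
 
 allow ncftool_t self:fifo_file manage_fifo_file_perms;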
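diff -up serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/rpm.te
--- serefpolicy-3.10.0/policy/modules/admin/rpm.te.ptrace	2011-10-14 09:46:29.029524505 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/rpm.te	2011-10-14 09:46:29.092523299 -0400
@@ -248,7 +248,8 @@ optional_policy(`
 # rpm-script Local policy
 #
 
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+
 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
 allow rpm_script_t self:fd use;
 allow rpm_script_t self:fifo_file rw_fifo_file_perms;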
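diff -up serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sectoolm.te
--- serefpolicy-3.10.0/policy/modules/admin/sectoolm.te.ptrace	2011-10-14 09:46:28.510534454 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/sectoolm.te	2011-10-14 09:46:29.093523281 -0400
@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
 # sectool local policy
 #
 
-allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:capability { dac_override net_admin sys_nice };
 allow sectoolm_t self:process { getcap getsched	signull setsched };
 dontaudit sectoolm_t self:process { execstack execmem };
 allow sectoolm_t self:fifo_file rw_fifo_file_perms;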
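diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.if
--- serefpolicy-3.10.0/policy/modules/admin/shorewall.if.ptrace	2011-10-14 09:46:28.511534435 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.if	2011-10-14 09:46:29.093523281 -0400
@@ -139,8 +139,11 @@ interface(`shorewall_admin',`
 		type shorewall_tmp_t, shorewall_etc_t;
 	')
 
-	allow $1 shorewall_t:process { ptrace signal_perms };
+	allow $1 shorewall_t:process signal_perms;
 	ps_process_pattern($1, shorewall_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 shorewall_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
 	domain_system_change_exemption($1)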
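diff -up serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace serefpolicy-3.10.0/policy/modules/admin/shorewall.te
--- serefpolicy-3.10.0/policy/modules/admin/shorewall.te.ptrace	2011-10-14 09:46:28.511534435 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/shorewall.te	2011-10-14 09:46:29.094523262 -0400
@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
 # shorewall local policy
 #
 
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice };
 dontaudit shorewall_t self:capability sys_tty_config;
 allow shorewall_t self:fifo_file rw_fifo_file_perms;
 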
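diff -up serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace serefpolicy-3.10.0/policy/modules/admin/sosreport.te
--- serefpolicy-3.10.0/policy/modules/admin/sosreport.te.ptrace	2011-10-14 09:46:28.514534377 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/sosreport.te	2011-10-14 09:46:29.095523243 -0400
@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
 # sosreport local policy
 #
 
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
 allow sosreport_t self:process { setsched signull };
 allow sosreport_t self:fifo_file rw_fifo_file_perms;
 allow sosreport_t self:tcp_socket create_stream_socket_perms;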
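diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace serefpolicy-3.10.0/policy/modules/admin/usermanage.te
--- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.ptrace	2011-10-14 09:46:29.055524007 -0400
+++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te	2011-10-14 09:46:29.095523243 -0400
@@ -435,7 +435,8 @@ optional_policy(`
 # Useradd local policy
 #
 
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+
 dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;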
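diff -up serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace serefpolicy-3.10.0/policy/modules/apps/chrome.te
--- serefpolicy-3.10.0/policy/modules/apps/chrome.te.ptrace	2011-10-14 09:46:28.528534108 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/chrome.te	2011-10-14 09:46:29.096523224 -0400
@@ -21,7 +21,7 @@ ubac_constrained(chrome_sandbox_tmpfs_t)
 #
 # chrome_sandbox local policy
 #
-allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
 allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 allow chrome_sandbox_t self:process setsched;
 allow chrome_sandbox_t self:fifo_file manage_file_perms;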
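diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace serefpolicy-3.10.0/policy/modules/apps/execmem.if
--- serefpolicy-3.10.0/policy/modules/apps/execmem.if.ptrace	2011-10-14 09:46:29.056523988 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/execmem.if	2011-10-14 09:46:29.097523205 -0400
@@ -59,7 +59,7 @@ template(`execmem_role_template',`
 	userdom_unpriv_usertype($1, $1_execmem_t)
 
 	allow $1_execmem_t self:process { execmem execstack };
-	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
+	allow $3 $1_execmem_t:process { getattr noatsecure signal_perms };
 	domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
 
 	files_execmod_tmp($1_execmem_t)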
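Review bot: ptrace is dropped unconditionally from the `$3` → `$1_execmem_t` allow here, whereas the admin interfaces in this same patch (kdump_admin, kismet_admin, shorewall_admin) keep it behind the deny_ptrace tunable, so a confined user domain can no longer attach a debugger to its own execmem helper even with the boolean left off. The same unconditional removal appears in java.if, mono.if, wine.if, openoffice.if, nsplugin.if, irc.if, gnome.if, mozilla.if and uml.if. If the asymmetry is deliberate — user role domains should never ptrace their helper domains — a comment above the allow stating that would stop the next maintainer from re-adding the permission; if it is not, the tunable_policy form used in kdump.if belongs here as well. The template body continues outside the hunk.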
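diff -up serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace serefpolicy-3.10.0/policy/modules/apps/gnome.if
--- serefpolicy-3.10.0/policy/modules/apps/gnome.if.ptrace	2011-10-14 09:46:28.534533994 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/gnome.if	2011-10-14 09:46:29.098523186 -0400
@@ -91,8 +91,7 @@ interface(`gnome_role_gkeyringd',`
 	auth_use_nsswitch($1_gkeyringd_t)
 
 	ps_process_pattern($3, $1_gkeyringd_t)
-	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
-
+	allow $3 $1_gkeyringd_t:process signal_perms;
 	dontaudit $3 gkeyringd_exec_t:file entrypoint;
 
 	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)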
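diff -up serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace serefpolicy-3.10.0/policy/modules/apps/irc.if
--- serefpolicy-3.10.0/policy/modules/apps/irc.if.ptrace	2011-10-14 09:46:28.538533917 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/irc.if	2011-10-14 09:46:29.099523167 -0400
@@ -33,7 +33,7 @@ interface(`irc_role',`
 
 	domtrans_pattern($2, irssi_exec_t, irssi_t)
 
-	allow $2 irssi_t:process { ptrace signal_perms };
+	allow $2 irssi_t:process signal_perms;
 	ps_process_pattern($2, irssi_t)
 
 	manage_dirs_pattern($2, irssi_home_t, irssi_home_t)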
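diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace serefpolicy-3.10.0/policy/modules/apps/java.if
--- serefpolicy-3.10.0/policy/modules/apps/java.if.ptrace	2011-10-14 09:46:29.056523988 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/java.if	2011-10-14 09:46:29.099523167 -0400
@@ -76,11 +76,11 @@ template(`java_role_template',`
 	userdom_manage_tmpfs_role($2)
 	userdom_manage_tmpfs($1_java_t)
 
-	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+	allow $1_java_t self:process { signal getsched execmem execstack };
 
 	dontaudit $1_java_t $3:tcp_socket { read write };
 
-	allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
+	allow $3 $1_java_t:process { getattr noatsecure signal_perms };
 
 	domtrans_pattern($3, java_exec_t, $1_java_t)
 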
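diff -up serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace serefpolicy-3.10.0/policy/modules/apps/kde.te
--- serefpolicy-3.10.0/policy/modules/apps/kde.te.ptrace	2011-10-14 09:46:28.542533840 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/kde.te	2011-10-14 09:46:29.100523148 -0400
@@ -13,9 +13,6 @@ dbus_system_domain(kdebacklighthelper_t,
 #
 # backlighthelper local policy
 #
-
-dontaudit kdebacklighthelper_t self:capability sys_ptrace;
-
 allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
 
 kernel_read_system_state(kdebacklighthelper_t)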
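diff -up serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace serefpolicy-3.10.0/policy/modules/apps/livecd.te
--- serefpolicy-3.10.0/policy/modules/apps/livecd.te.ptrace	2011-10-14 09:46:28.543533821 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/livecd.te	2011-10-14 09:46:29.100523148 -0400
@@ -20,7 +20,10 @@ files_tmp_file(livecd_tmp_t)
 
 dontaudit livecd_t self:capability2 mac_admin;
 
-domain_ptrace_all_domains(livecd_t)
+tunable_policy(`deny_ptrace',`',`
+	domain_ptrace_all_domains(livecd_t)
+')
+
 domain_interactive_fd(livecd_t)
 
 manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)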
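diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.if
--- serefpolicy-3.10.0/policy/modules/apps/mono.if.ptrace	2011-10-14 09:46:29.057523969 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.if	2011-10-14 09:46:29.101523129 -0400
@@ -40,8 +40,8 @@ template(`mono_role_template',`
 	domain_interactive_fd($1_mono_t)
 	application_type($1_mono_t)
 
-	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
-	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
+	allow $1_mono_t self:process { signal getsched execheap execmem execstack };
+	allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
 
 	domtrans_pattern($3, mono_exec_t, $1_mono_t)
 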
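diff -up serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mono.te
--- serefpolicy-3.10.0/policy/modules/apps/mono.te.ptrace	2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mono.te	2011-10-14 09:46:29.101523129 -0400
@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
 # Local policy
 #
 
-allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
+allow mono_t self:process { signal getsched execheap execmem execstack };
 
 init_dbus_chat_script(mono_t)
 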
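diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.if
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.ptrace	2011-10-14 09:46:29.058523950 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if	2011-10-14 09:46:29.102523109 -0400
@@ -221,7 +221,7 @@ interface(`mozilla_domtrans_plugin',`
 	allow mozilla_plugin_t $1:sem create_sem_perms;
 
 	ps_process_pattern($1, mozilla_plugin_t)
-	allow $1 mozilla_plugin_t:process { ptrace signal_perms };
+	allow $1 mozilla_plugin_t:process signal_perms;
 ')
 
 ########################################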
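diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace serefpolicy-3.10.0/policy/modules/apps/mozilla.te
--- serefpolicy-3.10.0/policy/modules/apps/mozilla.te.ptrace	2011-10-14 09:46:29.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/mozilla.te	2011-10-14 09:47:46.696136674 -0400
@@ -301,7 +301,7 @@ optional_policy(`
 # mozilla_plugin local policy
 #
 
-dontaudit mozilla_plugin_t self:capability { sys_ptrace sys_nice };
+dontaudit mozilla_plugin_t self:capability sys_nice;
 
 allow mozilla_plugin_t self:process { setsched signal_perms execmem };
 allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;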
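diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.ptrace	2011-10-14 09:46:29.058523950 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if	2011-10-14 09:46:29.104523070 -0400
@@ -93,7 +93,7 @@ ifdef(`hide_broken_symptoms', `
 	dontaudit nsplugin_t $2:shm destroy;
 	allow $2 nsplugin_t:sem rw_sem_perms;
 
-	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
+	allow $2 nsplugin_t:process { getattr signal_perms };
 	allow $2 nsplugin_t:unix_stream_socket connectto;
 
 	# Connect to pulseaudit server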
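diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
--- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.ptrace	2011-10-14 09:46:29.059523931 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te	2011-10-14 09:46:29.105523050 -0400
@@ -54,7 +54,7 @@ application_executable_file(nsplugin_con
 #
 dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
 allow nsplugin_t self:fifo_file rw_file_perms;
-allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms };
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
 
 allow nsplugin_t self:sem create_sem_perms;
 allow nsplugin_t self:shm create_shm_perms;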
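diff -up serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace serefpolicy-3.10.0/policy/modules/apps/openoffice.if
--- serefpolicy-3.10.0/policy/modules/apps/openoffice.if.ptrace	2011-10-14 09:46:28.555533591 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/openoffice.if	2011-10-14 09:46:29.105523050 -0400
@@ -69,7 +69,7 @@ interface(`openoffice_role_template',`
 
 	allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
 
-	allow $3 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
+	allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
 	allow $1_openoffice_t $3:tcp_socket { read write };
 
 	domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)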
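diff -up serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace serefpolicy-3.10.0/policy/modules/apps/podsleuth.te
--- serefpolicy-3.10.0/policy/modules/apps/podsleuth.te.ptrace	2011-10-14 09:46:29.035524391 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/podsleuth.te	2011-10-14 09:46:29.106523031 -0400
@@ -27,7 +27,8 @@ ubac_constrained(podsleuth_tmpfs_t)
 # podsleuth local policy
 #
 allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
 allow podsleuth_t self:fifo_file rw_file_perms;
 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
 allow podsleuth_t self:sem create_sem_perms;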
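diff -up serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.if
--- serefpolicy-3.10.0/policy/modules/apps/uml.if.ptrace	2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/uml.if	2011-10-14 09:46:29.107523012 -0400
@@ -31,9 +31,9 @@ interface(`uml_role',`
 	allow $2 uml_t:unix_dgram_socket sendto;
 	allow uml_t $2:unix_dgram_socket sendto;
 
-	# allow ps, ptrace, signal
+	# allow ps, signal
 	ps_process_pattern($2, uml_t)
-	allow $2 uml_t:process { ptrace signal_perms };
+	allow $2 uml_t:process signal_perms;
 
 	allow $2 uml_ro_t:dir list_dir_perms;
 	read_files_pattern($2, uml_ro_t, uml_ro_t)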
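diff -up serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace serefpolicy-3.10.0/policy/modules/apps/uml.te
--- serefpolicy-3.10.0/policy/modules/apps/uml.te.ptrace	2011-10-14 09:46:28.569533323 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/uml.te	2011-10-14 09:46:29.107523012 -0400
@@ -53,7 +53,7 @@ files_pid_file(uml_switch_var_run_t)
 #
 
 allow uml_t self:fifo_file rw_fifo_file_perms;
-allow uml_t self:process { signal_perms ptrace };
+allow uml_t self:process signal_perms;
 allow uml_t self:unix_stream_socket create_stream_socket_perms;
 allow uml_t self:unix_dgram_socket create_socket_perms;
 # Use the network.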
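diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace serefpolicy-3.10.0/policy/modules/apps/wine.if
--- serefpolicy-3.10.0/policy/modules/apps/wine.if.ptrace	2011-10-14 09:46:29.062523874 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/wine.if	2011-10-14 09:46:29.109522974 -0400
@@ -100,7 +100,7 @@ template(`wine_role_template',`
 	role $2 types $1_wine_t;
 
 	allow $1_wine_t self:process { execmem execstack };
-	allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
+	allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
 	domtrans_pattern($3, wine_exec_t, $1_wine_t)
 	corecmd_bin_domtrans($1_wine_t, $1_t)
 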
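diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/domain.te
--- serefpolicy-3.10.0/policy/modules/kernel/domain.te.ptrace	2011-10-14 09:46:28.592532882 -0400
+++ serefpolicy-3.10.0/policy/modules/kernel/domain.te	2011-10-14 09:48:15.824664136 -0400
@@ -181,7 +181,10 @@ allow unconfined_domain_type domain:fifo
 allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
 
 # Act upon any other process.
-allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
+allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap };
+tunable_policy(`deny_ptrace',`',`
+	allow unconfined_domain_type domain:process ptrace;
+')
 
 # Create/access any System V IPC objects.
 allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -314,3 +317,4 @@ optional_policy(`
 ')
 
 dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+dontaudit domain self:capability sys_ptrace;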
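Review bot: The new `dontaudit domain self:capability sys_ptrace;` in the second hunk silences the CAP_SYS_PTRACE denial for every domain in the policy, not only the three domains whose per-domain dontaudit rules this patch removes (logrotate_t, kdebacklighthelper_t, mozilla_plugin_t). A denied CAP_SYS_PTRACE is one of the few audit signals available that a confined process tried to inspect another process, and once deny_ptrace is enabled this rule hides exactly the attempts the boolean exists to block, so detection on hardened hosts gets worse rather than better. I would keep the dontaudit scoped to the domains known to trigger it in normal operation, or at least place the global rule inside the else branch of the deny_ptrace tunable so it is not in effect when an administrator has opted into the restriction. Either way a comment naming the benign sources (logrotate.te previously said `# for mailx`) should accompany the rule.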
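diff -up serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace serefpolicy-3.10.0/policy/modules/kernel/kernel.te
--- serefpolicy-3.10.0/policy/modules/kernel/kernel.te.ptrace	2011-10-14 09:46:28.603532671 -0400
+++ serefpolicy-3.10.0/policy/modules/kernel/kernel.te	2011-10-14 09:46:29.111522936 -0400
@@ -191,7 +191,11 @@ sid tcp_socket		gen_context(system_u:obj
 # kernel local policy
 #
 
-allow kernel_t self:capability *;
+allow kernel_t self:capability ~{ sys_ptrace };
+tunable_policy(`deny_ptrace',`',`
+	allow kernel_t self:capability sys_ptrace;
+')
+
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
@@ -442,7 +446,7 @@ allow kern_unconfined unlabeled_t:dir_fi
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
-allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
+allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap };
 
 gen_require(`
 	bool secure_mode_insmod;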
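Review bot: In the second hunk ptrace is removed from `kern_unconfined` on `unlabeled_t` processes unconditionally, whereas the parallel rule for `unconfined_domain_type` on `domain` in domain.te re-grants it in the else branch of the deny_ptrace tunable, and the kernel_t capability rule in the first hunk of this same file also gets the tunable re-grant. If the omission is intended, a comment such as `# ptrace of unlabeled processes is not restored by deny_ptrace` would record the decision; if not, the same tunable_policy block belongs after the kern_unconfined line. Without one or the other, the next person reconciling these three rules will presumably treat it as an oversight.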
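diff -up serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/dbadm.te
--- serefpolicy-3.10.0/policy/modules/roles/dbadm.te.ptrace	2011-10-14 09:46:28.612532498 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/dbadm.te	2011-10-14 09:46:29.112522917 -0400
@@ -28,7 +28,7 @@ userdom_base_user_template(dbadm)
 # database admin local policy
 #
 
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+allow dbadm_t self:capability { dac_override dac_read_search };
 
 files_dontaudit_search_all_dirs(dbadm_t)
 files_delete_generic_locks(dbadm_t)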
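diff -up serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/logadm.te
--- serefpolicy-3.10.0/policy/modules/roles/logadm.te.ptrace	2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/logadm.te	2011-10-14 09:46:29.113522898 -0400
@@ -14,6 +14,5 @@ userdom_base_user_template(logadm)
 # logadmin local policy
 #
 
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
-
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
 logging_admin(logadm_t, logadm_r)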
diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/sysadm.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.ptrace	2011-10-14 09:46:29.064523836 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te	2011-10-14 09:46:29.114522879 -0400
Dan Walsh 2a89df
@@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1)
Dan Walsh 2a89df
 # Declarations
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-## <desc>
Dan Walsh 2a89df
-## 

Dan Walsh 2a89df
-## Allow sysadm to debug or ptrace all processes.
Dan Walsh 2a89df
-## 

Dan Walsh 2a89df
-## </desc>
Dan Walsh 2a89df
-gen_tunable(allow_ptrace, false)
Dan Walsh 2a89df
-
Dan Walsh 2a89df
 role sysadm_r;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 userdom_admin_user_template(sysadm)
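Review bot: Replacing the removed `gen_tunable(allow_ptrace, false)` with the `deny_ptrace` check in the next hunk (`tunable_policy(`deny_ptrace',`',` domain_ptrace_all_domains(sysadm_t) ')`) inverts the default exposure: `allow_ptrace` was a default-off opt-in, while the new rule grants sysadm_t ptrace over every domain whenever `deny_ptrace` is off, which, if the new tunable defaults to false, is the stock configuration. That widening runs opposite to the rest of this series and should be stated explicitly in the tunable's `<desc>` and in the changelog; if the `<desc>` text for `deny_ptrace` was carried over from the block removed here (`## Allow sysadm to debug or ptrace all processes.`), it now describes the opposite of what enabling the boolean does. Deployments that persisted `allow_ptrace=on` will also find that boolean no longer exists; whether the package migrates it is outside this hunk.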
Dan Walsh 6554bb
@@ -86,7 +79,7 @@ ifndef(`enable_mls',`
Dan Walsh 6554bb
 	logging_stream_connect_syslog(sysadm_t)
Dan Walsh 6554bb
 ')
Dan Walsh 6554bb
 
Dan Walsh 6554bb
-tunable_policy(`allow_ptrace',`
Dan Walsh 6554bb
+tunable_policy(`deny_ptrace',`',`
Dan Walsh 6554bb
 	domain_ptrace_all_domains(sysadm_t)
Dan Walsh 6554bb
 ')
Dan Walsh 6554bb
 
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace serefpolicy-3.10.0/policy/modules/roles/webadm.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/roles/webadm.te.ptrace	2011-10-14 09:46:28.618532384 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/roles/webadm.te	2011-10-14 09:46:29.115522860 -0400
Dan Walsh 2a89df
@@ -28,7 +28,7 @@ userdom_base_user_template(webadm)
Dan Walsh 2a89df
 # webadmin local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
Dan Walsh 2a89df
+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 files_dontaudit_search_all_dirs(webadm_t)
Dan Walsh 2a89df
 files_manage_generic_locks(webadm_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace serefpolicy-3.10.0/policy/modules/services/abrt.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/abrt.if.ptrace	2011-10-14 09:46:28.620532345 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/abrt.if	2011-10-14 09:46:29.115522860 -0400
Dan Walsh 2a89df
@@ -333,9 +333,13 @@ interface(`abrt_admin',`
Dan Walsh 2a89df
 		type abrt_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 abrt_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 abrt_t:process { signal_perms };
Dan Walsh 2a89df
 	ps_process_pattern($1, abrt_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 abrt_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, abrt_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 abrt_initrc_exec_t system_r;
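Review bot: `allow $1 abrt_t:process { signal_perms };` wraps a single macro in braces, while every other `_admin` hunk in this series writes the bare form; the two expand to the same permission set, but the inconsistent spelling makes a grep for the pattern miss this interface. Suggest `allow $1 abrt_t:process signal_perms;` to match the rest.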
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/accountsd.if.ptrace	2011-10-14 09:46:28.622532306 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/accountsd.if	2011-10-14 09:46:29.116522841 -0400
Dan Walsh 2a89df
@@ -138,8 +138,12 @@ interface(`accountsd_admin',`
Dan Walsh 2a89df
 		type accountsd_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 accountsd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 accountsd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, accountsd_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 acountsd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	accountsd_manage_lib_files($1)
Dan Walsh 2a89df
 ')
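Review bot: `allow $1 acountsd_t:process ptrace;` in the new tunable block misspells the type; it should be `accountsd_t`, matching the `gen_require` and the `signal_perms` rule above it. An undeclared type in an allow rule is a compile error for any module that calls `accountsd_admin`, so as written this interface cannot be used at all rather than merely failing to grant ptrace. The boinc.if hunk (`boic_t` for `boinc_t`) and the cgroup.if hunk (`cglear_t` for `cgclear_t`) carry the same class of typo in their new `tunable_policy` bodies; a build of the full policy with the admin interfaces exercised would catch all three.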
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/accountsd.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/accountsd.te.ptrace	2011-10-14 09:46:28.623532287 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/accountsd.te	2011-10-14 09:46:29.117522822 -0400
Dan Walsh 6554bb
@@ -19,7 +19,7 @@ files_type(accountsd_var_lib_t)
Dan Walsh 2a89df
 # accountsd local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace };
Dan Walsh 2a89df
+allow accountsd_t self:capability { dac_override setuid setgid };
Dan Walsh 2a89df
 allow accountsd_t self:process signal;
Dan Walsh 2a89df
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace serefpolicy-3.10.0/policy/modules/services/afs.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/afs.if.ptrace	2011-10-14 09:46:28.623532287 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/afs.if	2011-10-14 09:46:29.117522822 -0400
Dan Walsh 2a89df
@@ -97,9 +97,13 @@ interface(`afs_admin',`
Dan Walsh 2a89df
 		type afs_t, afs_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 afs_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 afs_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, afs_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 afs_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	# Allow afs_admin to restart the afs service
Dan Walsh 2a89df
 	afs_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace serefpolicy-3.10.0/policy/modules/services/aiccu.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/aiccu.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/aiccu.if	2011-10-14 09:46:29.118522803 -0400
Dan Walsh 2a89df
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
Dan Walsh 2a89df
 		type aiccu_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 aiccu_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 aiccu_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, aiccu_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 aiccu_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	aiccu_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 aiccu_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace serefpolicy-3.10.0/policy/modules/services/aide.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/aide.if.ptrace	2011-10-14 09:46:28.626532230 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/aide.if	2011-10-14 09:46:29.119522783 -0400
Dan Walsh 2a89df
@@ -61,9 +61,13 @@ interface(`aide_admin',`
Dan Walsh 2a89df
 		type aide_t, aide_db_t, aide_log_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 aide_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 aide_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, aide_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 aide_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	files_list_etc($1)
Dan Walsh 2a89df
 	admin_pattern($1, aide_db_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace serefpolicy-3.10.0/policy/modules/services/aisexec.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/aisexec.if.ptrace	2011-10-14 09:46:28.627532211 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/aisexec.if	2011-10-14 09:46:29.119522783 -0400
Dan Walsh 2a89df
@@ -82,9 +82,13 @@ interface(`aisexecd_admin',`
Dan Walsh 2a89df
 		type aisexec_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 aisexec_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 aisexec_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, aisexec_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 aisexec_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 aisexec_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace serefpolicy-3.10.0/policy/modules/services/ajaxterm.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/ajaxterm.if.ptrace	2011-10-14 09:46:28.628532192 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ajaxterm.if	2011-10-14 09:46:29.120522763 -0400
Dan Walsh 2a89df
@@ -76,9 +76,13 @@ interface(`ajaxterm_admin',`
Dan Walsh 2a89df
 		type ajaxterm_t, ajaxterm_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ajaxterm_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ajaxterm_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ajaxterm_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 ajaxterm_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	ajaxterm_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 ajaxterm_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace serefpolicy-3.10.0/policy/modules/services/amavis.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/amavis.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/amavis.if	2011-10-14 09:46:29.121522744 -0400
Dan Walsh 2a89df
@@ -231,9 +231,13 @@ interface(`amavis_admin',`
Dan Walsh 2a89df
 		type amavis_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 amavis_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 amavis_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, amavis_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 amavis_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	amavis_initrc_domtrans($1)
Dan Walsh 2a89df
  	domain_system_change_exemption($1)
Dan Walsh 2a89df
  	role_transition $2 amavis_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace serefpolicy-3.10.0/policy/modules/services/apache.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/apache.if.ptrace	2011-10-14 09:46:29.079523549 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/apache.if	2011-10-14 09:46:29.122522725 -0400
Dan Walsh 6554bb
@@ -1297,9 +1297,13 @@ interface(`apache_admin',`
Dan Walsh 2a89df
 		type httpd_unit_file_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 httpd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 httpd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, httpd_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 httpd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 httpd_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/apcupsd.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/apcupsd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/apcupsd.if	2011-10-14 09:46:29.123522706 -0400
Dan Walsh 2a89df
@@ -146,9 +146,13 @@ interface(`apcupsd_admin',`
Dan Walsh 2a89df
 		type apcupsd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 apcupsd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 apcupsd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, apcupsd_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 apcupsd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 apcupsd_initrc_exec_t system_r;
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace serefpolicy-3.10.0/policy/modules/services/apm.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/apm.te.ptrace	2011-10-14 09:46:28.636532038 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/apm.te	2011-10-14 09:46:29.123522706 -0400
Dan Walsh 6554bb
@@ -60,7 +60,7 @@ logging_send_syslog_msg(apm_t)
Dan Walsh 6554bb
 # mknod: controlling an orderly resume of PCMCIA requires creating device
Dan Walsh 6554bb
 # nodes 254,{0,1,2} for some reason.
Dan Walsh 6554bb
 allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
Dan Walsh 6554bb
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
Dan Walsh 6554bb
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
Dan Walsh 6554bb
 allow apmd_t self:process { signal_perms getsession };
Dan Walsh 6554bb
 allow apmd_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 6554bb
 allow apmd_t self:netlink_socket create_socket_perms;
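Review bot: Dropping `sys_ptrace` from the `dontaudit apmd_t self:capability` line changes logging, not access: the rule never granted anything, so the effect is that whatever capability sys_ptrace check apmd triggers (the dontaudit presumably came from an observed one) now produces an AVC denial in the audit log. Unlike the rest of the series this is not tied to the `deny_ptrace` boolean; if the silence is still wanted when the boolean is off, keep it under `tunable_policy(`deny_ptrace',`',` dontaudit apmd_t self:capability sys_ptrace; ')`. If surfacing the denial is the goal, a short comment on the line saying so would help the next person triaging audit noise.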
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace serefpolicy-3.10.0/policy/modules/services/arpwatch.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/arpwatch.if.ptrace	2011-10-14 09:46:28.636532038 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/arpwatch.if	2011-10-14 09:46:29.124522687 -0400
Dan Walsh 2a89df
@@ -137,9 +137,13 @@ interface(`arpwatch_admin',`
Dan Walsh 2a89df
 		type arpwatch_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 arpwatch_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 arpwatch_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, arpwatch_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 arpwatch_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	arpwatch_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 arpwatch_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace serefpolicy-3.10.0/policy/modules/services/asterisk.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/asterisk.if.ptrace	2011-10-14 09:46:28.638532000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/asterisk.if	2011-10-14 09:46:29.125522668 -0400
Dan Walsh 2a89df
@@ -64,9 +64,13 @@ interface(`asterisk_admin',`
Dan Walsh 2a89df
 		type asterisk_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 asterisk_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 asterisk_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, asterisk_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 asterisk_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 asterisk_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace serefpolicy-3.10.0/policy/modules/services/automount.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/automount.if.ptrace	2011-10-14 09:46:28.640531962 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/automount.if	2011-10-14 09:46:29.125522668 -0400
Dan Walsh 2a89df
@@ -150,9 +150,13 @@ interface(`automount_admin',`
Dan Walsh 2a89df
 		type automount_var_run_t, automount_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 automount_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 automount_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, automount_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 automount_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, automount_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 automount_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace serefpolicy-3.10.0/policy/modules/services/avahi.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/avahi.if.ptrace	2011-10-14 09:46:28.641531943 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/avahi.if	2011-10-14 09:46:29.126522649 -0400
Dan Walsh 2a89df
@@ -154,9 +154,13 @@ interface(`avahi_admin',`
Dan Walsh 2a89df
 		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 avahi_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 avahi_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, avahi_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 avahi_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 avahi_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace serefpolicy-3.10.0/policy/modules/services/bind.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/bind.if.ptrace	2011-10-14 09:46:28.643531904 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/bind.if	2011-10-14 09:46:29.127522630 -0400
Dan Walsh 6554bb
@@ -408,12 +408,20 @@ interface(`bind_admin',`
Dan Walsh 2a89df
 		type dnssec_t, ndc_t, named_keytab_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 named_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 named_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, named_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ndc_t:process { ptrace signal_perms };
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 named_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	allow $1 ndc_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ndc_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 ndc_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	bind_run_ndc($1, $2)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, named_initrc_exec_t)
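Review bot: The two new `tunable_policy(`deny_ptrace',`',` ... ')` blocks for named_t and ndc_t evaluate the same boolean back to back and could be a single block, `allow $1 { named_t ndc_t }:process ptrace;`, which reads more clearly and keeps the conditional count down. The cgroup.if hunk later in this series has three consecutive blocks of the same shape that would collapse the same way.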
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace serefpolicy-3.10.0/policy/modules/services/bitlbee.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/bitlbee.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/bitlbee.if	2011-10-14 09:46:29.127522630 -0400
Dan Walsh 2a89df
@@ -43,9 +43,13 @@ interface(`bitlbee_admin',`
Dan Walsh 2a89df
 		type bitlbee_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 bitlbee_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 bitlbee_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, bitlbee_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 bitlbee_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 bitlbee_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace serefpolicy-3.10.0/policy/modules/services/bluetooth.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/bluetooth.if.ptrace	2011-10-14 09:46:28.645531865 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/bluetooth.if	2011-10-14 09:46:29.128522611 -0400
Dan Walsh 2a89df
@@ -28,7 +28,11 @@ interface(`bluetooth_role',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# allow ps to show cdrecord and allow the user to kill it
Dan Walsh 2a89df
 	ps_process_pattern($2, bluetooth_helper_t)
Dan Walsh 2a89df
-	allow $2 bluetooth_helper_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 bluetooth_helper_t:process signal_perms;
Dan Walsh 2a89df
+
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $2 bluetooth_helper_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
Dan Walsh 2a89df
 	manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t)
Dan Walsh 2a89df
@@ -220,9 +224,13 @@ interface(`bluetooth_admin',`
Dan Walsh 2a89df
 		type bluetooth_conf_t, bluetooth_conf_rw_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 bluetooth_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 bluetooth_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, bluetooth_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 bluetooth_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 bluetooth_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/boinc.if.ptrace	2011-10-14 09:46:28.648531808 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/boinc.if	2011-10-14 09:46:29.129522592 -0400
Dan Walsh 2a89df
@@ -137,9 +137,13 @@ interface(`boinc_admin',`
Dan Walsh 2a89df
 		type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 boinc_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 boinc_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, boinc_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 boic_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	boinc_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 boinc_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace serefpolicy-3.10.0/policy/modules/services/boinc.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/boinc.te.ptrace	2011-10-14 09:46:29.039524313 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/boinc.te	2011-10-14 09:46:29.130522573 -0400
Dan Walsh 2a89df
@@ -121,9 +121,13 @@ mta_send_mail(boinc_t)
Dan Walsh 2a89df
 domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
Dan Walsh 2a89df
 allow boinc_t boinc_project_t:process sigkill;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
Dan Walsh 2a89df
+allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop };
Dan Walsh 2a89df
 allow boinc_project_t self:process { execmem execstack };
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+	allow boinc_project_t self:process ptrace;
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 allow boinc_project_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 allow boinc_project_t self:sem create_sem_perms;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace serefpolicy-3.10.0/policy/modules/services/bugzilla.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/bugzilla.if.ptrace	2011-10-14 09:46:28.649531789 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/bugzilla.if	2011-10-14 09:46:29.130522573 -0400
Dan Walsh 2a89df
@@ -62,9 +62,13 @@ interface(`bugzilla_admin',`
Dan Walsh 2a89df
         type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
Dan Walsh 2a89df
     ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 httpd_bugzilla_script_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, httpd_bugzilla_script_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 httpd_bugzilla_script_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	files_list_tmp($1)
Dan Walsh 2a89df
 	admin_pattern($1, httpd_bugzilla_tmp_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace serefpolicy-3.10.0/policy/modules/services/callweaver.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/callweaver.if.ptrace	2011-10-14 09:46:28.652531732 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/callweaver.if	2011-10-14 09:46:29.131522554 -0400
Dan Walsh 2a89df
@@ -336,9 +336,13 @@ interface(`callweaver_admin',`
Dan Walsh 2a89df
 		type callweaver_spool_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 callweaver_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 callweaver_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, callweaver_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 callweaver_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	callweaver_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 callweaver_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace serefpolicy-3.10.0/policy/modules/services/canna.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/canna.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/canna.if	2011-10-14 09:46:29.132522535 -0400
Dan Walsh 2a89df
@@ -42,9 +42,13 @@ interface(`canna_admin',`
Dan Walsh 2a89df
 		type canna_var_run_t, canna_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 canna_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 canna_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, canna_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 canna_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, canna_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 canna_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmaster.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/certmaster.if.ptrace	2011-10-14 09:46:28.656531654 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/certmaster.if	2011-10-14 09:46:29.132522535 -0400
Dan Walsh 2a89df
@@ -119,9 +119,13 @@ interface(`certmaster_admin',`
Dan Walsh 2a89df
 		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 certmaster_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 certmaster_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, certmaster_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 certmaster_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 certmaster_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace serefpolicy-3.10.0/policy/modules/services/certmonger.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/certmonger.if.ptrace	2011-10-14 09:46:28.657531635 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/certmonger.if	2011-10-14 09:46:29.133522515 -0400
Dan Walsh 2a89df
@@ -158,7 +158,11 @@ interface(`certmonger_admin',`
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	ps_process_pattern($1, certmonger_t)
Dan Walsh 2a89df
-	allow $1 certmonger_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 certmonger_t:process signal_perms;
Dan Walsh 2a89df
+
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 certmonger_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# Allow certmonger_t to restart the apache service
Dan Walsh 2a89df
 	certmonger_initrc_domtrans($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cgroup.if.ptrace	2011-10-14 09:46:28.660531578 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cgroup.if	2011-10-14 09:46:29.134522495 -0400
Dan Walsh 2a89df
@@ -171,15 +171,27 @@ interface(`cgroup_admin',`
Dan Walsh 2a89df
 		type cgrules_etc_t, cgclear_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 cgclear_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 cgclear_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, cgclear_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 cgconfig_t:process { ptrace signal_perms };
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 cglear_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	allow $1 cgconfig_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, cgconfig_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 cgred_t:process { ptrace signal_perms };
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 cgconfig_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	allow $1 cgred_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, cgred_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 cgred_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	admin_pattern($1, cgconfig_etc_t)
Dan Walsh 2a89df
 	admin_pattern($1, cgrules_etc_t)
Dan Walsh 2a89df
 	files_list_etc($1)
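Review bot: `cglear_t` in the first added tunable_policy block is a typo for `cgclear_t`; the type is not the one declared in the interface's gen_require (which lists `cgclear_t`), so the module either fails to build or, if it built, the gated ptrace grant for cgclear would silently never apply. Change the line to `allow $1 cgclear_t:process ptrace;`. The cmirrord.if hunk has the same kind of typo, where `cmorrord_t` should read `cmirrord_t` to match its gen_require. cgroup_admin's gen_require block starts outside the hunk.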
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace serefpolicy-3.10.0/policy/modules/services/cgroup.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cgroup.te.ptrace	2011-10-14 09:46:28.660531578 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cgroup.te	2011-10-14 09:46:29.134522495 -0400
Dan Walsh 6554bb
@@ -76,7 +76,8 @@ fs_unmount_cgroup(cgconfig_t)
Dan Walsh 2a89df
 # cgred personal policy.
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
Dan Walsh 2a89df
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override };
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 allow cgred_t self:netlink_socket { write bind create read };
Dan Walsh 2a89df
 allow cgred_t self:unix_dgram_socket { write create connect };
Dan Walsh 2a89df
 
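Review bot: `sys_ptrace` is dropped from cgred_t's capability set unconditionally, whereas the `process ptrace` permissions elsewhere in this patch stay reachable when `deny_ptrace` is off; the consolekit.te, corosync.te, ctdbd.te and devicekit.te hunks make the same unconditional removal. CAP_SYS_PTRACE also governs access such as reading another uid's /proc/PID entries, so if any of these daemons relied on it the result is a new denial the boolean cannot re-enable. If the removal is deliberate, a one-line comment would help the next reader, e.g. `# sys_ptrace intentionally dropped; not gated by deny_ptrace`; otherwise wrap the capability in the same tunable_policy pattern used for the process permissions.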
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/chronyd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/chronyd.if.ptrace	2011-10-14 09:46:28.661531559 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/chronyd.if	2011-10-14 09:46:29.135522476 -0400
Dan Walsh 6554bb
@@ -217,9 +217,13 @@ interface(`chronyd_admin',`
Dan Walsh 2a89df
 		type chronyd_keys_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 chronyd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 chronyd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, chronyd_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 chronyd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 chronyd_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace serefpolicy-3.10.0/policy/modules/services/clamav.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/clamav.if.ptrace	2011-10-14 09:46:28.664531502 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/clamav.if	2011-10-14 09:46:29.135522476 -0400
Dan Walsh 2a89df
@@ -176,13 +176,19 @@ interface(`clamav_admin',`
Dan Walsh 2a89df
 		type freshclam_t, freshclam_var_log_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 clamd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 clamd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, clamd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 clamscan_t:process { ptrace signal_perms };
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 clamd_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 clamscan_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 freshclam_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+	allow $1 clamscan_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, clamscan_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 freshclam_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 freshclam_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, freshclam_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace serefpolicy-3.10.0/policy/modules/services/cmirrord.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cmirrord.if.ptrace	2011-10-14 09:46:28.668531424 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cmirrord.if	2011-10-14 09:46:29.136522457 -0400
Dan Walsh 2a89df
@@ -101,9 +101,13 @@ interface(`cmirrord_admin',`
Dan Walsh 2a89df
 		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 cmirrord_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 cmirrord_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, cmirrord_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 cmorrord_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	cmirrord_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 cmirrord_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cobbler.if.ptrace	2011-10-14 09:46:28.669531405 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cobbler.if	2011-10-14 09:46:29.137522438 -0400
Dan Walsh 2a89df
@@ -189,9 +189,13 @@ interface(`cobblerd_admin',`
Dan Walsh 2a89df
 		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 cobblerd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 cobblerd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, cobblerd_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 cobblerd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	files_list_etc($1)
Dan Walsh 2a89df
 	admin_pattern($1, cobbler_etc_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace serefpolicy-3.10.0/policy/modules/services/cobbler.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cobbler.te.ptrace	2011-10-14 09:46:28.670531386 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cobbler.te	2011-10-14 09:46:29.138522419 -0400
Dan Walsh 6554bb
@@ -60,7 +60,7 @@ files_tmp_file(cobbler_tmp_t)
Dan Walsh 6554bb
 #
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
Dan Walsh 6554bb
-dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
Dan Walsh 6554bb
+dontaudit cobblerd_t self:capability sys_tty_config;
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 allow cobblerd_t self:process { getsched setsched signal };
Dan Walsh 6554bb
 allow cobblerd_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace serefpolicy-3.10.0/policy/modules/services/collectd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/collectd.if.ptrace	2011-10-14 09:46:28.671531367 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/collectd.if	2011-10-14 09:46:29.139522400 -0400
Dan Walsh 2a89df
@@ -142,9 +142,13 @@ interface(`collectd_admin',`
Dan Walsh 2a89df
 	type collectd_var_lib_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 collectd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 collectd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, collectd_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 collectd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	collectd_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 collectd_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/consolekit.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/consolekit.te.ptrace	2011-10-14 09:46:28.673531329 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/consolekit.te	2011-10-14 09:46:29.140522381 -0400
Dan Walsh 6554bb
@@ -23,7 +23,8 @@ files_tmpfs_file(consolekit_tmpfs_t)
Dan Walsh 2a89df
 # consolekit local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
Dan Walsh 2a89df
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 allow consolekit_t self:process { getsched signal };
Dan Walsh 2a89df
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
Dan Walsh 6554bb
@@ -144,6 +145,8 @@ optional_policy(`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 optional_policy(`
Dan Walsh 2a89df
 	#reading .Xauthity
Dan Walsh 2a89df
-	unconfined_ptrace(consolekit_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		unconfined_ptrace(consolekit_t)
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 	unconfined_stream_connect(consolekit_t)
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/corosync.if.ptrace	2011-10-14 09:46:28.674531310 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/corosync.if	2011-10-14 09:46:29.141522362 -0400
Dan Walsh 2a89df
@@ -101,9 +101,13 @@ interface(`corosyncd_admin',`
Dan Walsh 2a89df
 		type corosync_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 corosync_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 corosync_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, corosync_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 corosync_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, corosync_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 corosync_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace serefpolicy-3.10.0/policy/modules/services/corosync.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/corosync.te.ptrace	2011-10-14 09:46:28.675531291 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/corosync.te	2011-10-14 09:46:29.142522343 -0400
Dan Walsh e29441
@@ -33,7 +33,7 @@ files_pid_file(corosync_var_run_t)
Dan Walsh 2a89df
 # corosync local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow corosync_t self:capability { dac_override setuid sys_nice sys_ptrace sys_resource ipc_lock };
Dan Walsh 2a89df
+allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock };
Dan Walsh 2a89df
 allow corosync_t self:process { setpgid setrlimit setsched signal signull };
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 allow corosync_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace serefpolicy-3.10.0/policy/modules/services/cron.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cron.if.ptrace	2011-10-14 09:46:28.679531213 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cron.if	2011-10-14 09:46:29.143522324 -0400
Dan Walsh 2a89df
@@ -140,7 +140,11 @@ interface(`cron_role',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# crontab shows up in user ps
Dan Walsh 2a89df
 	ps_process_pattern($2, crontab_t)
Dan Walsh 2a89df
-	allow $2 crontab_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 crontab_t:process signal_perms;
Dan Walsh 2a89df
+
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $2 crontab_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# Run helper programs as the user domain
Dan Walsh 2a89df
 	#corecmd_bin_domtrans(crontab_t, $2)
Dan Walsh 2a89df
@@ -183,7 +187,10 @@ interface(`cron_unconfined_role',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# cronjob shows up in user ps
Dan Walsh 2a89df
 	ps_process_pattern($2, unconfined_cronjob_t)
Dan Walsh 2a89df
-	allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 unconfined_cronjob_t:process signal_perms;
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $2 unconfined_cronjob_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	optional_policy(`
Dan Walsh 2a89df
 		gen_require(`
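Review bot: Style: the added tunable_policy block follows the `signal_perms` rule with no separating blank line, while the cron_role hunk above and the certmaster and chronyd hunks insert one before the block and another after it; the cron_admin_role, ctdbd.if, devicekit.if, dhcp.if, dictd.if, dnsmasq.if, dovecot.if, drbd.if, dspam.if and exim.if hunks show the same inconsistency. Since this pattern is repeated across dozens of admin interfaces, settling on one layout keeps future greps and follow-up patches uniform. cron_unconfined_role starts outside the hunk.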
Dan Walsh 2a89df
@@ -230,7 +237,10 @@ interface(`cron_admin_role',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# crontab shows up in user ps
Dan Walsh 2a89df
 	ps_process_pattern($2, admin_crontab_t)
Dan Walsh 2a89df
-	allow $2 admin_crontab_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 admin_crontab_t:process signal_perms;
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $2 admin_crontab_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# Run helper programs as the user domain
Dan Walsh 2a89df
 	#corecmd_bin_domtrans(admin_crontab_t, $2)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace serefpolicy-3.10.0/policy/modules/services/cron.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cron.te.ptrace	2011-10-14 09:46:29.040524294 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cron.te	2011-10-14 09:46:29.145522286 -0400
Dan Walsh 6554bb
@@ -350,7 +350,6 @@ optional_policy(`
Dan Walsh 6554bb
 #
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
Dan Walsh 6554bb
-dontaudit system_cronjob_t self:capability sys_ptrace;
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 allow system_cronjob_t self:process { signal_perms getsched setsched };
Dan Walsh 6554bb
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/ctdbd.if.ptrace	2011-10-14 09:46:28.681531175 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.if	2011-10-14 09:46:29.146522267 -0400
Dan Walsh 2a89df
@@ -236,8 +236,11 @@ interface(`ctdbd_admin',`
Dan Walsh 2a89df
 		type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ctdbd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ctdbd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ctdbd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 ctdbd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	ctdbd_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ctdbd.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/ctdbd.te.ptrace	2011-10-14 09:46:28.682531156 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ctdbd.te	2011-10-14 09:46:29.146522267 -0400
Dan Walsh 6554bb
@@ -33,7 +33,7 @@ files_pid_file(ctdbd_var_run_t)
Dan Walsh 2a89df
 # ctdbd local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice sys_ptrace };
Dan Walsh 2a89df
+allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
Dan Walsh 2a89df
 allow ctdbd_t self:process { setpgid signal_perms setsched };
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 allow ctdbd_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace serefpolicy-3.10.0/policy/modules/services/cups.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cups.if.ptrace	2011-10-14 09:46:28.683531137 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cups.if	2011-10-14 09:46:29.147522248 -0400
Dan Walsh 2a89df
@@ -327,9 +327,13 @@ interface(`cups_admin',`
Dan Walsh 2a89df
 		type ptal_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 cupsd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 cupsd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, cupsd_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 cupsd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 cupsd_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace serefpolicy-3.10.0/policy/modules/services/cvs.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/cvs.if.ptrace	2011-10-14 09:46:28.685531099 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cvs.if	2011-10-14 09:46:29.148522228 -0400
Dan Walsh 2a89df
@@ -80,9 +80,13 @@ interface(`cvs_admin',`
Dan Walsh 2a89df
 		type cvs_data_t, cvs_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 cvs_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 cvs_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, cvs_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 cvs_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	# Allow cvs_t to restart the apache service
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace serefpolicy-3.10.0/policy/modules/services/cyrus.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/cyrus.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/cyrus.if	2011-10-14 09:46:29.148522228 -0400
Dan Walsh 2a89df
@@ -62,9 +62,13 @@ interface(`cyrus_admin',`
Dan Walsh 2a89df
 		type cyrus_var_run_t, cyrus_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 cyrus_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 cyrus_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, cyrus_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 cyrus_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 cyrus_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace serefpolicy-3.10.0/policy/modules/services/dbus.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/dbus.if.ptrace	2011-10-14 09:46:28.690531003 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/dbus.if	2011-10-14 09:46:29.149522208 -0400
Dan Walsh 2a89df
@@ -71,7 +71,11 @@ template(`dbus_role_template',`
Dan Walsh 2a89df
 	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	ps_process_pattern($3, $1_dbusd_t)
Dan Walsh 2a89df
-	allow $3 $1_dbusd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $3 $1_dbusd_t:process signal_perms;
Dan Walsh 2a89df
+
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $3 $1_dbusd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# cjp: this seems very broken
Dan Walsh 2a89df
 	corecmd_bin_domtrans($1_dbusd_t, $1_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace serefpolicy-3.10.0/policy/modules/services/ddclient.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/ddclient.if.ptrace	2011-10-14 09:46:28.693530945 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ddclient.if	2011-10-14 09:46:29.150522189 -0400
Dan Walsh 2a89df
@@ -68,9 +68,13 @@ interface(`ddclient_admin',`
Dan Walsh 2a89df
 		type ddclient_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ddclient_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ddclient_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ddclient_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 ddclient_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 ddclient_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace serefpolicy-3.10.0/policy/modules/services/denyhosts.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/denyhosts.if.ptrace	2011-10-14 09:46:28.694530926 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/denyhosts.if	2011-10-14 09:46:29.151522170 -0400
Dan Walsh 2a89df
@@ -67,9 +67,13 @@ interface(`denyhosts_admin',`
Dan Walsh 2a89df
 		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 denyhosts_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 denyhosts_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, denyhosts_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 denyhosts_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 	denyhosts_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
 	role_transition $2 denyhosts_initrc_exec_t system_r;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/devicekit.if.ptrace	2011-10-14 09:46:28.696530888 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/devicekit.if	2011-10-14 09:46:29.151522170 -0400
Dan Walsh 2a89df
@@ -308,13 +308,18 @@ interface(`devicekit_admin',`
Dan Walsh 2a89df
 		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 devicekit_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 devicekit_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, devicekit_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 devicekit_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 devicekit_disk_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 devicekit_power_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 devicekit_disk_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 devicekit_disk_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, devicekit_disk_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 devicekit_power_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 devicekit_power_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, devicekit_power_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	admin_pattern($1, devicekit_tmp_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace serefpolicy-3.10.0/policy/modules/services/devicekit.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/devicekit.te.ptrace	2011-10-14 09:46:28.697530869 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/devicekit.te	2011-10-14 09:46:29.152522151 -0400
Dan Walsh 6554bb
@@ -65,7 +65,8 @@ optional_policy(`
Dan Walsh 2a89df
 # DeviceKit disk local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
Dan Walsh 2a89df
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
Dan Walsh 6554bb
+
Dan Walsh 2a89df
 allow devicekit_disk_t self:process { getsched signal_perms };
Dan Walsh 2a89df
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
Dan Walsh 6554bb
@@ -199,7 +200,7 @@ optional_policy(`
Dan Walsh 2a89df
 # DeviceKit-Power local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
Dan Walsh 2a89df
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
Dan Walsh 2a89df
 allow devicekit_power_t self:process { getsched signal_perms };
Dan Walsh 2a89df
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace serefpolicy-3.10.0/policy/modules/services/dhcp.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/dhcp.if.ptrace	2011-10-14 09:46:28.698530850 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/dhcp.if	2011-10-14 09:46:29.153522132 -0400
Dan Walsh 2a89df
@@ -105,8 +105,11 @@ interface(`dhcpd_admin',`
Dan Walsh 2a89df
 		type dhcpd_var_run_t, dhcpd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 dhcpd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 dhcpd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, dhcpd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 dhcpd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace serefpolicy-3.10.0/policy/modules/services/dictd.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/dictd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/dictd.if	2011-10-14 09:46:29.153522132 -0400
Dan Walsh 2a89df
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
Dan Walsh 2a89df
 		type dictd_var_run_t, dictd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 dictd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 dictd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, dictd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 dictd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace serefpolicy-3.10.0/policy/modules/services/dnsmasq.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/dnsmasq.if.ptrace	2011-10-14 09:46:28.704530734 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/dnsmasq.if	2011-10-14 09:46:29.154522113 -0400
Dan Walsh 6554bb
@@ -281,8 +281,11 @@ interface(`dnsmasq_admin',`
Dan Walsh 2a89df
 		type dnsmasq_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 dnsmasq_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 dnsmasq_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, dnsmasq_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 dnsmasq_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace serefpolicy-3.10.0/policy/modules/services/dovecot.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/dovecot.if.ptrace	2011-10-14 09:46:28.706530696 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/dovecot.if	2011-10-14 09:46:29.155522094 -0400
Dan Walsh 2a89df
@@ -119,8 +119,11 @@ interface(`dovecot_admin',`
Dan Walsh 2a89df
 		type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 dovecot_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 dovecot_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, dovecot_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 dovecot_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace serefpolicy-3.10.0/policy/modules/services/drbd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/drbd.if.ptrace	2011-10-14 09:46:28.709530639 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/drbd.if	2011-10-14 09:46:29.155522094 -0400
Dan Walsh 2a89df
@@ -120,8 +120,11 @@ interface(`drbd_admin',`
Dan Walsh 2a89df
                 type drbd_var_lib_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 drbd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 drbd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, drbd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 drbd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_search_var_lib($1)
Dan Walsh 2a89df
 	admin_pattern($1, drbd_var_lib_t)
Dan Walsh 2a89df
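diff -up serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace serefpolicy-3.10.0/policy/modules/services/dspam.if
--- serefpolicy-3.10.0/policy/modules/services/dspam.if.ptrace	2011-10-14 09:46:28.711530601 -0400
+++ serefpolicy-3.10.0/policy/modules/services/dspam.if	2011-10-14 09:46:29.156522075 -0400
@@ -244,8 +244,11 @@ interface(`dspam_admin',`
 		type dspam_var_run_t;
 	')
 
-	allow $1 dspam_t:process { ptrace signal_perms };
+	allow $1 dspam_t:process signal_perms;
 	ps_process_pattern($1, dspam_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 dspam_t:process ptrace;
+	')
 
 	dspam_initrc_domtrans($1)
 	domain_system_change_exemption($1)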
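diff -up serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace serefpolicy-3.10.0/policy/modules/services/exim.if
--- serefpolicy-3.10.0/policy/modules/services/exim.if.ptrace	2011-10-14 09:46:28.712530582 -0400
+++ serefpolicy-3.10.0/policy/modules/services/exim.if	2011-10-14 09:46:29.157522056 -0400
@@ -260,8 +260,11 @@ interface(`exim_admin',`
 		type exim_tmp_t, exim_spool_t, exim_var_run_t;
 	')
 
-	allow $1 exim_t:process { ptrace signal_perms };
+	allow $1 exim_t:process signal_perms;
 	ps_process_pattern($1, exim_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 exim_t:process ptrace;
+	')
 
 	exim_initrc_domtrans($1)
 	domain_system_change_exemption($1)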
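diff -up serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace serefpolicy-3.10.0/policy/modules/services/fail2ban.if
--- serefpolicy-3.10.0/policy/modules/services/fail2ban.if.ptrace	2011-10-14 09:46:28.714530543 -0400
+++ serefpolicy-3.10.0/policy/modules/services/fail2ban.if	2011-10-14 09:46:29.158522037 -0400
@@ -199,8 +199,11 @@ interface(`fail2ban_admin',`
 		type fail2ban_client_t;
 	')
 
-	allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
+	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
 	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
 	domain_system_change_exemption($1)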
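diff -up serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace serefpolicy-3.10.0/policy/modules/services/fcoemon.if
--- serefpolicy-3.10.0/policy/modules/services/fcoemon.if.ptrace	2011-10-14 09:46:28.716530504 -0400
+++ serefpolicy-3.10.0/policy/modules/services/fcoemon.if	2011-10-14 09:46:29.158522037 -0400
@@ -81,8 +81,11 @@ interface(`fcoemon_admin',`
 	type fcoemon_var_run_t;
 	')
 
-	allow $1 fcoemon_t:process { ptrace signal_perms };
+	allow $1 fcoemon_t:process signal_perms;
 	ps_process_pattern($1, fcoemon_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 fcoemon_t:process ptrace;
+	')
 
 	files_search_pids($1)
 	admin_pattern($1, fcoemon_var_run_t)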
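diff -up serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/fetchmail.if
--- serefpolicy-3.10.0/policy/modules/services/fetchmail.if.ptrace	2011-10-14 09:46:28.717530485 -0400
+++ serefpolicy-3.10.0/policy/modules/services/fetchmail.if	2011-10-14 09:46:29.159522018 -0400
@@ -18,8 +18,11 @@ interface(`fetchmail_admin',`
 		type fetchmail_var_run_t;
 	')
 
-	allow $1 fetchmail_t:process { ptrace signal_perms };
+	allow $1 fetchmail_t:process signal_perms;
 	ps_process_pattern($1, fetchmail_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 fetchmail_t:process ptrace;
+	')
 
 	files_list_etc($1)
 	admin_pattern($1, fetchmail_etc_t)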
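diff -up serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace serefpolicy-3.10.0/policy/modules/services/firewalld.if
--- serefpolicy-3.10.0/policy/modules/services/firewalld.if.ptrace	2011-10-14 09:46:28.719530447 -0400
+++ serefpolicy-3.10.0/policy/modules/services/firewalld.if	2011-10-14 09:46:29.159522018 -0400
@@ -62,8 +62,11 @@ interface(`firewalld_admin',`
 		type firewalld_initrc_exec_t;
 	')
 
-	allow $1 firewalld_t:process { ptrace signal_perms };
+	allow $1 firewalld_t:process signal_perms;
 	ps_process_pattern($1, firewalld_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 firewalld_t:process ptrace;
+	')
 
 	firewalld_initrc_domtrans($1)
 	domain_system_change_exemption($1)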
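diff -up serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace serefpolicy-3.10.0/policy/modules/services/fprintd.te
--- serefpolicy-3.10.0/policy/modules/services/fprintd.te.ptrace	2011-10-14 09:46:28.721530409 -0400
+++ serefpolicy-3.10.0/policy/modules/services/fprintd.te	2011-10-14 09:46:29.160521999 -0400
@@ -17,7 +17,8 @@ files_type(fprintd_var_lib_t)
 # Local policy
 #
 
-allow fprintd_t self:capability { sys_nice sys_ptrace };
+allow fprintd_t self:capability sys_nice;
+
 allow fprintd_t self:fifo_file rw_fifo_file_perms;
 allow fprintd_t self:process { getsched setsched signal };
 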
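Review bot: sys_ptrace is removed from fprintd_t unconditionally rather than being moved under the deny_ptrace tunable as the interface hunks do, so if fprintd genuinely exercised that capability (the kernel also consults CAP_SYS_PTRACE for some /proc/<pid> reads, not only for ptrace(2)) the change will surface as new AVC denials. That is the safer direction, but the commit should say why the capability is no longer needed, and a test run with the audit log watched for a `sys_ptrace` denial on fprintd_t would confirm it. gnomeclock.te, ksmtuned.te and matahari.te drop the same capability in the same unconditional way. The blank line added after the allow is harmless but does not match the surrounding block.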
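diff -up serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ftp.if
--- serefpolicy-3.10.0/policy/modules/services/ftp.if.ptrace	2011-10-14 09:46:28.722530390 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ftp.if	2011-10-14 09:46:29.161521980 -0400
@@ -237,8 +237,11 @@ interface(`ftp_admin',`
 		type ftpd_initrc_exec_t;
 	')
 
-	allow $1 ftpd_t:process { ptrace signal_perms };
+	allow $1 ftpd_t:process signal_perms;
 	ps_process_pattern($1, ftpd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ftpd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
 	domain_system_change_exemption($1)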
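diff -up serefpolicy-3.10.0/policy/modules/services/git.if.ptrace serefpolicy-3.10.0/policy/modules/services/git.if
--- serefpolicy-3.10.0/policy/modules/services/git.if.ptrace	2011-10-14 09:46:28.725530332 -0400
+++ serefpolicy-3.10.0/policy/modules/services/git.if	2011-10-14 09:46:29.162521961 -0400
@@ -42,8 +42,11 @@ interface(`git_session_role',`
 
 	domtrans_pattern($2, gitd_exec_t, git_session_t)
 
-	allow $2 git_session_t:process { ptrace signal_perms };
+	allow $2 git_session_t:process signal_perms;
 	ps_process_pattern($2, git_session_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 git_session_t:process ptrace;
+	')
 ')
 
 ########################################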
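diff -up serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace serefpolicy-3.10.0/policy/modules/services/glance.if
--- serefpolicy-3.10.0/policy/modules/services/glance.if.ptrace	2011-10-14 09:46:28.727530293 -0400
+++ serefpolicy-3.10.0/policy/modules/services/glance.if	2011-10-14 09:46:29.163521941 -0400
@@ -245,10 +245,14 @@ interface(`glance_admin',`
 		type glance_api_initrc_exec_t;
 	')
 
-	allow $1 glance_registry_t:process { ptrace signal_perms };
+	allow $1 glance_registry_t:process signal_perms;
 	ps_process_pattern($1, glance_registry_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 glance_registry_t:process ptrace;
+		allow $1 glance_api_t:process ptrace;
+	')
 
-	allow $1 glance_api_t:process { ptrace signal_perms };
+	allow $1 glance_api_t:process signal_perms;
 	ps_process_pattern($1, glance_api_t)
 
 	init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)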
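Review bot: The tunable_policy block that grants ptrace on glance_api_t is placed between the glance_registry_t rules and the glance_api_t signal_perms/ps_process_pattern lines, so the two domains' rule groups are interleaved. Moving the block to just after `ps_process_pattern($1, glance_api_t)` keeps each domain's rules together and matches the layout the single-domain admin interfaces use in this patch. jabber.if, kerberos.if and matahari.if have the same interleaved layout. glance_admin continues outside the hunk.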
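diff -up serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace serefpolicy-3.10.0/policy/modules/services/gnomeclock.te
--- serefpolicy-3.10.0/policy/modules/services/gnomeclock.te.ptrace	2011-10-14 09:46:28.729530255 -0400
+++ serefpolicy-3.10.0/policy/modules/services/gnomeclock.te	2011-10-14 09:46:29.163521941 -0400
@@ -14,7 +14,7 @@ dbus_system_domain(gnomeclock_t, gnomecl
 # gnomeclock local policy
 #
 
-allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
+allow gnomeclock_t self:capability { sys_nice sys_time };
 allow gnomeclock_t self:process { getattr getsched signal };
 allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
 allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;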
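diff -up serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace serefpolicy-3.10.0/policy/modules/services/gpsd.te
--- serefpolicy-3.10.0/policy/modules/services/gpsd.te.ptrace	2011-10-14 09:46:28.731530217 -0400
+++ serefpolicy-3.10.0/policy/modules/services/gpsd.te	2011-10-14 09:46:29.164521921 -0400
@@ -25,7 +25,7 @@ files_pid_file(gpsd_var_run_t)
 #
 
 allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override sys_ptrace };
+dontaudit gpsd_t self:capability { dac_read_search dac_override };
 allow gpsd_t self:process { setsched signal_perms };
 allow gpsd_t self:shm create_shm_perms;
 allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };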
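Review bot: Dropping sys_ptrace from the dontaudit changes logging, not access: gpsd_t was never allowed the capability here, so any CAP_SYS_PTRACE check it triggers is now recorded as an AVC denial instead of being silently refused. That is good for visibility, but the dontaudit presumably existed because something in gpsd hit the check benignly, so expect new audit noise after the update and decide whether the dontaudit should instead stay under the deny_ptrace tunable. hal.te and ifplugd.te make the same dontaudit change.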
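diff -up serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace serefpolicy-3.10.0/policy/modules/services/hadoop.if
--- serefpolicy-3.10.0/policy/modules/services/hadoop.if.ptrace	2011-10-14 09:46:29.040524294 -0400
+++ serefpolicy-3.10.0/policy/modules/services/hadoop.if	2011-10-14 09:46:29.165521902 -0400
@@ -222,14 +222,21 @@ interface(`hadoop_role',`
 	hadoop_domtrans($2)
 	role $1 types hadoop_t;
 
-	allow $2 hadoop_t:process { ptrace signal_perms };
+	allow $2 hadoop_t:process signal_perms;
 	ps_process_pattern($2, hadoop_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 hadoop_t:process ptrace;
+	')
 
 	hadoop_domtrans_zookeeper_client($2)
 	role $1 types zookeeper_t;
 
-	allow $2 zookeeper_t:process { ptrace signal_perms };
+	allow $2 zookeeper_t:process signal_perms;
 	ps_process_pattern($2, zookeeper_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 zookeeper_t:process ptrace;
+	')
+
 ')
 
 ########################################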
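Review bot: hadoop_role ends with two separate tunable_policy blocks on the same boolean plus a newly added blank line before the closing `')`. The two blocks could be merged into one placed after `ps_process_pattern($2, zookeeper_t)` holding both `allow $2 hadoop_t:process ptrace;` and `allow $2 zookeeper_t:process ptrace;`, and the trailing blank line dropped so the interface closes like the others in this patch. hadoop_role begins outside the hunk.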
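diff -up serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace serefpolicy-3.10.0/policy/modules/services/hal.if
--- serefpolicy-3.10.0/policy/modules/services/hal.if.ptrace	2011-10-14 09:46:28.735530141 -0400
+++ serefpolicy-3.10.0/policy/modules/services/hal.if	2011-10-14 09:46:29.166521883 -0400
@@ -70,7 +70,9 @@ interface(`hal_ptrace',`
 		type hald_t;
 	')
 
-	allow $1 hald_t:process ptrace;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 hald_t:process ptrace;
+	')
 ')
 
 ########################################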
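Review bot: hal_ptrace now grants nothing while deny_ptrace is on, but the interface's name and its summary block (above the hunk) still promise an unconditional ptrace right to callers. The interface description should say the grant is subject to the boolean, e.g. `## Allow the specified domain to ptrace hald. Granted only while the deny_ptrace boolean is off.`, so that callers relying on hal_ptrace know it can be switched off at runtime.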
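diff -up serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace serefpolicy-3.10.0/policy/modules/services/hal.te
--- serefpolicy-3.10.0/policy/modules/services/hal.te.ptrace	2011-10-14 09:46:28.735530141 -0400
+++ serefpolicy-3.10.0/policy/modules/services/hal.te	2011-10-14 09:46:29.167521864 -0400
@@ -64,7 +64,7 @@ typealias hald_var_run_t alias pmtools_v
 
 # execute openvt which needs setuid
 allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
-dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
+dontaudit hald_t self:capability sys_tty_config;
 allow hald_t self:process { getsched getattr signal_perms };
 allow hald_t self:fifo_file rw_fifo_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };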
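diff -up serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace serefpolicy-3.10.0/policy/modules/services/hddtemp.if
--- serefpolicy-3.10.0/policy/modules/services/hddtemp.if.ptrace	2011-10-14 09:46:28.736530122 -0400
+++ serefpolicy-3.10.0/policy/modules/services/hddtemp.if	2011-10-14 09:46:29.167521864 -0400
@@ -60,8 +60,11 @@ interface(`hddtemp_admin',`
 		type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
 	')
 
-	allow $1 hddtemp_t:process { ptrace signal_perms };
+	allow $1 hddtemp_t:process signal_perms;
 	ps_process_pattern($1, hddtemp_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 hddtemp_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
 	domain_system_change_exemption($1)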
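diff -up serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace serefpolicy-3.10.0/policy/modules/services/icecast.if
--- serefpolicy-3.10.0/policy/modules/services/icecast.if.ptrace	2011-10-14 09:46:28.737530102 -0400
+++ serefpolicy-3.10.0/policy/modules/services/icecast.if	2011-10-14 09:46:29.168521845 -0400
@@ -173,8 +173,11 @@ interface(`icecast_admin',`
 		type icecast_t, icecast_initrc_exec_t;
 	')
 
-	allow $1 icecast_t:process { ptrace signal_perms };
+	allow $1 icecast_t:process signal_perms;
 	ps_process_pattern($1, icecast_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 icecast_t:process ptrace;
+	')
 
 	# Allow icecast_t to restart the apache service
 	icecast_initrc_domtrans($1)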
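diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.if
--- serefpolicy-3.10.0/policy/modules/services/ifplugd.if.ptrace	2011-10-14 09:46:28.738530082 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.if	2011-10-14 09:46:29.169521826 -0400
@@ -117,7 +117,7 @@ interface(`ifplugd_admin',`
 		type ifplugd_initrc_exec_t;
 	')
 
-	allow $1 ifplugd_t:process { ptrace signal_perms };
+	allow $1 ifplugd_t:process signal_perms;
 	ps_process_pattern($1, ifplugd_t)
 
 	init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)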
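Review bot: ifplugd_admin loses ptrace outright: the hunk only trims the allow line and, unlike every other *_admin interface in this patch, adds no tunable_policy block, so an administrator cannot ptrace ifplugd_t even while deny_ptrace is off. The hunk header (-117,7 +117,7) confirms nothing was added. For consistency, add after `ps_process_pattern($1, ifplugd_t)` the same three-line tunable_policy block the ldap_admin hunk gets, wrapping `allow $1 ifplugd_t:process ptrace;`. The remainder of ifplugd_admin is outside the hunk.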
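diff -up serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace serefpolicy-3.10.0/policy/modules/services/ifplugd.te
--- serefpolicy-3.10.0/policy/modules/services/ifplugd.te.ptrace	2011-10-14 09:46:28.739530063 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ifplugd.te	2011-10-14 09:46:29.170521807 -0400
@@ -26,7 +26,7 @@ files_pid_file(ifplugd_var_run_t)
 #
 
 allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
-dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
+dontaudit ifplugd_t self:capability sys_tty_config;
 allow ifplugd_t self:process { signal signull };
 allow ifplugd_t self:fifo_file rw_fifo_file_perms;
 allow ifplugd_t self:tcp_socket create_stream_socket_perms;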
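diff -up serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace serefpolicy-3.10.0/policy/modules/services/inn.if
--- serefpolicy-3.10.0/policy/modules/services/inn.if.ptrace	2011-10-14 09:46:28.741530025 -0400
+++ serefpolicy-3.10.0/policy/modules/services/inn.if	2011-10-14 09:46:29.170521807 -0400
@@ -202,8 +202,11 @@ interface(`inn_admin',`
 		type innd_initrc_exec_t;
 	')
 
-	allow $1 innd_t:process { ptrace signal_perms };
+	allow $1 innd_t:process signal_perms;
 	ps_process_pattern($1, innd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 innd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, innd_initrc_exec_t)
 	domain_system_change_exemption($1)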
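diff -up serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace serefpolicy-3.10.0/policy/modules/services/jabber.if
--- serefpolicy-3.10.0/policy/modules/services/jabber.if.ptrace	2011-10-14 09:46:28.744529968 -0400
+++ serefpolicy-3.10.0/policy/modules/services/jabber.if	2011-10-14 09:46:29.171521788 -0400
@@ -143,10 +143,14 @@ interface(`jabber_admin',`
 		type jabberd_initrc_exec_t, jabberd_router_t;
 	')
 
-	allow $1 jabberd_t:process { ptrace signal_perms };
+	allow $1 jabberd_t:process signal_perms;
 	ps_process_pattern($1, jabberd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 jabberd_t:process ptrace;
+		allow $1 jabberd_router_t:process ptrace;
+	')
 
-	allow $1 jabberd_router_t:process { ptrace signal_perms };
+	allow $1 jabberd_router_t:process signal_perms;
 	ps_process_pattern($1, jabberd_router_t)
 
 	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)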
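diff -up serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerberos.if
--- serefpolicy-3.10.0/policy/modules/services/kerberos.if.ptrace	2011-10-14 09:46:28.746529930 -0400
+++ serefpolicy-3.10.0/policy/modules/services/kerberos.if	2011-10-14 09:46:29.172521769 -0400
@@ -340,13 +340,18 @@ interface(`kerberos_admin',`
 		type krb5kdc_var_run_t, krb5_host_rcache_t;
 	')
 
-	allow $1 kadmind_t:process { ptrace signal_perms };
+	allow $1 kadmind_t:process signal_perms;
 	ps_process_pattern($1, kadmind_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kadmind_t:process ptrace;
+		allow $1 krb5kdc_t:process ptrace;
+		allow $1 kpropd_t:process ptrace;
+	')
 
-	allow $1 krb5kdc_t:process { ptrace signal_perms };
+	allow $1 krb5kdc_t:process signal_perms;
 	ps_process_pattern($1, krb5kdc_t)
 
-	allow $1 kpropd_t:process { ptrace signal_perms };
+	allow $1 kpropd_t:process signal_perms;
 	ps_process_pattern($1, kpropd_t)
 
 	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)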
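diff -up serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace serefpolicy-3.10.0/policy/modules/services/kerneloops.if
--- serefpolicy-3.10.0/policy/modules/services/kerneloops.if.ptrace	2011-10-14 09:46:28.747529911 -0400
+++ serefpolicy-3.10.0/policy/modules/services/kerneloops.if	2011-10-14 09:46:29.172521769 -0400
@@ -101,8 +101,11 @@ interface(`kerneloops_admin',`
 		type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
 	')
 
-	allow $1 kerneloops_t:process { ptrace signal_perms };
+	allow $1 kerneloops_t:process signal_perms;
 	ps_process_pattern($1, kerneloops_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 kerneloops_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
 	domain_system_change_exemption($1)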
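diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.if
--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.if.ptrace	2011-10-14 09:46:28.750529852 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.if	2011-10-14 09:46:29.173521750 -0400
@@ -58,8 +58,11 @@ interface(`ksmtuned_admin',`
 		type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t;
 	')
 
-	allow $1 ksmtuned_t:process { ptrace signal_perms };
+	allow $1 ksmtuned_t:process signal_perms;
 	ps_process_pattern($1, ksmtuned_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ksmtuned_t:process ptrace;
+	')
 
 	files_list_pids($1)
 	admin_pattern($1, ksmtuned_var_run_t)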
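diff -up serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace serefpolicy-3.10.0/policy/modules/services/ksmtuned.te
--- serefpolicy-3.10.0/policy/modules/services/ksmtuned.te.ptrace	2011-10-14 09:46:28.751529833 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ksmtuned.te	2011-10-14 09:46:29.174521731 -0400
@@ -23,7 +23,7 @@ files_pid_file(ksmtuned_var_run_t)
 # ksmtuned local policy
 #
 
-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
+allow ksmtuned_t self:capability sys_tty_config;
 allow ksmtuned_t self:fifo_file rw_file_perms;
 
 manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)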
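diff -up serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/l2tpd.if
--- serefpolicy-3.10.0/policy/modules/services/l2tpd.if.ptrace	2011-10-14 09:46:28.752529814 -0400
+++ serefpolicy-3.10.0/policy/modules/services/l2tpd.if	2011-10-14 09:46:29.174521731 -0400
@@ -101,8 +101,11 @@ interface(`l2tpd_admin',`
 	type l2tpd_var_run_t;
 	')
 
-	allow $1 l2tpd_t:process { ptrace signal_perms };
+	allow $1 l2tpd_t:process signal_perms;
 	ps_process_pattern($1, l2tpd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 l2tpd_t:process ptrace;
+	')
 
 	l2tpd_initrc_domtrans($1)
 	domain_system_change_exemption($1)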
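diff -up serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace serefpolicy-3.10.0/policy/modules/services/ldap.if
--- serefpolicy-3.10.0/policy/modules/services/ldap.if.ptrace	2011-10-14 09:46:28.754529776 -0400
+++ serefpolicy-3.10.0/policy/modules/services/ldap.if	2011-10-14 09:46:29.175521712 -0400
@@ -174,8 +174,11 @@ interface(`ldap_admin',`
 		type slapd_initrc_exec_t;
 	')
 
-	allow $1 slapd_t:process { ptrace signal_perms };
+	allow $1 slapd_t:process signal_perms;
 	ps_process_pattern($1, slapd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 slapd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
 	domain_system_change_exemption($1)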
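diff -up serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lircd.if
--- serefpolicy-3.10.0/policy/modules/services/lircd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
+++ serefpolicy-3.10.0/policy/modules/services/lircd.if	2011-10-14 09:46:29.176521693 -0400
@@ -80,8 +80,11 @@ interface(`lircd_admin',`
 		type lircd_initrc_exec_t, lircd_etc_t;
 	')
 
-	allow $1 lircd_t:process { ptrace signal_perms };
+	allow $1 lircd_t:process signal_perms;
 	ps_process_pattern($1, lircd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 lircd_t:process ptrace;
+	')
 
 	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
 	domain_system_change_exemption($1)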
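diff -up serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace serefpolicy-3.10.0/policy/modules/services/lldpad.if
--- serefpolicy-3.10.0/policy/modules/services/lldpad.if.ptrace	2011-10-14 09:46:28.759529681 -0400
+++ serefpolicy-3.10.0/policy/modules/services/lldpad.if	2011-10-14 09:46:29.176521693 -0400
@@ -180,8 +180,11 @@ interface(`lldpad_admin',`
 	type lldpad_var_run_t;
 	')
 
-	allow $1 lldpad_t:process { ptrace signal_perms };
+	allow $1 lldpad_t:process signal_perms;
 	ps_process_pattern($1, lldpad_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 lldpad_t:process ptrace;
+	')
 
 	lldpad_initrc_domtrans($1)
 	domain_system_change_exemption($1)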
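diff -up serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/lpd.if
--- serefpolicy-3.10.0/policy/modules/services/lpd.if.ptrace	2011-10-14 09:46:28.760529661 -0400
+++ serefpolicy-3.10.0/policy/modules/services/lpd.if	2011-10-14 09:46:29.178521654 -0400
@@ -28,7 +28,10 @@ interface(`lpd_role',`
 	dontaudit lpr_t $2:unix_stream_socket { read write };
 
 	ps_process_pattern($2, lpr_t)
-	allow $2 lpr_t:process { ptrace signal_perms };
+	allow $2 lpr_t:process signal_perms;
+	tunable_policy(`deny_ptrace',`',`
+		allow $2 lpr_t:process ptrace;
+	')
 
 	optional_policy(`
 		cups_read_config($2)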
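diff -up serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace serefpolicy-3.10.0/policy/modules/services/mailscanner.if
--- serefpolicy-3.10.0/policy/modules/services/mailscanner.if.ptrace	2011-10-14 09:46:28.763529603 -0400
+++ serefpolicy-3.10.0/policy/modules/services/mailscanner.if	2011-10-14 09:46:29.178521654 -0400
@@ -47,8 +47,11 @@ interface(`mailscanner_admin',`
 	role_transition $2 mscan_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	allow $1 mscan_t:process { ptrace signal_perms };
+	allow $1 mscan_t:process signal_perms;
 	ps_process_pattern($1, mscan_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 mscan_t:process ptrace;
+	')
 
 	admin_pattern($1, mscan_etc_t)
 	files_list_etc($1)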
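diff -up serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.if
--- serefpolicy-3.10.0/policy/modules/services/matahari.if.ptrace	2011-10-14 09:46:28.765529565 -0400
+++ serefpolicy-3.10.0/policy/modules/services/matahari.if	2011-10-14 09:46:29.179521635 -0400
@@ -229,13 +229,18 @@ interface(`matahari_admin',`
 	role_transition $2 matahari_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	allow $1 matahari_netd_t:process { ptrace signal_perms };
+	allow $1 matahari_netd_t:process signal_perms;
 	ps_process_pattern($1, matahari_netd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 matahari_netd_t:process ptrace;
+		allow $1 matahari_hostd_t:process ptrace;
+		allow $1 matahari_serviced_t:process ptrace;
+	')
 
-	allow $1 matahari_hostd_t:process { ptrace signal_perms };
+	allow $1 matahari_hostd_t:process signal_perms;
 	ps_process_pattern($1, matahari_hostd_t)
 
-	allow $1 matahari_serviced_t:process { ptrace signal_perms };
+	allow $1 matahari_serviced_t:process signal_perms;
 	ps_process_pattern($1, matahari_serviced_t)
 
 	files_search_var_lib($1)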
diff -up serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace serefpolicy-3.10.0/policy/modules/services/matahari.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/matahari.te.ptrace	2011-10-14 09:46:28.765529565 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/matahari.te	2011-10-14 09:46:29.180521616 -0400
Dan Walsh 6554bb
@@ -24,9 +24,6 @@ files_pid_file(matahari_var_run_t)
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 # matahari_hostd local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
-
Dan Walsh 2a89df
-allow matahari_hostd_t self:capability sys_ptrace;
Dan Walsh 6554bb
-
Dan Walsh 2a89df
 kernel_read_network_state(matahari_hostd_t)
Dan Walsh 2a89df
 
Dan Walsh 6554bb
 dev_read_sysfs(matahari_hostd_t)
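Review bot: `sys_ptrace` is removed from matahari_hostd_t outright, while every `process ptrace` rule in this patch is gated on `deny_ptrace`; the old rule was an `allow`, not a `dontaudit`, so presumably something in hostd did exercise the capability, and that access now becomes a hard denial regardless of the boolean. If the capability is still needed, gate it the same way, `tunable_policy(`deny_ptrace`,`',` allow matahari_hostd_t self:capability sys_ptrace; ')`; if it is known to be spurious, a `dontaudit` with a one-line comment saying why keeps the AVC log quiet. Either way the commit message should say which of the two it is.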
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace serefpolicy-3.10.0/policy/modules/services/memcached.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/memcached.if.ptrace	2011-10-14 09:46:28.767529527 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/memcached.if	2011-10-14 09:46:29.180521616 -0400
Dan Walsh 2a89df
@@ -59,8 +59,11 @@ interface(`memcached_admin',`
Dan Walsh 2a89df
 		type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 memcached_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 memcached_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, memcached_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 memcached_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, memcached_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
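Review bot: The empty true-branch form `tunable_policy(`deny_ptrace`,`',` … ')` hides the intent behind a double negative; if negation is accepted in this policy tree's conditional expressions, `tunable_policy(`!deny_ptrace`,` allow $1 memcached_t:process ptrace; ')` says the same thing positively and avoids the empty block. This pattern is repeated in every `*_admin` interface of the patch, so whichever form is chosen should be applied uniformly. Also note that if the boolean defaults to false, the patch changes nothing until an administrator sets it, which is worth stating in the commit message.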
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace serefpolicy-3.10.0/policy/modules/services/mock.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/mock.if.ptrace	2011-10-14 09:46:28.770529470 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/mock.if	2011-10-14 09:46:29.181521597 -0400
Dan Walsh 2a89df
@@ -245,7 +245,10 @@ interface(`mock_role',`
Dan Walsh 2a89df
 	mock_run($2, $1)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	ps_process_pattern($2, mock_t)
Dan Walsh 2a89df
-	allow $2 mock_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 mock_t:process signal_perms;
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $2 mock_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 #######################################
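Review bot: mock_role is a user-role template (the ptrace rule is for `$2`, the role's user domain), so this hunk puts a non-admin user's ability to ptrace mock_t under `deny_ptrace` as well, not only sysadm's; the same applies to polipo_role later in the patch. If the tunable's description text speaks only of sysadm debugging, it understates the boolean's scope and should mention that it governs every domain's ptrace grant. A short comment above the block would help the next reader: `# user-role ptrace of mock_t is also governed by deny_ptrace`.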
Dan Walsh 2a89df
@@ -289,10 +292,14 @@ interface(`mock_admin',`
Dan Walsh 2a89df
 		type mock_build_t, mock_etc_t, mock_tmp_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 mock_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 mock_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, mock_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 mock_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 mock_build_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 mock_build_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 mock_build_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, mock_build_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_list_var_lib($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace serefpolicy-3.10.0/policy/modules/services/mock.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/mock.te.ptrace	2011-10-14 09:46:28.771529451 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/mock.te	2011-10-14 09:46:29.182521578 -0400
Dan Walsh 2a89df
@@ -41,7 +41,7 @@ files_config_file(mock_etc_t)
Dan Walsh 2a89df
 # mock local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
Dan Walsh 2a89df
+allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
Dan Walsh 2a89df
 allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
Dan Walsh 2a89df
 # Needed because mock can run java and mono withing build environment
Dan Walsh 2a89df
 allow mock_t self:process { execmem execstack };
Dan Walsh 2a89df
@@ -164,7 +164,7 @@ optional_policy(`
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 # mock_build local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
-allow mock_build_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
Dan Walsh 2a89df
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
Dan Walsh 2a89df
 dontaudit mock_build_t self:capability audit_write;
Dan Walsh 2a89df
 allow mock_build_t self:process { fork setsched setpgid signal_perms };
Dan Walsh 2a89df
 allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
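Review bot: `sys_ptrace` is dropped from mock_build_t unconditionally, although this is the domain that runs arbitrary package build and test scripts inside the chroot, where a test suite may legitimately use ptrace (gdb, strace, valgrind-style tools). Unlike the `process ptrace` rules elsewhere in the patch, this is not under `deny_ptrace`, so it cannot be restored by flipping the boolean. Consider `tunable_policy(`deny_ptrace`,`',` allow mock_build_t self:capability sys_ptrace; ')`, or document that builds needing ptrace are expected to fail. The domain keeps `sys_admin` and `dac_override`, so the confinement gained by removing only this capability is limited and the breakage risk may not be worth it.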
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace serefpolicy-3.10.0/policy/modules/services/mojomojo.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/mojomojo.if.ptrace	2011-10-14 09:46:28.772529431 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/mojomojo.if	2011-10-14 09:46:29.182521578 -0400
Dan Walsh 2a89df
@@ -24,8 +24,11 @@ interface(`mojomojo_admin',`
Dan Walsh 2a89df
 		type httpd_mojomojo_script_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 httpd_mojomojo_script_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 httpd_mojomojo_script_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, httpd_mojomojo_script_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 httpd_mojomo_script_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_list_tmp($1)
Dan Walsh 2a89df
 	admin_pattern($1, httpd_mojomojo_tmp_t)
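Review bot: The type name in the new tunable block is misspelled: `allow $1 httpd_mojomo_script_t:process ptrace;` refers to `httpd_mojomo_script_t`, while the rule it replaces and the ps_process_pattern line use `httpd_mojomojo_script_t`. An undeclared type in an interface is a policy build error, so every module calling mojomojo_admin will fail to compile. Change it to `allow $1 httpd_mojomojo_script_t:process ptrace;`. The interface's gen_require block starts above the hunk; confirm it lists `httpd_mojomojo_script_t`.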
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace serefpolicy-3.10.0/policy/modules/services/mpd.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/mpd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/mpd.if	2011-10-14 09:46:29.183521559 -0400
Dan Walsh 2a89df
@@ -244,8 +244,11 @@ interface(`mpd_admin',`
Dan Walsh 2a89df
 		type mpd_tmpfs_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 mpd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 mpd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, mpd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 mpd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	mpd_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace serefpolicy-3.10.0/policy/modules/services/munin.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/munin.if.ptrace	2011-10-14 09:46:28.779529297 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/munin.if	2011-10-14 09:46:29.184521540 -0400
Dan Walsh 2a89df
@@ -183,8 +183,11 @@ interface(`munin_admin',`
Dan Walsh 2a89df
 		type httpd_munin_content_t, munin_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 munin_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 munin_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, munin_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 munin_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, munin_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/mysql.if.ptrace	2011-10-14 09:46:28.780529278 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/mysql.if	2011-10-14 09:46:29.185521521 -0400
Dan Walsh 2a89df
@@ -389,8 +389,11 @@ interface(`mysql_admin',`
Dan Walsh 2a89df
 		type mysqld_etc_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 mysqld_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 mysqld_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, mysqld_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 mysqld_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace serefpolicy-3.10.0/policy/modules/services/mysql.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/mysql.te.ptrace	2011-10-14 09:46:28.781529259 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/mysql.te	2011-10-14 09:46:29.186521502 -0400
Dan Walsh 6554bb
@@ -158,7 +158,6 @@ optional_policy(`
Dan Walsh 6554bb
 #
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 allow mysqld_safe_t self:capability { chown dac_override fowner kill };
Dan Walsh 6554bb
-dontaudit mysqld_safe_t self:capability sys_ptrace;
Dan Walsh 6554bb
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
Dan Walsh 6554bb
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 6554bb
 
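Review bot: Removing `dontaudit mysqld_safe_t self:capability sys_ptrace` grants or denies nothing new, since the capability was never allowed; it only makes the previously silenced denials appear in the audit log. That is reasonable if the aim is to surface ptrace use, but the dontaudit presumably existed because mysqld_safe trips the check routinely, so this may add steady AVC noise. Either say in the commit message that the change is logging-only and intended, or keep the suppression tied to the boolean: `tunable_policy(`deny_ptrace`,`',` dontaudit mysqld_safe_t self:capability sys_ptrace; ')`.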
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace serefpolicy-3.10.0/policy/modules/services/nagios.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/nagios.if.ptrace	2011-10-14 09:46:28.782529240 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/nagios.if	2011-10-14 09:46:29.186521502 -0400
Dan Walsh 2a89df
@@ -225,8 +225,11 @@ interface(`nagios_admin',`
Dan Walsh 2a89df
 		type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 nagios_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 nagios_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, nagios_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 nagios_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/networkmanager.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/networkmanager.te.ptrace	2011-10-14 09:46:28.786529162 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/networkmanager.te	2011-10-14 09:46:29.187521483 -0400
Dan Walsh 2a89df
@@ -44,13 +44,17 @@ init_system_domain(wpa_cli_t, wpa_cli_ex
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 # networkmanager will ptrace itself if gdb is installed
Dan Walsh 2a89df
 # and it receives a unexpected signal (rh bug #204161)
Dan Walsh 2a89df
-allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
Dan Walsh 6554bb
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
Dan Walsh 2a89df
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
Dan Walsh 6554bb
+dontaudit NetworkManager_t self:capability sys_tty_config;
Dan Walsh 2a89df
 ifdef(`hide_broken_symptoms',`
Dan Walsh 2a89df
 	# caused by some bogus kernel code
Dan Walsh 2a89df
 	dontaudit NetworkManager_t self:capability sys_module;
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
Dan Walsh 2a89df
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
Dan Walsh 6554bb
+tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+	allow NetworkManager_t self:process ptrace;
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
Dan Walsh 2a89df
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
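Review bot: The `self:process ptrace` rule for NetworkManager_t is gated on `deny_ptrace`, but the matching `sys_ptrace` capability is removed from both the allow and the dontaudit lines unconditionally. The comment kept above the rules says NetworkManager runs gdb against itself on an unexpected signal; a child gdb attaching to its parent is not guaranteed to pass the kernel's ptrace access check without CAP_SYS_PTRACE (it depends on dumpability and any ptrace_scope restriction), so the permissive branch of the tunable may be incomplete. Either move `allow NetworkManager_t self:capability sys_ptrace;` into the same tunable block, or, if the gdb-on-crash path is gone, drop the self:process ptrace and the stale comment with it. In any case the comment should now say that the access depends on `deny_ptrace`.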
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace serefpolicy-3.10.0/policy/modules/services/nis.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/nis.if.ptrace	2011-10-14 09:46:28.787529143 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/nis.if	2011-10-14 09:46:29.188521464 -0400
Dan Walsh 6554bb
@@ -390,16 +390,22 @@ interface(`nis_admin',`
Dan Walsh 2a89df
 		type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ypbind_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ypbind_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ypbind_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 ypbind_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 yppasswdd_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 ypserv_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 ypxfr_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 yppasswdd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 yppasswdd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, yppasswdd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ypserv_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ypserv_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ypserv_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ypxfr_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ypxfr_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ypxfr_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	nis_initrc_domtrans($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/nscd.if.ptrace	2011-10-14 09:46:28.788529124 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/nscd.if	2011-10-14 09:46:29.189521445 -0400
Dan Walsh 6554bb
@@ -321,8 +321,11 @@ interface(`nscd_admin',`
Dan Walsh 2a89df
 		type nscd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 nscd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 nscd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, nscd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 nscd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace serefpolicy-3.10.0/policy/modules/services/nscd.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/nscd.te.ptrace	2011-10-14 09:46:28.789529105 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/nscd.te	2011-10-14 09:46:29.190521426 -0400
Dan Walsh 6554bb
@@ -40,7 +40,7 @@ logging_log_file(nscd_log_t)
Dan Walsh 2a89df
 # Local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow nscd_t self:capability { kill setgid setuid sys_ptrace };
Dan Walsh 2a89df
+allow nscd_t self:capability { kill setgid setuid };
Dan Walsh 2a89df
 dontaudit nscd_t self:capability sys_tty_config;
Dan Walsh 2a89df
 allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
Dan Walsh 2a89df
 allow nscd_t self:fifo_file read_fifo_file_perms;
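Review bot: `sys_ptrace` is removed from nscd_t with neither a tunable nor a dontaudit; the old rule was an `allow`, so something triggered the capability check at some point, and that path now produces hard denials even with `deny_ptrace` left off. If the access was real, gate it as `tunable_policy(`deny_ptrace`,`',` allow nscd_t self:capability sys_ptrace; ')`; if it was only incidental (e.g. a /proc lookup that falls back gracefully), a `dontaudit` with a comment is the quieter choice. The commit message should name which daemons had their capability dropped outright versus gated, since the two have different failure modes.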
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace serefpolicy-3.10.0/policy/modules/services/nslcd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/nslcd.if.ptrace	2011-10-14 09:46:28.790529086 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/nslcd.if	2011-10-14 09:46:29.190521426 -0400
Dan Walsh 2a89df
@@ -98,7 +98,10 @@ interface(`nslcd_admin',`
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	ps_process_pattern($1, nslcd_t)
Dan Walsh 2a89df
-	allow $1 nslcd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 nslcd_t:process signal_perms;
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 nslcd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# Allow nslcd_t to restart the apache service
Dan Walsh 2a89df
 	nslcd_initrc_domtrans($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ntp.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/ntp.if.ptrace	2011-10-14 09:46:28.792529048 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ntp.if	2011-10-14 09:46:29.191521406 -0400
Dan Walsh 6554bb
@@ -204,8 +204,11 @@ interface(`ntp_admin',`
Dan Walsh 2a89df
 		type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ntpd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ntpd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ntpd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 ntpd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace serefpolicy-3.10.0/policy/modules/services/oident.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/oident.if.ptrace	2011-10-14 09:46:28.797528951 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/oident.if	2011-10-14 09:46:29.192521387 -0400
Dan Walsh 2a89df
@@ -89,8 +89,11 @@ interface(`oident_admin',`
Dan Walsh 2a89df
 		type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 oidentd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 oidentd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, oidentd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 oidentd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace serefpolicy-3.10.0/policy/modules/services/openvpn.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/openvpn.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/openvpn.if	2011-10-14 09:46:29.192521387 -0400
Dan Walsh 2a89df
@@ -144,8 +144,11 @@ interface(`openvpn_admin',`
Dan Walsh 2a89df
 		type openvpn_var_run_t, openvpn_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 openvpn_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 openvpn_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, openvpn_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 openvpn_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace serefpolicy-3.10.0/policy/modules/services/pads.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/pads.if.ptrace	2011-10-14 09:46:28.801528875 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/pads.if	2011-10-14 09:46:29.193521367 -0400
Dan Walsh 2a89df
@@ -31,8 +31,11 @@ interface(`pads_admin',`
Dan Walsh 2a89df
 		type pads_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 pads_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 pads_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, pads_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 pads_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, pads_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace serefpolicy-3.10.0/policy/modules/services/pingd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/pingd.if.ptrace	2011-10-14 09:46:28.805528799 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/pingd.if	2011-10-14 09:46:29.194521347 -0400
Dan Walsh 2a89df
@@ -80,8 +80,11 @@ interface(`pingd_admin',`
Dan Walsh 2a89df
 		type pingd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 pingd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 pingd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, pingd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 pingd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, pingd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace serefpolicy-3.10.0/policy/modules/services/piranha.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/piranha.te.ptrace	2011-10-14 09:46:28.807528760 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/piranha.te	2011-10-14 09:46:29.195521328 -0400
Dan Walsh 2a89df
@@ -65,7 +65,11 @@ init_domtrans_script(piranha_fos_t)
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 allow piranha_web_t self:capability { setuid sys_nice kill setgid };
Dan Walsh 2a89df
-allow piranha_web_t self:process { getsched setsched signal signull ptrace };
Dan Walsh 2a89df
+allow piranha_web_t self:process { getsched setsched signal signull };
Dan Walsh 6554bb
+tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+	allow piranha_web_t self:process ptrace;
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 allow piranha_web_t self:rawip_socket create_socket_perms;
Dan Walsh 2a89df
 allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
Dan Walsh 2a89df
 allow piranha_web_t self:sem create_sem_perms;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace serefpolicy-3.10.0/policy/modules/services/plymouthd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/plymouthd.if.ptrace	2011-10-14 09:46:28.808528740 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/plymouthd.if	2011-10-14 09:46:29.196521310 -0400
Dan Walsh 2a89df
@@ -291,8 +291,11 @@ interface(`plymouthd_admin',`
Dan Walsh 2a89df
 		type plymouthd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 plymouthd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 plymouthd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, plymouthd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 plymouthd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_list_var_lib($1)
Dan Walsh 2a89df
 	admin_pattern($1, plymouthd_spool_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace serefpolicy-3.10.0/policy/modules/services/policykit.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/policykit.te.ptrace	2011-10-14 09:46:28.811528683 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/policykit.te	2011-10-14 09:46:29.197521291 -0400
Dan Walsh 6554bb
@@ -38,7 +38,7 @@ files_pid_file(policykit_var_run_t)
Dan Walsh 2a89df
 # policykit local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
Dan Walsh 2a89df
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
Dan Walsh 2a89df
 allow policykit_t self:process { getsched getattr signal };
Dan Walsh 2a89df
 allow policykit_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 allow policykit_t self:unix_dgram_socket create_socket_perms;
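Review bot: policykit_t loses `sys_ptrace` unconditionally here. polkit identifies subjects from their /proc/<pid> entries, and some of those (exe, environ, cwd) are subject to the kernel's ptrace access check, which for a process of a different uid requires CAP_SYS_PTRACE; if polkit reads any of them, authorization lookups for other users' processes will start failing instead of being governed by the boolean. This needs a check against the daemon's code or a run with the boolean off before merging; the conservative form is `tunable_policy(`deny_ptrace`,`',` allow policykit_t self:capability sys_ptrace; ')`. The same question applies to policykit_resolve_t in the next hunk.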
Dan Walsh 6554bb
@@ -233,7 +233,7 @@ optional_policy(`
Dan Walsh 2a89df
 # polkit_resolve local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
Dan Walsh 2a89df
+allow policykit_resolve_t self:capability { setuid sys_nice };
Dan Walsh 2a89df
 allow policykit_resolve_t self:process getattr;
Dan Walsh 2a89df
 allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace serefpolicy-3.10.0/policy/modules/services/polipo.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/polipo.if.ptrace	2011-10-14 09:46:28.812528664 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/polipo.if	2011-10-14 09:46:29.197521291 -0400
Dan Walsh 2a89df
@@ -32,8 +32,11 @@ template(`polipo_role',`
Dan Walsh 2a89df
 	# Policy
Dan Walsh 2a89df
 	#
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $2 polipo_session_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 polipo_session_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($2, polipo_session_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $2 polipo_session_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	tunable_policy(`polipo_session_users',`
Dan Walsh 2a89df
 		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
Dan Walsh 2a89df
@@ -163,8 +166,11 @@ interface(`polipo_admin',`
Dan Walsh 2a89df
 		type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 polipo_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 polipo_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, polipo_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 polipo_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace serefpolicy-3.10.0/policy/modules/services/portreserve.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/portreserve.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/portreserve.if	2011-10-14 09:46:29.198521272 -0400
Dan Walsh 2a89df
@@ -104,8 +104,11 @@ interface(`portreserve_admin',`
Dan Walsh 2a89df
 		type portreserve_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 portreserve_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 portreserve_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, portreserve_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 portreserve_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	portreserve_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfix.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/postfix.if.ptrace	2011-10-14 09:46:28.817528569 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/postfix.if	2011-10-14 09:46:29.199521253 -0400
Dan Walsh 2a89df
@@ -729,25 +729,36 @@ interface(`postfix_admin',`
Dan Walsh 2a89df
 		type postfix_smtpd_t, postfix_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postfix_bounce_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postfix_bounce_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postfix_bounce_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 postfix_bounce_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postfix_cleanup_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postfix_cleanup_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postfix_cleanup_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 postfix_cleanup_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 postfix_local_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 postfix_master_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 postfix_pickup_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 postfix_qmgr_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 postfix_smtpd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postfix_local_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postfix_local_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postfix_local_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postfix_master_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postfix_master_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postfix_master_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postfix_pickup_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postfix_pickup_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postfix_pickup_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postfix_qmgr_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postfix_qmgr_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postfix_qmgr_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postfix_smtpd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postfix_smtpd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postfix_smtpd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	postfix_run_map($1, $2)
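Review bot: The ptrace grants are split into two tunable blocks, `postfix_bounce_t` alone after its signal_perms line and the other six domains in a second block after `postfix_cleanup_t`, which makes it easy to miss one when adding a domain. Fold the bounce rule into the single block so all seven ptrace allows sit together, i.e. delete the first `tunable_policy` and add `allow $1 postfix_bounce_t:process ptrace;` as the first line of the second. A one-line comment above it, `# ptrace of all postfix domains is governed by deny_ptrace`, would tell the reader why these are separated from the signal_perms lines.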
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if.ptrace	2011-10-14 09:46:28.818528550 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/postfixpolicyd.if	2011-10-14 09:46:29.200521234 -0400
Dan Walsh 2a89df
@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
Dan Walsh 2a89df
 		type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postfix_policyd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postfix_policyd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postfix_policyd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 postfix_policyd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgresql.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/postgresql.if.ptrace	2011-10-14 09:46:28.820528510 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/postgresql.if	2011-10-14 09:46:29.200521234 -0400
Dan Walsh 2a89df
@@ -541,8 +541,11 @@ interface(`postgresql_admin',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	typeattribute $1 sepgsql_admin_type;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postgresql_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postgresql_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postgresql_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 postgresql_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace serefpolicy-3.10.0/policy/modules/services/postgrey.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/postgrey.if.ptrace	2011-10-14 09:46:28.823528453 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/postgrey.if	2011-10-14 09:46:29.202521196 -0400
Dan Walsh 2a89df
@@ -62,8 +62,11 @@ interface(`postgrey_admin',`
Dan Walsh 2a89df
 		type postgrey_var_lib_t, postgrey_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 postgrey_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 postgrey_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, postgrey_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 postgrey_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace serefpolicy-3.10.0/policy/modules/services/ppp.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/ppp.if.ptrace	2011-10-14 09:46:28.825528415 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ppp.if	2011-10-14 09:46:29.202521196 -0400
Dan Walsh 6554bb
@@ -386,10 +386,14 @@ interface(`ppp_admin',`
Dan Walsh 2a89df
 		type pppd_initrc_exec_t, pppd_etc_rw_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 pppd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 pppd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, pppd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 pppd_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 pptp_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 pptp_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 pptp_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, pptp_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	ppp_initrc_domtrans($1)
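Review bot: The conditional block for both pppd_t and pptp_t is inserted after the pppd_t ps_process_pattern line, so the pptp_t ptrace rule now appears before the pptp_t signal_perms/ps rules it belongs with, breaking the per-domain grouping the rest of the interface follows; the prelude, samba, samhain, sblim and sendmail hunks do the same. Moving the single tunable_policy block to just after the last ps_process_pattern line in each interface keeps one group per domain and the combined ptrace block at the end, with no change in the resulting policy. This is ordering only; the rules themselves match the original ptrace targets in every one of those hunks.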
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace serefpolicy-3.10.0/policy/modules/services/prelude.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/prelude.if.ptrace	2011-10-14 09:46:28.826528396 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/prelude.if	2011-10-14 09:46:29.203521177 -0400
Dan Walsh 2a89df
@@ -118,13 +118,18 @@ interface(`prelude_admin',`
Dan Walsh 2a89df
 		type prelude_lml_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 prelude_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 prelude_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, prelude_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 prelude_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 prelude_audisp_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 prelude_lml_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 prelude_audisp_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 prelude_audisp_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, prelude_audisp_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 prelude_lml_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 prelude_lml_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, prelude_lml_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, prelude_initrc_exec_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace serefpolicy-3.10.0/policy/modules/services/privoxy.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/privoxy.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/privoxy.if	2011-10-14 09:46:29.204521158 -0400
Dan Walsh 2a89df
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
Dan Walsh 2a89df
 		type privoxy_etc_rw_t, privoxy_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 privoxy_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 privoxy_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, privoxy_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 privoxy_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace serefpolicy-3.10.0/policy/modules/services/psad.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/psad.if.ptrace	2011-10-14 09:46:28.830528320 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/psad.if	2011-10-14 09:46:29.204521158 -0400
Dan Walsh 2a89df
@@ -295,8 +295,11 @@ interface(`psad_admin',`
Dan Walsh 2a89df
 		type psad_tmp_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 psad_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 psad_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, psad_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 psad_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, psad_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace serefpolicy-3.10.0/policy/modules/services/puppet.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/puppet.te.ptrace	2011-10-14 09:46:28.833528261 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/puppet.te	2011-10-14 09:46:29.205521138 -0400
Dan Walsh 6554bb
@@ -62,7 +62,7 @@ files_tmp_file(puppetmaster_tmp_t)
Dan Walsh 2a89df
 # Puppet personal policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_ptrace sys_tty_config };
Dan Walsh 2a89df
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
Dan Walsh 2a89df
 allow puppet_t self:process { signal signull getsched setsched };
Dan Walsh 2a89df
 allow puppet_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
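Review bot: The removal of sys_ptrace from puppet_t's capability set is unconditional, unlike the interface changes, which only withdraw ptrace when the deny_ptrace tunable is set; the rtkit, sblim and snmp .te hunks do the same, and the rgmanager.te hunk additionally drops the `dontaudit rgmanager_t self:capability { sys_ptrace };` line. If any of these daemons still reads another process's /proc entries in a way that triggers a CAP_SYS_PTRACE check, the result after this patch is an audited denial rather than a quiet refusal, which is a behaviour change worth stating in the commit message. Where the access was removed because the daemon no longer needs it, a `dontaudit <domain>_t self:capability sys_ptrace;` keeps the logs clean for the probe-and-fall-back case; where it was removed to surface the attempt deliberately, a comment such as `# sys_ptrace withheld on purpose: denials here indicate the daemon is trying to inspect other processes` records that choice.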
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace serefpolicy-3.10.0/policy/modules/services/pyzor.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/pyzor.if.ptrace	2011-10-14 09:46:28.834528242 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/pyzor.if	2011-10-14 09:46:29.206521119 -0400
Dan Walsh 2a89df
@@ -29,7 +29,10 @@ interface(`pyzor_role',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# allow ps to show pyzor and allow the user to kill it 
Dan Walsh 2a89df
 	ps_process_pattern($2, pyzor_t)
Dan Walsh 2a89df
-	allow $2 pyzor_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 pyzor_t:process signal_perms;
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $2 pyzor_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 ########################################
Dan Walsh 2a89df
@@ -113,8 +116,11 @@ interface(`pyzor_admin',`
Dan Walsh 2a89df
 		type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 pyzord_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 pyzord_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, pyzord_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 pyzord_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace serefpolicy-3.10.0/policy/modules/services/qpid.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/qpid.if.ptrace	2011-10-14 09:46:28.839528147 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/qpid.if	2011-10-14 09:46:29.207521099 -0400
Dan Walsh 2a89df
@@ -177,8 +177,11 @@ interface(`qpidd_admin',`
Dan Walsh 2a89df
 		type qpidd_t, qpidd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 qpidd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 qpidd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, qpidd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 qpidd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# Allow qpidd_t to restart the apache service
Dan Walsh 2a89df
 	qpidd_initrc_domtrans($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace serefpolicy-3.10.0/policy/modules/services/radius.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/radius.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/radius.if	2011-10-14 09:46:29.207521099 -0400
Dan Walsh 2a89df
@@ -38,8 +38,11 @@ interface(`radius_admin',`
Dan Walsh 2a89df
 		type radiusd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 radiusd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 radiusd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, radiusd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 radiusd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace serefpolicy-3.10.0/policy/modules/services/radvd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/radvd.if.ptrace	2011-10-14 09:46:28.840528128 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/radvd.if	2011-10-14 09:46:29.208521079 -0400
Dan Walsh 2a89df
@@ -23,8 +23,11 @@ interface(`radvd_admin',`
Dan Walsh 2a89df
 		type radvd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 radvd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 radvd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, radvd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 radvd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace serefpolicy-3.10.0/policy/modules/services/razor.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/razor.if.ptrace	2011-10-14 09:46:28.842528089 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/razor.if	2011-10-14 09:46:29.209521060 -0400
Dan Walsh 2a89df
@@ -132,7 +132,10 @@ interface(`razor_role',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# allow ps to show razor and allow the user to kill it 
Dan Walsh 2a89df
 	ps_process_pattern($2, razor_t)
Dan Walsh 2a89df
-	allow $2 razor_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 razor_t:process signal_perms;
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $2 razor_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	manage_dirs_pattern($2, razor_home_t, razor_home_t)
Dan Walsh 2a89df
 	manage_files_pattern($2, razor_home_t, razor_home_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/rgmanager.if.ptrace	2011-10-14 09:46:28.845528031 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.if	2011-10-14 09:46:29.210521041 -0400
Dan Walsh 2a89df
@@ -117,8 +117,11 @@ interface(`rgmanager_admin',`
Dan Walsh 2a89df
 		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 rgmanager_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 rgmanager_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, rgmanager_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 rgmanager_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace serefpolicy-3.10.0/policy/modules/services/rgmanager.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/rgmanager.te.ptrace	2011-10-14 09:46:28.847527993 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/rgmanager.te	2011-10-14 09:46:29.211521022 -0400
Dan Walsh 6554bb
@@ -37,7 +37,6 @@ files_pid_file(rgmanager_var_run_t)
Dan Walsh 6554bb
 #
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
Dan Walsh 6554bb
-dontaudit rgmanager_t self:capability { sys_ptrace };
Dan Walsh 6554bb
 allow rgmanager_t self:process { setsched signal };
Dan Walsh 6554bb
 dontaudit rgmanager_t self:process ptrace;
Dan Walsh 6554bb
 
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if.ptrace	2011-10-14 09:46:28.852527898 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/rhsmcertd.if	2011-10-14 09:46:29.212521003 -0400
Dan Walsh 2a89df
@@ -284,8 +284,11 @@ interface(`rhsmcertd_admin',`
Dan Walsh 2a89df
 	type rhsmcertd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 rhsmcertd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 rhsmcertd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, rhsmcertd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 rhsmcertd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	rhsmcertd_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace serefpolicy-3.10.0/policy/modules/services/ricci.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/ricci.if.ptrace	2011-10-14 09:46:28.854527859 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ricci.if	2011-10-14 09:46:29.213520984 -0400
Dan Walsh 2a89df
@@ -245,8 +245,11 @@ interface(`ricci_admin',`
Dan Walsh 2a89df
 		type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ricci_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ricci_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ricci_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 ricci_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	ricci_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace serefpolicy-3.10.0/policy/modules/services/roundup.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/roundup.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/roundup.if	2011-10-14 09:46:29.213520984 -0400
Dan Walsh 2a89df
@@ -23,8 +23,11 @@ interface(`roundup_admin',`
Dan Walsh 2a89df
 		type roundup_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 roundup_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 roundup_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, roundup_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 roundup_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace serefpolicy-3.10.0/policy/modules/services/rpcbind.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/rpcbind.if.ptrace	2011-10-14 09:46:28.860527744 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/rpcbind.if	2011-10-14 09:46:29.214520965 -0400
Dan Walsh 2a89df
@@ -155,8 +155,11 @@ interface(`rpcbind_admin',`
Dan Walsh 2a89df
 		type rpcbind_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 rpcbind_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 rpcbind_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, rpcbind_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 rpcbind_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace serefpolicy-3.10.0/policy/modules/services/rtkit.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/rtkit.te.ptrace	2011-10-14 09:46:28.864527668 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/rtkit.te	2011-10-14 09:46:29.215520946 -0400
Dan Walsh 6554bb
@@ -15,7 +15,7 @@ init_system_domain(rtkit_daemon_t, rtkit
Dan Walsh 2a89df
 # rtkit_daemon local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
Dan Walsh 2a89df
+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice };
Dan Walsh 2a89df
 allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 kernel_read_system_state(rtkit_daemon_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace serefpolicy-3.10.0/policy/modules/services/rwho.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/rwho.if.ptrace	2011-10-14 09:46:28.864527668 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/rwho.if	2011-10-14 09:46:29.216520927 -0400
Dan Walsh 2a89df
@@ -138,8 +138,11 @@ interface(`rwho_admin',`
Dan Walsh 2a89df
 		type rwho_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 rwho_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 rwho_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, rwho_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 rwho_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace serefpolicy-3.10.0/policy/modules/services/samba.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/samba.if.ptrace	2011-10-14 09:46:28.866527629 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/samba.if	2011-10-14 09:46:29.216520927 -0400
Dan Walsh 6554bb
@@ -784,13 +784,18 @@ interface(`samba_admin',`
Dan Walsh 2a89df
 		type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 smbd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 smbd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, smbd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 smbd_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 nmbd_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 samba_unconfined_script_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 nmbd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 nmbd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, nmbd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 samba_unconfined_script_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 samba_unconfined_script_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, samba_unconfined_script_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	samba_run_smbcontrol($1, $2, $3)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace serefpolicy-3.10.0/policy/modules/services/samhain.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/samhain.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/samhain.if	2011-10-14 09:46:29.218520889 -0400
Dan Walsh 2a89df
@@ -271,10 +271,14 @@ interface(`samhain_admin',`
Dan Walsh 2a89df
 		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 samhain_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 samhain_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, samhain_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 samhain_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 samhaind_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 samhaind_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 samhaind_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, samhaind_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_list_var_lib($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace serefpolicy-3.10.0/policy/modules/services/sanlock.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/sanlock.if.ptrace	2011-10-14 09:46:28.870527552 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/sanlock.if	2011-10-14 09:46:29.218520889 -0400
Dan Walsh 2a89df
@@ -99,8 +99,11 @@ interface(`sanlock_admin',`
Dan Walsh 2a89df
 		type sanlock_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 sanlock_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 sanlock_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, sanlock_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 sanlock_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	sanlock_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace serefpolicy-3.10.0/policy/modules/services/sasl.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/sasl.if.ptrace	2011-10-14 09:46:28.871527533 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/sasl.if	2011-10-14 09:46:29.219520870 -0400
Dan Walsh 2a89df
@@ -42,8 +42,11 @@ interface(`sasl_admin',`
Dan Walsh 2a89df
 		type saslauthd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 saslauthd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 saslauthd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, saslauthd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 saslauthd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/sblim.if.ptrace	2011-10-14 09:46:28.873527495 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/sblim.if	2011-10-14 09:46:29.220520851 -0400
Dan Walsh 2a89df
@@ -65,11 +65,15 @@ interface(`sblim_admin',`
Dan Walsh 2a89df
 		type sblim_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 sblim_gatherd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 sblim_gatherd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, sblim_gatherd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 sblim_gatherd_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 sblim_reposd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 sblim_reposd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
-    ps_process_pattern($1, sblim_reposd_t)
Dan Walsh 2a89df
+	allow $1 sblim_reposd_t:process signal_perms;
Dan Walsh 2a89df
+	ps_process_pattern($1, sblim_reposd_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_search_pids($1)
Dan Walsh 2a89df
 	admin_pattern($1, sblim_var_run_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace serefpolicy-3.10.0/policy/modules/services/sblim.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/sblim.te.ptrace	2011-10-14 09:46:28.873527495 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/sblim.te	2011-10-14 09:46:29.221520832 -0400
Dan Walsh 6554bb
@@ -24,7 +24,7 @@ files_pid_file(sblim_var_run_t)
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 #needed by ps
Dan Walsh 2a89df
-allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
Dan Walsh 2a89df
+allow sblim_gatherd_t self:capability { kill dac_override };
Dan Walsh 2a89df
 allow sblim_gatherd_t self:process signal;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
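Review bot: The `#needed by ps` comment now sits above a capability set from which sys_ptrace has just been removed, so it no longer says which of the remaining capabilities ps needs or why sys_ptrace was judged unnecessary; it should be updated in the same change. If the reason is that ps only reads /proc files that do not require CAP_SYS_PTRACE for other users' processes, say so: `# needed by ps; sys_ptrace is not required for the /proc reads ps performs`. If sys_ptrace was dropped only to honour deny_ptrace, then the removal belongs under the tunable like the .if changes rather than here.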
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace serefpolicy-3.10.0/policy/modules/services/sendmail.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/sendmail.if.ptrace	2011-10-14 09:46:28.874527476 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/sendmail.if	2011-10-14 09:46:29.221520832 -0400
Dan Walsh 2a89df
@@ -334,10 +334,14 @@ interface(`sendmail_admin',`
Dan Walsh 2a89df
 		type mail_spool_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 sendmail_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 sendmail_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, sendmail_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 sendmail_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 unconfined_sendmail_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 unconfined_sendmail_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 unconfined_sendmail_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, unconfined_sendmail_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	sendmail_initrc_domtrans($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if.ptrace	2011-10-14 09:46:28.875527457 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/setroubleshoot.if	2011-10-14 09:46:29.222520812 -0400
Dan Walsh 2a89df
@@ -140,8 +140,11 @@ interface(`setroubleshoot_admin',`
Dan Walsh 2a89df
 		type setroubleshoot_var_lib_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 setroubleshootd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 setroubleshootd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, setroubleshootd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 setroubleshootd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	logging_list_logs($1)
Dan Walsh 2a89df
 	admin_pattern($1, setroubleshoot_var_log_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace serefpolicy-3.10.0/policy/modules/services/smartmon.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/smartmon.if.ptrace	2011-10-14 09:46:28.877527419 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/smartmon.if	2011-10-14 09:46:29.223520792 -0400
Dan Walsh 2a89df
@@ -42,8 +42,11 @@ interface(`smartmon_admin',`
Dan Walsh 2a89df
 		type fsdaemon_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 fsdaemon_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 fsdaemon_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, fsdaemon_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 smartmon_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
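Review bot: The added rule targets `smartmon_t`, but every other line in this hunk and the replaced original use `fsdaemon_t` as the daemon domain, and smartmon_t is not declared in the visible gen_require block. Unless smartmon_t is defined elsewhere in the module, this either fails to compile or grants ptrace to some other type while fsdaemon_t loses the ptrace permission the tunable is meant to preserve; the line should read `allow $1 fsdaemon_t:process ptrace;`. The enclosing smartmon_admin interface begins above this hunk.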
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace serefpolicy-3.10.0/policy/modules/services/smokeping.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/smokeping.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/smokeping.if	2011-10-14 09:46:29.224520773 -0400
Dan Walsh 2a89df
@@ -153,8 +153,11 @@ interface(`smokeping_admin',`
Dan Walsh 2a89df
 		type smokeping_t, smokeping_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 smokeping_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 smokeping_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, smokeping_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 smokeping_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	smokeping_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/snmp.if.ptrace	2011-10-14 09:46:28.880527360 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/snmp.if	2011-10-14 09:46:29.225520754 -0400
Dan Walsh 2a89df
@@ -168,8 +168,11 @@ interface(`snmp_admin',`
Dan Walsh 2a89df
 		type snmpd_var_lib_t, snmpd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 snmpd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 snmpd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, snmpd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 snmpd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace serefpolicy-3.10.0/policy/modules/services/snmp.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/snmp.te.ptrace	2011-10-14 09:46:28.880527360 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/snmp.te	2011-10-14 09:46:29.225520754 -0400
Dan Walsh 6554bb
@@ -26,7 +26,8 @@ files_type(snmpd_var_lib_t)
Dan Walsh 2a89df
 # Local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
Dan Walsh 2a89df
+allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config };
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 dontaudit snmpd_t self:capability { sys_module sys_tty_config };
Dan Walsh 2a89df
 allow snmpd_t self:process { signal_perms getsched setsched };
Dan Walsh 2a89df
 allow snmpd_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace serefpolicy-3.10.0/policy/modules/services/snort.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/snort.if.ptrace	2011-10-14 09:46:28.881527341 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/snort.if	2011-10-14 09:46:29.226520735 -0400
Dan Walsh 2a89df
@@ -41,8 +41,11 @@ interface(`snort_admin',`
Dan Walsh 2a89df
 		type snort_etc_t, snort_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 snort_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 snort_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, snort_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 snort_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, snort_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace serefpolicy-3.10.0/policy/modules/services/soundserver.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/soundserver.if.ptrace	2011-10-14 09:46:28.882527322 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/soundserver.if	2011-10-14 09:46:29.227520716 -0400
Dan Walsh 2a89df
@@ -37,8 +37,11 @@ interface(`soundserver_admin',`
Dan Walsh 2a89df
 		type soundd_tmp_t, soundd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 soundd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 soundd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, soundd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 soundd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace serefpolicy-3.10.0/policy/modules/services/spamassassin.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/spamassassin.if.ptrace	2011-10-14 09:46:28.883527303 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/spamassassin.if	2011-10-14 09:46:29.228520697 -0400
Dan Walsh 2a89df
@@ -27,12 +27,12 @@ interface(`spamassassin_role',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $2 spamassassin_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 spamassassin_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($2, spamassassin_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	domtrans_pattern($2, spamc_exec_t, spamc_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $2 spamc_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $2 spamc_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($2, spamc_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
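Review bot: Both rules in this hunk drop ptrace outright instead of moving it under the deny_ptrace tunable, which is the pattern every *_admin interface in this patch follows (spamassassin_spamd_admin in the next hunk included). The same unconditional removal appears in the two ssh_role_template hunks and for virt_domain in the second virt_admin hunk. If role-level interfaces are intended to lose ptrace entirely regardless of the boolean, a one-line comment at each site saying so would stop the next reader from treating it as an omission; otherwise wrap those rules in the same tunable_policy block the admin interfaces use. The enclosing spamassassin_role interface starts and ends outside the hunk.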
Dan Walsh 2a89df
@@ -337,8 +337,11 @@ interface(`spamassassin_spamd_admin',`
Dan Walsh 2a89df
 		type spamd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 spamd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 spamd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, spamd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 spamd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace serefpolicy-3.10.0/policy/modules/services/squid.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/squid.if.ptrace	2011-10-14 09:46:28.885527265 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/squid.if	2011-10-14 09:46:29.228520697 -0400
Dan Walsh 2a89df
@@ -209,8 +209,11 @@ interface(`squid_admin',`
Dan Walsh 2a89df
 		type squid_log_t, squid_var_run_t, squid_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 squid_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 squid_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, squid_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 squid_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, squid_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace serefpolicy-3.10.0/policy/modules/services/ssh.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/ssh.if.ptrace	2011-10-14 09:46:29.066523798 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ssh.if	2011-10-14 09:46:29.229520678 -0400
Dan Walsh 2a89df
@@ -367,7 +367,7 @@ template(`ssh_role_template',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# allow ps to show ssh
Dan Walsh 2a89df
 	ps_process_pattern($3, ssh_t)
Dan Walsh 2a89df
-	allow $3 ssh_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $3 ssh_t:process signal_perms;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# for rsync
Dan Walsh 2a89df
 	allow ssh_t $3:unix_stream_socket rw_socket_perms;
Dan Walsh 2a89df
@@ -402,7 +402,7 @@ template(`ssh_role_template',`
Dan Walsh 2a89df
 	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# Allow the user shell to signal the ssh program.
Dan Walsh 2a89df
-	allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $3 $1_ssh_agent_t:process signal_perms;
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# allow ps to show ssh
Dan Walsh 2a89df
 	ps_process_pattern($3, $1_ssh_agent_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace serefpolicy-3.10.0/policy/modules/services/sssd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/sssd.if.ptrace	2011-10-14 09:46:28.890527168 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/sssd.if	2011-10-14 09:46:29.230520659 -0400
Dan Walsh 2a89df
@@ -232,8 +232,11 @@ interface(`sssd_admin',`
Dan Walsh 2a89df
 		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 sssd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 sssd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, sssd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 sssd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	# Allow sssd_t to restart the apache service
Dan Walsh 2a89df
 	sssd_initrc_domtrans($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace serefpolicy-3.10.0/policy/modules/services/tcsd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/tcsd.if.ptrace	2011-10-14 09:46:28.895527073 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/tcsd.if	2011-10-14 09:46:29.231520640 -0400
Dan Walsh 2a89df
@@ -137,8 +137,11 @@ interface(`tcsd_admin',`
Dan Walsh 2a89df
 		type tcsd_var_lib_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 tcsd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 tcsd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, tcsd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 tcsd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	tcsd_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace serefpolicy-3.10.0/policy/modules/services/tftp.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/tftp.if.ptrace	2011-10-14 09:46:28.897527035 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/tftp.if	2011-10-14 09:46:29.231520640 -0400
Dan Walsh 2a89df
@@ -109,8 +109,11 @@ interface(`tftp_admin',`
Dan Walsh 2a89df
 		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 tftpd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 tftpd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, tftpd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 tftp_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_list_var_lib($1)
Dan Walsh 2a89df
 	admin_pattern($1, tftpdir_rw_t)
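Review bot: The tunable grants ptrace on `tftp_t`, but the domain this interface manages is `tftpd_t` — that is the type listed in the visible gen_require and the one used by the signal_perms and ps_process_pattern lines just above. `tftp_t` is not declared in the visible gen_require, so the module build will presumably fail on an undeclared type, or, if the type exists elsewhere, the admin domain is granted ptrace over a different domain than intended. The line should read `allow $1 tftpd_t:process ptrace;`. The rest of tftp_admin lies outside the hunk.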
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace serefpolicy-3.10.0/policy/modules/services/tor.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/tor.if.ptrace	2011-10-14 09:46:28.899526997 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/tor.if	2011-10-14 09:46:29.232520621 -0400
Dan Walsh 2a89df
@@ -42,8 +42,11 @@ interface(`tor_admin',`
Dan Walsh 2a89df
 		type tor_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 tor_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 tor_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, tor_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 tor_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, tor_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace serefpolicy-3.10.0/policy/modules/services/tuned.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/tuned.if.ptrace	2011-10-14 09:46:28.900526978 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/tuned.if	2011-10-14 09:46:29.233520602 -0400
Dan Walsh 2a89df
@@ -115,8 +115,11 @@ interface(`tuned_admin',`
Dan Walsh 2a89df
 		type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 tuned_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 tuned_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, tuned_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 tuned_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	tuned_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace serefpolicy-3.10.0/policy/modules/services/ulogd.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/ulogd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/ulogd.if	2011-10-14 09:46:29.234520583 -0400
Dan Walsh 2a89df
@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
Dan Walsh 2a89df
 		type ulogd_var_log_t, ulogd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 ulogd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 ulogd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, ulogd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 ulogd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace serefpolicy-3.10.0/policy/modules/services/uucp.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/uucp.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/uucp.if	2011-10-14 09:46:29.234520583 -0400
Dan Walsh 2a89df
@@ -99,8 +99,11 @@ interface(`uucp_admin',`
Dan Walsh 2a89df
 		type uucpd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 uucpd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 uucpd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, uucpd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 uucpd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	logging_list_logs($1)
Dan Walsh 2a89df
 	admin_pattern($1, uucpd_log_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace serefpolicy-3.10.0/policy/modules/services/uuidd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/uuidd.if.ptrace	2011-10-14 09:46:28.906526862 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/uuidd.if	2011-10-14 09:46:29.235520564 -0400
Dan Walsh 2a89df
@@ -177,8 +177,11 @@ interface(`uuidd_admin',`
Dan Walsh 2a89df
 	type uuidd_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 uuidd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 uuidd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, uuidd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 uuidd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	uuidd_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace serefpolicy-3.10.0/policy/modules/services/varnishd.if
Dan Walsh 2a89df
--- serefpolicy-3.10.0/policy/modules/services/varnishd.if.ptrace	2011-06-27 14:18:04.000000000 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/varnishd.if	2011-10-14 09:46:29.236520544 -0400
Dan Walsh 2a89df
@@ -155,8 +155,11 @@ interface(`varnishd_admin_varnishlog',`
Dan Walsh 2a89df
 		type varnishlog_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 varnishlog_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 varnishlog_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, varnishlog_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 varnishd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
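Review bot: In varnishd_admin_varnishlog the tunable grants ptrace on `varnishd_t` while the signal_perms rule and ps_process_pattern above it target `varnishlog_t`; the second hunk of this file (varnishd_admin) correctly uses varnishd_t, so this looks like a copy-paste slip. The visible part of this interface's gen_require only lists a varnishlog type, so referencing varnishd_t here may also fail the build if it is not required. The line should read `allow $1 varnishlog_t:process ptrace;`. The enclosing interface starts outside the hunk.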
Dan Walsh 2a89df
@@ -194,8 +197,11 @@ interface(`varnishd_admin',`
Dan Walsh 2a89df
 		type varnishd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 varnishd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 varnishd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, varnishd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 varnishd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace serefpolicy-3.10.0/policy/modules/services/vdagent.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/vdagent.if.ptrace	2011-10-14 09:46:28.908526824 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/vdagent.if	2011-10-14 09:46:29.236520544 -0400
Dan Walsh 2a89df
@@ -118,8 +118,11 @@ interface(`vdagent_admin',`
Dan Walsh 2a89df
                 type vdagent_var_run_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 vdagent_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 vdagent_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, vdagent_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 vdagent_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_search_pids($1)
Dan Walsh 2a89df
 	admin_pattern($1, vdagent_var_run_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vhostmd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/vhostmd.if.ptrace	2011-10-14 09:46:28.909526805 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/vhostmd.if	2011-10-14 09:46:29.237520524 -0400
Dan Walsh 2a89df
@@ -210,8 +210,11 @@ interface(`vhostmd_admin',`
Dan Walsh 2a89df
 		type vhostmd_t, vhostmd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 vhostmd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 vhostmd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, vhostmd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 vhostmd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	vhostmd_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace serefpolicy-3.10.0/policy/modules/services/virt.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/virt.if.ptrace	2011-10-14 09:46:28.911526767 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/virt.if	2011-10-14 09:46:29.238520505 -0400
Dan Walsh 2a89df
@@ -618,10 +618,14 @@ interface(`virt_admin',`
Dan Walsh 2a89df
 		type virt_lxc_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 virtd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 virtd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, virtd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 virtd_t:process ptrace;
Dan Walsh 2a89df
+		allow $1 virt_lxc_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 virt_lxc_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 virt_lxc_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, virt_lxc_t)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
Dan Walsh 2a89df
@@ -637,7 +641,7 @@ interface(`virt_admin',`
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	virt_manage_images($1)
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 virt_domain:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 virt_domain:process signal_perms;
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 ########################################
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace serefpolicy-3.10.0/policy/modules/services/virt.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/virt.te.ptrace	2011-10-14 09:46:29.010524870 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-14 09:46:29.239520486 -0400
Dan Walsh 6554bb
@@ -247,7 +247,7 @@ optional_policy(`
Dan Walsh 2a89df
 # virtd local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
Dan Walsh 2a89df
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
Dan Walsh 2a89df
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
Dan Walsh 2a89df
 ifdef(`hide_broken_symptoms',`
Dan Walsh 2a89df
 	# caused by some bogus kernel code
Dan Walsh 6554bb
@@ -838,7 +838,6 @@ optional_policy(`
Dan Walsh 6554bb
 # virt_lxc_domain local policy
Dan Walsh 6554bb
 #
Dan Walsh 6554bb
 allow svirt_lxc_domain self:capability { setuid setgid dac_override };
Dan Walsh 6554bb
-dontaudit svirt_lxc_domain self:capability sys_ptrace;
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 allow virtd_t svirt_lxc_domain:process { signal_perms };
Dan Walsh 6554bb
 allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace serefpolicy-3.10.0/policy/modules/services/vnstatd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/vnstatd.if.ptrace	2011-10-14 09:46:28.915526689 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/vnstatd.if	2011-10-14 09:46:29.240520467 -0400
Dan Walsh 2a89df
@@ -136,8 +136,11 @@ interface(`vnstatd_admin',`
Dan Walsh 2a89df
 		type vnstatd_t, vnstatd_var_lib_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 vnstatd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 vnstatd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, vnstatd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 vnstatd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	files_list_var_lib($1)
Dan Walsh 2a89df
 	admin_pattern($1, vnstatd_var_lib_t)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace serefpolicy-3.10.0/policy/modules/services/wdmd.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/wdmd.if.ptrace	2011-10-14 09:46:28.917526651 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/wdmd.if	2011-10-14 09:46:29.241520448 -0400
Dan Walsh 2a89df
@@ -62,8 +62,11 @@ interface(`wdmd_admin',`
Dan Walsh 2a89df
 		type wdmd_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 wdmd_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 wdmd_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, wdmd_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 wdmd_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	wdmd_initrc_domtrans($1)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace serefpolicy-3.10.0/policy/modules/services/xserver.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/xserver.te.ptrace	2011-10-14 09:46:29.069523739 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/xserver.te	2011-10-14 09:46:29.242520429 -0400
Dan Walsh 6554bb
@@ -417,8 +417,13 @@ optional_policy(`
Dan Walsh 2a89df
 # XDM Local policy
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace };
Dan Walsh 2a89df
-allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate ptrace };
Dan Walsh 2a89df
+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
Dan Walsh 2a89df
+
Dan Walsh 2a89df
+allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate };
Dan Walsh 6554bb
+tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+	allow xdm_t self:process ptrace;
Dan Walsh 2a89df
+')
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 allow xdm_t self:fifo_file rw_fifo_file_perms;
Dan Walsh 2a89df
 allow xdm_t self:shm create_shm_perms;
Dan Walsh 2a89df
 allow xdm_t self:sem create_sem_perms;
Dan Walsh 6554bb
@@ -929,7 +934,8 @@ allow xserver_t input_xevent_t:x_event s
Dan Walsh 2a89df
 # execheap needed until the X module loader is fixed.
Dan Walsh 2a89df
 # NVIDIA Needs execstack
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
Dan Walsh 2a89df
+allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 dontaudit xserver_t self:capability chown;
Dan Walsh 2a89df
 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
Dan Walsh 2a89df
 allow xserver_t self:fd use;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace serefpolicy-3.10.0/policy/modules/services/zabbix.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/zabbix.if.ptrace	2011-10-14 09:46:28.923526537 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/zabbix.if	2011-10-14 09:46:29.243520410 -0400
Dan Walsh 2a89df
@@ -142,8 +142,11 @@ interface(`zabbix_admin',`
Dan Walsh 2a89df
 		type zabbix_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 zabbix_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 zabbix_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, zabbix_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 zabbix_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace serefpolicy-3.10.0/policy/modules/services/zebra.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/services/zebra.if.ptrace	2011-10-14 09:46:28.926526478 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/services/zebra.if	2011-10-14 09:46:29.244520391 -0400
Dan Walsh 2a89df
@@ -64,8 +64,11 @@ interface(`zebra_admin',`
Dan Walsh 2a89df
 		type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 zebra_t:process { ptrace signal_perms };
Dan Walsh 2a89df
+	allow $1 zebra_t:process signal_perms;
Dan Walsh 2a89df
 	ps_process_pattern($1, zebra_t)
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 zebra_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
Dan Walsh 2a89df
 	domain_system_change_exemption($1)
Dan Walsh 6554bb
diff -up serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace serefpolicy-3.10.0/policy/modules/system/hotplug.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/system/hotplug.te.ptrace	2011-10-14 09:46:28.938526248 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/system/hotplug.te	2011-10-14 09:46:29.245520372 -0400
Dan Walsh 6554bb
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
Dan Walsh 6554bb
 #
Dan Walsh 6554bb
 
Dan Walsh 6554bb
 allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
Dan Walsh 6554bb
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
Dan Walsh 6554bb
+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
Dan Walsh 6554bb
 # for access("/etc/bashrc", X_OK) on Red Hat
Dan Walsh 6554bb
 dontaudit hotplug_t self:capability { dac_override dac_read_search };
Dan Walsh 6554bb
 allow hotplug_t self:process { setpgid getsession getattr signal_perms };
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/system/init.if.ptrace serefpolicy-3.10.0/policy/modules/system/init.if
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/system/init.if.ptrace	2011-10-14 09:46:28.940526210 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/system/init.if	2011-10-14 09:46:29.246520353 -0400
Dan Walsh 2a89df
@@ -1123,7 +1123,9 @@ interface(`init_ptrace',`
Dan Walsh 2a89df
 		type init_t;
Dan Walsh 2a89df
 	')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
-	allow $1 init_t:process ptrace;
Dan Walsh 6554bb
+	tunable_policy(`deny_ptrace',`',`
Dan Walsh 2a89df
+		allow $1 init_t:process ptrace;
Dan Walsh 2a89df
+	')
Dan Walsh 2a89df
 ')
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 ########################################
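Review bot: init_ptrace now grants ptrace only when the deny_ptrace boolean is off, but the interface's XML summary block (above the hunk, outside my view) still presumably describes it as an unconditional grant. Callers of init_ptrace elsewhere in the policy will silently lose the permission when the boolean is set, so the doc comment should say so, e.g. `## Ptrace init. Only granted when the deny_ptrace boolean is off.` The same applies to every *_admin interface changed in this patch whose summary does not mention the tunable.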
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/system/init.te.ptrace serefpolicy-3.10.0/policy/modules/system/init.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/system/init.te.ptrace	2011-10-14 09:46:29.044524218 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/system/init.te	2011-10-14 09:46:29.247520334 -0400
Dan Walsh 2a89df
@@ -121,7 +121,7 @@ ifdef(`enable_mls',`
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 # Use capabilities. old rule:
Dan Walsh 2a89df
-allow init_t self:capability ~{ audit_control audit_write sys_module };
Dan Walsh 2a89df
+allow init_t self:capability ~{ sys_ptrace audit_control audit_write sys_module };
Dan Walsh 2a89df
 # is ~sys_module really needed? observed:
Dan Walsh 2a89df
 # sys_boot
Dan Walsh 2a89df
 # sys_tty_config
Dan Walsh 6554bb
@@ -408,7 +408,8 @@ optional_policy(`
Dan Walsh 2a89df
 #
Dan Walsh 2a89df
 
Dan Walsh 2a89df
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
Dan Walsh 2a89df
-allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
Dan Walsh 2a89df
+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
Dan Walsh 2a89df
+
Dan Walsh 2a89df
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
Dan Walsh 2a89df
 allow initrc_t self:passwd rootok;
Dan Walsh 2a89df
 allow initrc_t self:key manage_key_perms;
Dan Walsh 2a89df
diff -up serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace serefpolicy-3.10.0/policy/modules/system/ipsec.te
Dan Walsh e29441
--- serefpolicy-3.10.0/policy/modules/system/ipsec.te.ptrace	2011-10-14 09:46:28.944526134 -0400
Dan Walsh e29441
+++ serefpolicy-3.10.0/policy/modules/system/ipsec.te	2011-10-14 09:46:29.248520315 -0400
Dan Walsh 6554bb
@@ -73,7 +73,7 @@ role system_r types setkey_t;
 #
 
 allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
+dontaudit ipsec_t self:capability sys_tty_config;
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
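Review bot: Narrowing `dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };` to `sys_tty_config` is not conditioned on deny_ptrace, so any sys_ptrace attempt by ipsec_t is now logged as an AVC denial whatever the tunable's setting, and the third hunk of this file deletes the comment that explained the silenced attempts came from lsof. If surfacing those denials as a signal is the intent, keep that rationale in a comment, e.g. `# sys_ptrace denials (lsof) are deliberately left audited`; if not, the dontaudit should be re-added under the deny_ptrace-off branch, the same way the ptrace allows are. The same unconditional dontaudit removal appears in the next two hunks of this file and in iscsi.te, sysnetwork.te and xen.te.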
@@ -193,8 +193,8 @@ optional_policy(`
 #
 
 allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_mgmt_t self:udp_socket create_socket_perms;
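Review bot: `ptrace` is dropped from `allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };` without the `tunable_policy(`deny_ptrace',`',` ... ')` re-grant that mount_t, dhcpc_t and udev_t receive elsewhere in this patch, so ipsec_mgmt_t loses self ptrace even when the tunable is off. If that is deliberate, a comment on the line would stop it being read as an oversight, e.g. `# ptrace removed unconditionally, not gated by deny_ptrace`; otherwise add the gated `allow ipsec_mgmt_t self:process ptrace;` block for consistency with the other daemons.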
@@ -251,9 +251,6 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
 kernel_getattr_core_if(ipsec_mgmt_t)
 kernel_getattr_message_if(ipsec_mgmt_t)
 
-# don't audit using of lsof
-dontaudit ipsec_mgmt_t self:capability sys_ptrace;
-
 domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
 domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
 
diff -up serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace serefpolicy-3.10.0/policy/modules/system/iscsi.te
--- serefpolicy-3.10.0/policy/modules/system/iscsi.te.ptrace	2011-10-14 09:46:28.946526096 -0400
+++ serefpolicy-3.10.0/policy/modules/system/iscsi.te	2011-10-14 09:46:29.249520296 -0400
@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
 #
 
 allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
-dontaudit iscsid_t self:capability sys_ptrace;
 allow iscsid_t self:process { setrlimit setsched signal };
 allow iscsid_t self:fifo_file rw_fifo_file_perms;
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
diff -up serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace serefpolicy-3.10.0/policy/modules/system/locallogin.te
--- serefpolicy-3.10.0/policy/modules/system/locallogin.te.ptrace	2011-10-14 09:46:28.951525999 -0400
+++ serefpolicy-3.10.0/policy/modules/system/locallogin.te	2011-10-14 09:46:29.249520296 -0400
@@ -35,7 +35,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_ptrace sys_resource sys_tty_config };
+allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
 allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
diff -up serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace serefpolicy-3.10.0/policy/modules/system/logging.if
--- serefpolicy-3.10.0/policy/modules/system/logging.if.ptrace	2011-10-14 09:46:28.952525980 -0400
+++ serefpolicy-3.10.0/policy/modules/system/logging.if	2011-10-14 09:46:29.250520277 -0400
@@ -1095,9 +1095,13 @@ interface(`logging_admin_audit',`
 		type auditd_initrc_exec_t;
 	')
 
-	allow $1 auditd_t:process { ptrace signal_perms };
+	allow $1 auditd_t:process signal_perms;
 	ps_process_pattern($1, auditd_t)
 
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 auditd_t:process ptrace;
+	')
+
 	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
 
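Review bot: The `## <desc>` block of logging_admin_audit, above this hunk, is not updated, so a policy author reading the interface documentation has no way to know that the ptrace permission it grants now depends on a global tunable. Add a line to the description such as `## Ptrace access to auditd_t is granted only while the deny_ptrace tunable is off.` The same omission applies to logging_admin_syslog in the next hunk and to userdom_ptrace_all_users in userdomain.if, whose name now promises more than it grants under the tunable; all three interface bodies start outside their hunks.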
@@ -1142,10 +1146,14 @@ interface(`logging_admin_syslog',`
 	')
 
 	allow $1 self:capability2 syslog;
-	allow $1 syslogd_t:process { ptrace signal_perms };
-	allow $1 klogd_t:process { ptrace signal_perms };
+	allow $1 syslogd_t:process signal_perms;
+	allow $1 klogd_t:process signal_perms;
 	ps_process_pattern($1, syslogd_t)
 	ps_process_pattern($1, klogd_t)
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 syslogd_t:process ptrace;
+		allow $1 klogd_t:process ptrace;
+	')
 
 	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
 	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)
diff -up serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace serefpolicy-3.10.0/policy/modules/system/mount.te
--- serefpolicy-3.10.0/policy/modules/system/mount.te.ptrace	2011-10-14 09:46:28.962525788 -0400
+++ serefpolicy-3.10.0/policy/modules/system/mount.te	2011-10-14 09:46:29.251520257 -0400
@@ -48,7 +48,11 @@ role system_r types showmount_t;
 
 # setuid/setgid needed to mount cifs 
 allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid };
-allow mount_t self:process { getcap getsched ptrace setcap setrlimit signal };
+allow mount_t self:process { getcap getsched setcap setrlimit signal };
+tunable_policy(`deny_ptrace',`',`
+	allow mount_t self:process ptrace;
+')
+
 allow mount_t self:fifo_file rw_fifo_file_perms;
 allow mount_t self:unix_stream_socket create_stream_socket_perms;
 allow mount_t self:unix_dgram_socket create_socket_perms; 
diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace serefpolicy-3.10.0/policy/modules/system/sysnetwork.te
--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.ptrace	2011-10-14 09:46:28.970525636 -0400
+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te	2011-10-14 09:46:29.252520237 -0400
@@ -51,10 +51,13 @@ files_config_file(net_conf_t)
 # DHCP client local policy
 #
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
+dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms };
+tunable_policy(`deny_ptrace',`',`
+	allow dhcpc_t self:process ptrace;
+')
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace serefpolicy-3.10.0/policy/modules/system/udev.te
--- serefpolicy-3.10.0/policy/modules/system/udev.te.ptrace	2011-10-14 09:46:28.974525558 -0400
+++ serefpolicy-3.10.0/policy/modules/system/udev.te	2011-10-14 09:46:29.252520237 -0400
@@ -34,7 +34,7 @@ ifdef(`enable_mcs',`
 # Local policy
 #
 
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
 dontaudit udev_t self:capability sys_tty_config;
 
 ifdef(`hide_broken_symptoms',`
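Review bot: The rewritten `allow udev_t self:capability { ... }` line still lists `sys_nice` twice (once after `net_admin`, once again at the end after `setgid`); since the line is being edited anyway, drop the trailing duplicate so the set reads cleanly and a later diff of this line stays small. Note also that the sys_ptrace removal here is unconditional, which is a different treatment from the gated `tunable_policy(`deny_ptrace', ...)` blocks used for the process class in the next hunk of this file; a short comment on this line, e.g. `# sys_ptrace is not restored by deny_ptrace`, would make that asymmetry explicit if it is intended.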
@@ -42,7 +42,11 @@ ifdef(`hide_broken_symptoms',`
 	dontaudit udev_t self:capability sys_module;
 ')
 
-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+tunable_policy(`deny_ptrace',`',`
+	allow udev_t self:process ptrace;
+')
+
 allow udev_t self:process { execmem setfscreate };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
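Review bot: The gated `allow udev_t self:process ptrace;` restores process-class ptrace when deny_ptrace is off, but the previous hunk of this file removes `sys_ptrace` from `allow udev_t self:capability { ... }` with no matching gated grant, so turning the tunable off returns only half of what udev_t had before this patch. If the pre-patch behaviour is meant to come back with the tunable off, this block should also carry `allow udev_t self:capability sys_ptrace;`, the way unconfined_domain_noaudit and userdom_admin_user_template do in this same patch; if the capability is meant to be gone for good, a one-line comment on the block saying so would keep the two hunks from looking inconsistent.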
diff -up serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace serefpolicy-3.10.0/policy/modules/system/unconfined.if
--- serefpolicy-3.10.0/policy/modules/system/unconfined.if.ptrace	2011-10-14 09:46:28.992525214 -0400
+++ serefpolicy-3.10.0/policy/modules/system/unconfined.if	2011-10-14 09:46:29.253520218 -0400
@@ -18,7 +18,12 @@ interface(`unconfined_domain_noaudit',`
 	')
 
 	# Use any Linux capability.
-	allow $1 self:capability ~sys_module;
+
+	allow $1 self:capability ~{ sys_module sys_ptrace };
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 self:capability sys_ptrace;
+	')
+
 	allow $1 self:capability2 syslog;
 	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 
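Review bot: The comment `# Use any Linux capability.` no longer describes the rule under it, which now excludes sys_module and sys_ptrace and hands sys_ptrace back only while deny_ptrace is off; the blank line the hunk inserts directly after the comment also detaches it from that rule. Drop the added blank line and reword the comment, e.g. `# Use any Linux capability except sys_module; sys_ptrace is gated by deny_ptrace.` The body of unconfined_domain_noaudit starts outside the hunk.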
diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace serefpolicy-3.10.0/policy/modules/system/userdomain.if
--- serefpolicy-3.10.0/policy/modules/system/userdomain.if.ptrace	2011-10-14 09:46:29.071523701 -0400
+++ serefpolicy-3.10.0/policy/modules/system/userdomain.if	2011-10-14 09:46:29.255520180 -0400
@@ -40,7 +40,10 @@ template(`userdom_base_user_template',`
 	role $1_r types $1_t;
 	allow system_r $1_r;
 
-	allow $1_usertype $1_usertype:process { ptrace signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+	allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };
+	tunable_policy(`deny_ptrace',`',`
+		allow $1_usertype $1_usertype:process ptrace;
+	')
 	allow $1_usertype $1_usertype:fd use;
 	allow $1_usertype $1_usertype:key { create view read write search link setattr };
 
@@ -594,7 +597,7 @@ template(`userdom_login_user_template',
 	allow $1_t self:capability { setgid chown fowner };
 	dontaudit $1_t self:capability { sys_nice fsetid };
 
-	allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap };
+	allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 	dontaudit $1_t self:process setrlimit;
 	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
 
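Review bot: `ptrace` is added to the excluded set on `allow $1_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };` with no gated re-grant in this hunk, whereas the first hunk of this file restores `$1_usertype $1_usertype:process ptrace` under deny_ptrace. Whether $1_t is covered by that $1_usertype rule cannot be seen from here; if it is, a comment such as `# self ptrace for $1_t comes from the $1_usertype rule, gated by deny_ptrace` would make the dependency explicit, and if it is not, login users lose self ptrace even with the tunable off. The body of userdom_login_user_template starts outside the hunk.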
@@ -1052,7 +1055,10 @@ template(`userdom_admin_user_template',`
 	# $1_t local policy
 	#
 
-	allow $1_t self:capability ~{ sys_module audit_control audit_write };
+	allow $1_t self:capability ~{ sys_ptrace sys_module audit_control audit_write };
+	tunable_policy(`deny_ptrace',`',`
+		allow $1_t self:capability sys_ptrace;
+	')
 	allow $1_t self:capability2 syslog;
 	allow $1_t self:process { setexec setfscreate };
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
@@ -3657,7 +3663,9 @@ interface(`userdom_ptrace_all_users',`
 		attribute userdomain;
 	')
 
-	allow $1 userdomain:process ptrace;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 userdomain:process ptrace;
+	')
 ')
 
 ########################################
diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace serefpolicy-3.10.0/policy/modules/system/xen.te
--- serefpolicy-3.10.0/policy/modules/system/xen.te.ptrace	2011-10-14 09:46:28.984525366 -0400
+++ serefpolicy-3.10.0/policy/modules/system/xen.te	2011-10-14 09:46:29.256520161 -0400
@@ -206,7 +206,6 @@ tunable_policy(`xend_run_qemu',`
 #
 
 allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
-dontaudit xend_t self:capability { sys_ptrace };
 allow xend_t self:process { signal sigkill };
 dontaudit xend_t self:process ptrace;
 # internal communication is often done using fifo and unix sockets.
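Review bot: Removing `dontaudit xend_t self:capability { sys_ptrace };` while leaving `dontaudit xend_t self:process ptrace;` two lines below splits xend_t's ptrace handling: capability denials are now logged, but process-class ptrace denials remain silent, so an operator watching for ptrace activity from this domain sees only half of it. Either both should be audited or both silenced; if the asymmetry is intentional, a comment on the surviving line, e.g. `# process ptrace stays unaudited; sys_ptrace denials are now logged`, would stop a later reader from "fixing" it in either direction.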