From 2f4dfeb4256cbc5fdec6ca70ef2e17754d671968 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Oct 12 2011 14:13:18 +0000
Subject: Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system Remove 2000 dontaudit rules between confined domains on transition and replace with single dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
---
diff --git a/dontaudit.patch b/dontaudit.patch
deleted file mode 100644
index 73d1ac9..0000000
--- a/dontaudit.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index db2a183..02cf550 100644
---- a/policy/modules/kernel/domain.te
-+++ b/policy/modules/kernel/domain.te
-@@ -312,3 +312,5 @@ optional_policy(`
- optional_policy(`
- seutil_dontaudit_read_config(domain)
- ')
-+
-+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
-diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
-index 823794e..18e1b2f 100644
---- a/policy/support/misc_patterns.spt
-+++ b/policy/support/misc_patterns.spt
-@@ -4,7 +4,7 @@
- define(`domain_transition_pattern',`
- allow $1 $2:file { getattr open read execute };
- allow $1 $3:process transition;
-- dontaudit $1 $3:process { noatsecure siginh rlimitinh };
-+# dontaudit $1 $3:process { noatsecure siginh rlimitinh };
- ')
- 
- # compatibility:
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 93631ef..18e473b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -29,7 +29,6 @@ patch4: execmem.patch
 patch5: userdomain.patch
 patch6: apache.patch
 patch7: ptrace.patch
-patch8: dontaudit.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -250,7 +249,6 @@ Based off of reference policy: Checked out revision 2.20091117
 %patch5 -p1 -b .userdomain
 %patch6 -p1 -b .apache
 %patch7 -p1 -b .ptrace
-%patch8 -p1 -b .dontaudit
 
 %install
 mkdir selinux_config