diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 7b02f86..68a7db8 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -339,7 +339,7 @@ template(`ssh_role_template',`
 # allow ps to show ssh
 ps_process_pattern($3, ssh_t)
- allow $3 ssh_t:process signal;
+ allow $3 ssh_t:process { ptrace signal_perms };
 # for rsync
 allow ssh_t $3:unix_stream_socket rw_socket_perms;
@@ -372,7 +372,7 @@ template(`ssh_role_template',`
 stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
 # Allow the user shell to signal the ssh program.
- allow $3 $1_ssh_agent_t:process signal;
+ allow $3 $1_ssh_agent_t:process { ptrace signal_perms };
 # allow ps to show ssh
 ps_process_pattern($3, $1_ssh_agent_t)
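Review bot: Granting `ptrace` on `ssh_t` (first hunk) and on `$1_ssh_agent_t` (second hunk) lets every user domain passed as `$3` read and alter the memory of the ssh client and the agent, which is where decrypted private keys and session secrets are held, so the separate agent domain no longer protects them from a compromised user process. The widening from `signal` to `signal_perms` looks independent of that and could stay unconditional as `allow $3 $1_ssh_agent_t:process signal_perms;` (likewise for `ssh_t`), with the ptrace rule moved into a `tunable_policy` block that defaults off, if the policy has a suitable tunable for user-domain debugging. The comment `# Allow the user shell to signal the ssh program.` no longer describes the rule beneath it and should say that ptrace is granted and why. Both rules sit inside `ssh_role_template`, whose body starts and ends outside these hunks, so any existing conditional around them is not visible here.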