diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index 328302d..303ba6c 100644 --- a/policy/modules/services/bluetooth.if +++ b/policy/modules/services/bluetooth.if @@ -27,7 +27,7 @@ interface(`bluetooth_role',` # allow ps to show cdrecord and allow the user to kill it ps_process_pattern($2, bluetooth_helper_t) - allow $2 bluetooth_helper_t:process signal; + allow $2 bluetooth_helper_t:process { ptrace signal_perms }; manage_dirs_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) manage_files_pattern($2, bluetooth_helper_tmp_t, bluetooth_helper_tmp_t) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 72a174a..f17a4c2 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -138,7 +138,7 @@ interface(`cron_role',` # crontab shows up in user ps ps_process_pattern($2, crontab_t) - allow $2 crontab_t:process signal; + allow $2 crontab_t:process { ptrace signal_perms }; # Run helper programs as the user domain #corecmd_bin_domtrans(crontab_t, $2) @@ -180,6 +180,7 @@ interface(`cron_unconfined_role',` # cronjob shows up in user ps ps_process_pattern($2, unconfined_cronjob_t) + allow $2 unconfined_cronjob_t:process { ptrace signal_perms }; optional_policy(` gen_require(` @@ -225,7 +226,7 @@ interface(`cron_admin_role',` # crontab shows up in user ps ps_process_pattern($2, admin_crontab_t) - allow $2 admin_crontab_t:process signal; + allow $2 admin_crontab_t:process { ptrace signal_perms }; # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 7852441..dc7ff5a 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -90,14 +90,15 @@ template(`dbus_role_template',` files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir }) domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t) - allow $3 $1_dbusd_t:process { signull sigkill signal }; + + ps_process_pattern($3, $1_dbusd_t) + allow $3 $1_dbusd_t:process { ptrace signal_perms }; # cjp: this seems very broken corecmd_bin_domtrans($1_dbusd_t, $1_t) allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; - allow $3 $1_dbusd_t:process sigchld; kernel_read_system_state($1_dbusd_t) kernel_read_kernel_sysctls($1_dbusd_t)