Some dpkg maintainer scripts run pidof, which needs the sys_ptrace capability. Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc: denied { sys_ptrace } for pid=4214 comm="pidof" capability=19 scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability -- Martin Orr
Written by: Martin Orr Allow dpkg scripts to run pidof Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc: denied { sys_ptrace } for pid=4214 comm="pidof" capability=19 scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability Index: policy/modules/admin/dpkg.te =================================================================== --- policy/modules/admin/dpkg.te.orig +++ policy/modules/admin/dpkg.te @@ -216,7 +216,7 @@ # # TODO: actually use dpkg_script_t -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; +allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill sys_ptrace }; allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow dpkg_script_t self:fd use; allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
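Review bot: the capability grant in this hunk is broader than the need the header describes, and it deserves a comment in policy/modules/admin/dpkg.te explaining why it is there. The audit line shows a single denial of `sys_ptrace` for comm="pidof", yet the change adds the capability to the whole `dpkg_script_t self:capability` set, so every maintainer script running in that domain gains it, not just pidof. Note that the unchanged line `allow dpkg_script_t self:process ~{ ptrace ... }` still withholds the `ptrace` process permission, so this does not let scripts attach to other processes; it only satisfies the capability check pidof trips while inspecting /proc. Before merging, confirm whether pidof actually fails without the capability or merely logs the denial while still returning correct results; if the latter, a `dontaudit` of `sys_ptrace` would silence the log without widening the domain. The surrounding `# TODO: actually use dpkg_script_t` comment suggests this domain is not yet enforced in practice, which is a further reason to record the rationale now rather than carry an unexplained capability into the eventual enforcing policy.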