On Wed, 2008-06-25 at 17:31 +0100, Martin Orr wrote:
> Some dpkg maintainer scripts run pidof, which needs the sys_ptrace capability.
>
> Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc: denied { sys_ptrace } for pid=4214 comm="pidof" capability=19 scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability

Seems odd, since the ptrace process permission is not allowed. Does it work without this in enforcing?

> plain text document attachment (118_dpkg_script_pidof)
> Written by: Martin Orr
>
> Allow dpkg scripts to run pidof
>
> Mar 17 15:14:31 caligula kernel: audit(1205766871.788:13): avc: denied { sys_ptrace } for pid=4214 comm="pidof" capability=19 scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability
>
> Index: policy/modules/admin/dpkg.te
> ===================================================================
> --- policy/modules/admin/dpkg.te.orig
> +++ policy/modules/admin/dpkg.te
> @@ -216,7 +216,7 @@
>  #
>  # TODO: actually use dpkg_script_t
>  
> -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
> +allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill sys_ptrace };
>  allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
>  allow dpkg_script_t self:fd use;
>  allow dpkg_script_t self:fifo_file rw_fifo_file_perms;

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
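Review bot: The `+allow dpkg_script_t self:capability { ... sys_ptrace }` line grants a broad capability on the strength of a single AVC denial, while the very next context line, `allow dpkg_script_t self:process ~{ ptrace ... }`, still withholds the `ptrace` process permission, so the patch as written is inconsistent with its own neighbourhood and the denial may well be harmless. pidof walks /proc and probes sys_ptrace opportunistically; the audit message shows only `tclass=capability`, not a failed read that actually stopped the script. Before widening the capability set, please confirm the maintainer scripts fail in enforcing mode without it; if they do not, a `dontaudit dpkg_script_t self:capability sys_ptrace;` line is the smaller change and keeps the log quiet without extending what dpkg_script_t can do to other processes. If the capability is genuinely required, the commit message should say which script breaks and how, since "allow dpkg scripts to run pidof" does not justify the grant on its own.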