From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
Signed-off-by: Dan Walsh <dwalsh@xxxxxxxxxx>
---
 python/sepolicy/sepolicy/templates/executable.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py
index 0db6b9cc..4cc5bfa4 100644
--- a/python/sepolicy/sepolicy/templates/executable.py
+++ b/python/sepolicy/sepolicy/templates/executable.py
@@ -419,8 +419,12 @@ interface(`TEMPLATETYPE_admin',`
 if_middle_admin="""
 ')
- allow $1 TEMPLATETYPE_t:process { ptrace signal_perms };
+ allow $1 TEMPLATETYPE_t:process { signal_perms };
 ps_process_pattern($1, TEMPLATETYPE_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 TEMPLATETYPE_t:process ptrace;
+ ')
 """
 if_initscript_admin_types="""
--
2.12.2
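Review bot: The tunable_policy block added to `if_middle_admin` makes every generated `TEMPLATETYPE_admin` interface depend on a `deny_ptrace` boolean that nothing in this hunk declares or checks for. If the base policy on the target system does not define that boolean (it looks distribution-specific, so this is worth confirming), modules generated from this template will probably fail to build. The empty second argument is also easy to misread as granting ptrace when the boolean is on, so a policy comment above the block would help, for example `# ptrace is allowed only while the deny_ptrace boolean is off; the true branch is intentionally empty`. The interface header and its gen_require block come from another template string outside this hunk, so whether they need a matching change cannot be judged from here.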