Add a boolean to turn off all instances of ptrace in the policy
[people/stevee/selinux-policy.git] / policy / modules / services / cups.if
index 173cd162d66bd2b897d60b1aeb17bf6b528d129a..2746e6fce916e234b7c5772a4ca6523110b90140 100644 (file)
@@ -327,9 +327,13 @@ interface(`cups_admin',`
                type ptal_var_run_t;
        ')
 
-       allow $1 cupsd_t:process { ptrace signal_perms };
+       allow $1 cupsd_t:process signal_perms;
        ps_process_pattern($1, cupsd_t)
 
+       tunable_policy(`deny_ptrace',`',`
+               allow $1 cupsd_t:process ptrace;
+       ')
+
        init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
        domain_system_change_exemption($1)
        role_transition $2 cupsd_initrc_exec_t system_r;
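Review bot: The added tunable_policy block for deny_ptrace has an empty true branch and puts the allow rule in the else branch, so it is easy to misread as granting ptrace when the boolean is on. A comment directly above it would make the polarity explicit, for example `# ptrace of cupsd_t is granted only while deny_ptrace is off (rule is in the else branch)`. This matters because ptrace lets the calling admin domain inspect and modify the cupsd_t process, so whoever next edits the block needs to see which branch carries the grant. The boolean's declaration and default are not visible in this hunk, so whether the permission is effectively on or off after this commit should be confirmed where deny_ptrace is defined. cups_admin starts and ends outside the hunk; its interface documentation header, if it describes the granted permissions, should also mention that ptrace is now conditional.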