Add a boolean to turn off all instances of ptrace in the policy

[people/stevee/selinux-policy.git] / policy / modules / services / dbus.if

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 843d5fdf894795642f36e8019d33eb8338f4e8fa..3558f18126f9759187b00d60fead6ba2e5786489 100644 (file)
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -71,7 +71,11 @@ template(`dbus_role_template',`
        domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
 
        ps_process_pattern($3, $1_dbusd_t)
-       allow $3 $1_dbusd_t:process { ptrace signal_perms };
+       allow $3 $1_dbusd_t:process signal_perms;
+
+       tunable_policy(`deny_ptrace',`',`
+               allow $3 $1_dbusd_t:process ptrace;
+       ')
 
        # cjp: this seems very broken
        corecmd_bin_domtrans($1_dbusd_t, $1_t)