Add a boolean to turn off all instances of ptrace in the policy
[people/stevee/selinux-policy.git] / policy / modules / services / dovecot.if
index 673f1854b820652bf4ebdbc9b9d020571115b02d..0557be0a0f6a70c4446a10c262edf87608079cca 100644 (file)
@@ -119,8 +119,11 @@ interface(`dovecot_admin',`
                type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
        ')
 
-       allow $1 dovecot_t:process { ptrace signal_perms };
+       allow $1 dovecot_t:process signal_perms;
        ps_process_pattern($1, dovecot_t)
+       tunable_policy(`deny_ptrace',`',`
+               allow $1 dovecot_t:process ptrace;
+       ')
 
        init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
        domain_system_change_exemption($1)
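Review bot: The tunable_policy block on deny_ptrace, added after ps_process_pattern, puts the ptrace rule in the false branch and leaves the true branch empty, which reads like a misplaced argument to anyone who does not know the idiom. A one-line comment above it, such as `# ptrace of dovecot_t is allowed only while the deny_ptrace boolean is off`, would make the intent explicit. Since dovecot_t is the mail server's domain and this interface also requires dovecot_passwd_t, ptrace on it presumably exposes authentication data held in process memory, so the interface summary should say that callers of dovecot_admin get this access whenever the boolean is off. The boolean's declaration and default are not visible in this hunk; if it defaults to off, the effective policy is unchanged until an administrator sets it, which is worth confirming as intended. The body of dovecot_admin starts before the hunk and continues past it.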