Add a boolean to turn off all instances of ptrace in the policy
[people/stevee/selinux-policy.git] / policy / modules / services / qpid.if
index c403abc198f055f591518d5b9158f730a0337c59..61f00994f78ab870502aee972701fbf4e4c5968d 100644 (file)
@@ -177,8 +177,11 @@ interface(`qpidd_admin',`
                type qpidd_t, qpidd_initrc_exec_t;
        ')
 
-       allow $1 qpidd_t:process { ptrace signal_perms };
+       allow $1 qpidd_t:process signal_perms;
        ps_process_pattern($1, qpidd_t)
+       tunable_policy(`deny_ptrace',`',`
+               allow $1 qpidd_t:process ptrace;
+       ')
 
        # Allow qpidd_t to restart the apache service
        qpidd_initrc_domtrans($1)
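Review bot: The new tunable_policy block on deny_ptrace leaves its true branch empty and grants ptrace in the false branch, which is easy to misread as the opposite. A comment above it would help: `# ptrace on qpidd_t is allowed only while the deny_ptrace boolean is off`. The qpidd_admin interface documentation, which sits above this hunk, should say the same, because callers now get a conditional ptrace grant instead of an unconditional one. The default value of deny_ptrace is not visible here; if it defaults to off, the domain passed as $1 can still read and modify qpidd_t process memory until an operator sets the boolean, so that default is worth confirming against the hardening goal. The interface body starts and ends outside the hunk.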