Add a boolean to turn off all instances of ptrace in the policy
[people/stevee/selinux-policy.git] / policy / modules / services / rpcbind.if
index 3942dfc935d1be8a9b4a569888edc9d311d948b5..b4f950dfc431e6fac97286f0a2e1215ebc508150 100644 (file)
@@ -155,8 +155,11 @@ interface(`rpcbind_admin',`
                type rpcbind_initrc_exec_t;
        ')
 
-       allow $1 rpcbind_t:process { ptrace signal_perms };
+       allow $1 rpcbind_t:process signal_perms;
        ps_process_pattern($1, rpcbind_t)
+       tunable_policy(`deny_ptrace',`',`
+               allow $1 rpcbind_t:process ptrace;
+       ')
 
        init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
        domain_system_change_exemption($1)
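Review bot: The conditional added to rpcbind_admin keeps the ptrace rule in the false branch and leaves the true branch empty, so it is easy to misread as granting ptrace when deny_ptrace is on. A one-line comment above the tunable_policy call would make the intent explicit, e.g. `# ptrace of rpcbind_t is allowed only while the deny_ptrace boolean is off`. Whether the caller domain actually loses ptrace on rpcbind_t by default depends on the default value of deny_ptrace, which is declared outside this hunk and is worth confirming. The interface's summary block also starts outside the hunk; it should probably say that the ptrace grant is now conditional, so that callers of rpcbind_admin do not assume they can always ptrace the daemon.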