Seems chromium needs sys_ptrace for now, hopefully when we have the fixed kernel...
authorDan Walsh <dwalsh@redhat.com>
Tue, 13 Dec 2011 18:10:54 +0000 (13:10 -0500)
committerDan Walsh <dwalsh@redhat.com>
Tue, 13 Dec 2011 18:10:54 +0000 (13:10 -0500)
policy/modules/apps/chrome.te

index acb325cb05feb5c3a0753af5414e6a16937cf68d..4a71739d07222201237358f291cd0b85c244c502 100644 (file)
@@ -27,6 +27,10 @@ role system_r types chrome_sandbox_nacl_t;
 # chrome_sandbox local policy
 #
 allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
+tunable_policy(`deny_ptrace',`',`
+       allow chrome_sandbox_t self:capability sys_ptrace;
+')
+
 allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 allow chrome_sandbox_t self:process setsched;
 allow chrome_sandbox_t self:fifo_file manage_file_perms;
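Review bot: The `sys_ptrace` grant inside the new `tunable_policy` block has no comment marking it as a temporary workaround, although the commit title says it is needed only "for now" pending a kernel fix. A line above the block such as `# Temporary: chromium sandbox needs sys_ptrace until the kernel fix lands; remove afterwards` would keep the capability from becoming permanent by oversight. This matters because `chrome_sandbox_t` already holds `sys_admin`, `setuid` and `dac_override`, so each extra capability widens what a compromised sandbox helper could do. The grant applies only where `deny_ptrace` is off, and the visible lines add no `process ptrace` permission, which presumably keeps its practical reach narrow. With `deny_ptrace` on, the empty true branch leaves the access denied and audited; if that denial is expected noise, a `dontaudit chrome_sandbox_t self:capability sys_ptrace;` there may be worth considering.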