Seems like policykit and consolekit need sys_ptrace for now, not sure if kernel updat...
authorDan Walsh <dwalsh@redhat.com>
Wed, 16 Nov 2011 15:46:25 +0000 (10:46 -0500)
committerDan Walsh <dwalsh@redhat.com>
Wed, 16 Nov 2011 15:46:25 +0000 (10:46 -0500)
policy/modules/services/consolekit.te
policy/modules/services/policykit.te

index d45381d65fd84779ba06c4e8848b023a5f0dce93..8bd4751633d7e55fa4b0620d751f058b5edfea69 100644 (file)
@@ -24,6 +24,9 @@ files_tmpfs_file(consolekit_tmpfs_t)
 #
 
 allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
+tunable_policy(`deny_ptrace',`',`
+       allow consolekit_t self:capability sys_ptrace;
+')
 
 allow consolekit_t self:process { getsched signal };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
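Review bot: The added `allow consolekit_t self:capability sys_ptrace;` (and the matching `allow policykit_t self:capability sys_ptrace;` in the policykit.te hunk) carries no comment saying why the capability is needed or when it can be dropped, although the commit title itself calls it a "for now" measure. I would put a comment above each block, for example `# Temporary: sys_ptrace denials seen for this domain; re-test after the kernel update and remove if no longer needed.` Because the first branch of `tunable_policy` is empty, the capability is granted whenever `deny_ptrace` is off, so it is worth confirming that the daemons actually fail without it. If the denials only come from inspecting other processes' /proc entries (an assumption, the page does not show the AVCs), `dontaudit consolekit_t self:capability sys_ptrace;` would silence them without granting the capability. Neither hunk adds a `process ptrace` permission, which keeps the grant narrower than the capability name suggests.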
index 3abd6aa7a1c73c44e253c5b4ec03e3ee6153385a..885c619fb9df878598b8ddb86003ad195705461c 100644 (file)
@@ -61,6 +61,10 @@ miscfiles_read_localization(policykit_domain)
 #
 
 allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
+tunable_policy(`deny_ptrace',`',`
+       allow policykit_t self:capability sys_ptrace;
+')
+
 allow policykit_t self:process { getscheda signal };
 allow policykit_t self:unix_dgram_socket create_socket_perms;
 allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
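Review bot: The context line directly below the added block reads `allow policykit_t self:process { getscheda signal };`, and `getscheda` is not a process permission I recognise; the consolekit.te hunk has `getsched` in the same position. If that spelling is really in the file and not an artefact of this page, the policy build should reject it, and it should be corrected to `getsched` in a separate change. As a minor style point, this block adds a trailing blank line that the consolekit.te block does not; keeping the two workarounds identical makes them easier to find and remove together later.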