From: Dan Walsh Date: Tue, 13 Dec 2011 18:10:54 +0000 (-0500) Subject: Seems chromium needs sys_ptrace for now, hopefully when we have the fixed kernel... X-Git-Tag: 000~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2361af56746e54c125c2f26c01b647efcb6ea403;p=people%2Fstevee%2Fselinux-policy.git Seems chromium needs sys_ptrace for now, hopefully when we have the fixed kernel this will go away
---
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
index acb325cb..4a71739d 100644
--- a/policy/modules/apps/chrome.te
+++ b/policy/modules/apps/chrome.te
@@ -27,6 +27,10 @@ role system_r types chrome_sandbox_nacl_t;
 # chrome_sandbox local policy
 #
 allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot };
+tunable_policy(`deny_ptrace',`',`
+ allow chrome_sandbox_t self:capability sys_ptrace;
+')
+
 allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 allow chrome_sandbox_t self:process setsched;
 allow chrome_sandbox_t self:fifo_file manage_file_perms;
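Review bot: The added `allow chrome_sandbox_t self:capability sys_ptrace;` has no in-file comment marking it as a temporary workaround, so the intent to remove it is recorded only in the commit message. chrome_sandbox_t already holds `sys_admin`, `setuid` and `dac_override` on the context line above, and the new grant sits in the else branch of `tunable_policy`, so it is active whenever the `deny_ptrace` boolean is off and widens what a compromise of the sandbox helper could reach. I would put a comment directly above the block, for example `# Temporary: chromium sandbox needs sys_ptrace until the kernel fix lands; remove this block then.` If the denials turn out to be a side effect of a kernel permission check rather than real tracing, `dontaudit` would be the narrower choice than `allow`; that cannot be determined from this hunk.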