From: Dan Walsh Date: Wed, 16 Nov 2011 15:46:25 +0000 (-0500) Subject: Seems like policykit and consolekit need sys_ptrace for now, not sure if kernel updat... X-Git-Tag: 000~109 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=588885e55e015868067ea230ad00fed2dd2de68e;p=people%2Fstevee%2Fselinux-policy.git Seems like policykit and consolekit need sys_ptrace for now, not sure if kernel update will fix this problem --- diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te index d45381d6..8bd47516 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te @@ -24,6 +24,9 @@ files_tmpfs_file(consolekit_tmpfs_t) # allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice }; +tunable_policy(`deny_ptrace',`',` + allow consolekit_t self:capability sys_ptrace; +') allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 3abd6aa7..885c619f 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -61,6 +61,10 @@ miscfiles_read_localization(policykit_domain) # allow policykit_t self:capability { dac_override dac_read_search setgid setuid }; +tunable_policy(`deny_ptrace',`',` + allow policykit_t self:capability sys_ptrace; +') + allow policykit_t self:process { getscheda signal }; allow policykit_t self:unix_dgram_socket create_socket_perms; allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
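Review bot: The `allow consolekit_t self:capability sys_ptrace;` rule added in the consolekit.te hunk, and the matching `allow policykit_t self:capability sys_ptrace;` in the policykit.te hunk, give CAP_SYS_PTRACE to two daemons that already hold setuid/setgid and dac_override, with nothing in the policy marking it as a stopgap. The commit message calls the grant temporary and is unsure of the cause, so each block should carry a comment such as `# Workaround: sys_ptrace requested on current kernels; remove once the kernel side is resolved`, which gives the next maintainer something to search for. Both rules sit in the else branch of the deny_ptrace tunable, so the capability is allowed whenever that boolean is off; that is presumably the default, which is worth confirming. If the denial turns out to be audit noise and not a functional break, `dontaudit consolekit_t self:capability sys_ptrace;` (and the policykit_t equivalent) would quiet the log without widening either domain. The local-policy sections of both files continue past the end of these hunks.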
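Review bot: In the policykit.te hunk, the line after the new block reads `allow policykit_t self:process { getscheda signal };`, and `getscheda` is not a permission of the process class; the consolekit.te hunk has `getsched` in the same position. If that spelling is really in the tree and not an artefact of this page, the module would not compile, and the line should read `allow policykit_t self:process { getsched signal };`. Judging by the hunk header counts the line appears to be unchanged context, so the correction belongs in a follow-up commit.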