From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 28 Feb 2011 09:48:33 -0500 Subject: [refpolicy] [PATCH 29/34]: patch to add sys_ptrace permission to the dbus module In-Reply-To: <1297838137.3205.106.camel@tesla.lan> References: <1297838137.3205.106.camel@tesla.lan> Message-ID: <4D6BB5C1.5040609@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/16/11 01:35, Guido Trentalancia wrote: > This patch adds self:capability sys_ptrace to the dbus module. > > --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te 2011-02-07 02:36:05.874787818 +0100 > +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te 2011-02-07 02:51:51.910683659 +0100 > @@ -52,7 +52,7 @@ ifdef(`enable_mls',` > > # dac_override: /var/run/dbus is owned by messagebus on Debian > # cjp: dac_override should probably go in a distro_debian > -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; > +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace }; > dontaudit system_dbusd_t self:capability sys_tty_config; > allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; > allow system_dbusd_t self:fifo_file rw_fifo_file_perms; I find this highly questionable. It needs justification. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
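Review bot: The sys_ptrace added to the `allow system_dbusd_t self:capability { ... }` line has no stated reason. The patch description only restates the change, and unlike dac_override, which the comment above it ties to /var/run/dbus ownership on Debian, nothing in the hunk says what system_dbusd_t does that needs this capability. Please include the AVC denial that prompted the change and a comment naming the operation that triggers it. If the denial does not affect the daemon's function, a dontaudit rule next to the existing `dontaudit system_dbusd_t self:capability sys_tty_config;` would be preferable to granting the capability. If it only appears on one distribution, it should be wrapped in a distro conditional, as the cjp comment already suggests for dac_override, rather than allowed unconditionally.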