From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 28 Feb 2011 10:31:35 -0500
Subject: [refpolicy] [PATCH 29/34]: patch to add sys_ptrace permission
 to the dbus module
In-Reply-To: <4D6BB5C1.5040609@tresys.com>
References: <1297838137.3205.106.camel@tesla.lan> <4D6BB5C1.5040609@tresys.com>
Message-ID: <4D6BBFD7.4040301@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/28/2011 09:48 AM, Christopher J. PeBenito wrote:
> On 02/16/11 01:35, Guido Trentalancia wrote:
>> This patch adds self:capability sys_ptrace to the dbus module.
>>
>> --- refpolicy-git-02022011-test-apply/policy/modules/services/dbus.te	2011-02-07 02:36:05.874787818 +0100
>> +++ refpolicy-git-02022011-test-apply2/policy/modules/services/dbus.te	2011-02-07 02:51:51.910683659 +0100
>> @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
>>  
>>  # dac_override: /var/run/dbus is owned by messagebus on Debian
>>  # cjp: dac_override should probably go in a distro_debian
>> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
>> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
>>  dontaudit system_dbusd_t self:capability sys_tty_config;
>>  allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
>>  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
> 
> I find this highly questionable.  It needs justification.
> 

We do not have this in Fedora.  Might be similar to policykit, examining
/proc/PID/cmdline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1rv9cACgkQrlYvE4MpobPFbwCfS+tg0VMnAtOwN8G67WnBPN1J
xX0An1tydi5iEvayHq/QtiZPqLWtSEdf
=nXYv
-----END PGP SIGNATURE-----