From 497da0953cbc5ccee0d82b901f5382e20698e66c Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Tue, 8 Aug 2006 17:49:03 +0000
Subject: [PATCH] ps/ptrace dontaudit cleanup

---
 policy/modules/apps/cdrecord.if    |  6 ------
 policy/modules/apps/evolution.if   |  5 -----
 policy/modules/apps/irc.if         |  5 -----
 policy/modules/apps/mozilla.if     |  5 -----
 policy/modules/apps/mplayer.if     | 10 ----------
 policy/modules/apps/thunderbird.if |  5 -----
 policy/modules/apps/tvtime.if      |  5 -----
 policy/modules/apps/uml.if         |  5 -----
 policy/modules/services/cron.if    |  1 -
 policy/modules/services/xserver.if | 22 ----------------------
 policy/modules/system/init.if      |  6 ------
 11 files changed, 75 deletions(-)

diff --git a/policy/modules/apps/cdrecord.if b/policy/modules/apps/cdrecord.if
index f756bc422..4b98c08d9 100644
--- a/policy/modules/apps/cdrecord.if
+++ b/policy/modules/apps/cdrecord.if
@@ -64,12 +64,6 @@ template(`cdrecord_per_userdomain_template', `
 	allow $2 $1_cdrecord_t:dir { search getattr read };
 	allow $2 $1_cdrecord_t:{ file lnk_file } { read getattr };
 	allow $2 $1_cdrecord_t:process getattr;
-	#We need to suppress this denial because procps
-	#tries to access /proc/pid/environ and this now
-	#triggers a ptrace check in recent kernels
-	# (2.4 and 2.6). Might want to change procps
-	#to not do this, or only if running in a privileged domain.
-	dontaudit $2 $1_cdrecord_t:process ptrace;
 	allow $2 $1_cdrecord_t:process signal;
 
 	# Transition from the user domain to the derived domain.
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index 946a9fbc5..16b640e2c 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -170,11 +170,6 @@ template(`evolution_per_userdomain_template',`
 	allow $2 $1_evolution_t:dir { search getattr read };
 	allow $2 $1_evolution_t:{ file lnk_file } { read getattr };
 	allow $2 $1_evolution_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_evolution_t:process ptrace;
 
 	#FIXME check to see if really needed
 	kernel_read_kernel_sysctls($1_evolution_t)
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 1cd0fbfe0..9fe759286 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -96,11 +96,6 @@ template(`irc_per_userdomain_template',`
 	allow $2 $1_irc_t:dir { search getattr read };
 	allow $2 $1_irc_t:{ file lnk_file } { read getattr };
 	allow $2 $1_irc_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_irc_t:process ptrace;
 	
 	kernel_read_proc_symlinks($1_irc_t)
 
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 26e7bad2d..747bde4b6 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -106,11 +106,6 @@ template(`mozilla_per_userdomain_template',`
 	allow $2 $1_mozilla_t:dir { search getattr read };
 	allow $2 $1_mozilla_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mozilla_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mozilla_t:process ptrace;
 
 	allow $2 $1_mozilla_t:process signal_perms;
 	
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 12e9260df..347f0fb7f 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -81,11 +81,6 @@ template(`mplayer_per_userdomain_template',`
 	allow $2 $1_mencoder_t:dir { search getattr read };
 	allow $2 $1_mencoder_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mencoder_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mencoder_t:process ptrace;
 	allow $2 $1_mencoder_t:process signal_perms;
 
 	# Read /proc files and directories
@@ -295,11 +290,6 @@ template(`mplayer_per_userdomain_template',`
 	allow $2 $1_mplayer_t:dir { search getattr read };
 	allow $2 $1_mplayer_t:{ file lnk_file } { read getattr };
 	allow $2 $1_mplayer_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_mplayer_t:process ptrace;
 	allow $2 $1_mplayer_t:process signal_perms;
 
 	kernel_dontaudit_list_unlabeled($1_mplayer_t)
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index 2e197eb93..0c8401438 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -87,11 +87,6 @@ template(`thunderbird_per_userdomain_template',`
 	allow $2 $1_thunderbird_t:dir { search getattr read };
 	allow $2 $1_thunderbird_t:{ file lnk_file } { read getattr };
 	allow $2 $1_thunderbird_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_thunderbird_t:process ptrace;
 
 	# Access ~/.thunderbird
 	allow $2 $1_thunderbird_home_t:dir manage_dir_perms;
diff --git a/policy/modules/apps/tvtime.if b/policy/modules/apps/tvtime.if
index 4a6899ba1..22c035f67 100644
--- a/policy/modules/apps/tvtime.if
+++ b/policy/modules/apps/tvtime.if
@@ -99,11 +99,6 @@ template(`tvtime_per_userdomain_template',`
 	allow $2 $1_tvtime_t:dir { search getattr read };
 	allow $2 $1_tvtime_t:{ file lnk_file } { read getattr };
 	allow $2 $1_tvtime_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_tvtime_t:process ptrace;
 	allow $2 $1_tvtime_t:process signal_perms;
 	
 	kernel_read_all_sysctls($1_tvtime_t)
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index abc568f5b..fb067bbec 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -120,11 +120,6 @@ template(`uml_per_userdomain_template',`
 	allow $2 $1_uml_t:dir { search getattr read };
 	allow $2 $1_uml_t:{ file lnk_file } { read getattr };
 	allow $2 $1_uml_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_uml_t:process ptrace;
 
 	allow $2 $1_uml_tmp_t:dir create_dir_perms;
 	allow $2 $1_uml_tmp_t:file create_file_perms;
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index fb6b8839c..88033ab3f 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -186,7 +186,6 @@ template(`cron_per_userdomain_template',`
 	allow $2 $1_crontab_t:dir { search getattr read };
 	allow $2 $1_crontab_t:{ file lnk_file } { read getattr };
 	allow $2 $1_crontab_t:process getattr;
-	dontaudit $2 $1_crontab_t:process ptrace;
 
 	# for ^Z
 	allow $2 $1_crontab_t:process signal;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6868bb688..bac7292e8 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -174,16 +174,6 @@ template(`xserver_common_domain_template',`
 	optional_policy(`
 		xfs_stream_connect($1_xserver_t)
 	')
-
-	ifdef(`TODO',`
-	ifdef(`distro_redhat',`
-		ifdef(`rpm.te', `
-			allow $1_xserver_t rpm_t:shm { unix_read unix_write read write associate getattr };
-			allow $1_xserver_t rpm_tmpfs_t:file { read write };
-			rpm_use_fds($1_xserver_t)
-		')
-	')
-	') dnl end TODO
 ')
 
 #######################################
@@ -317,8 +307,6 @@ template(`xserver_per_userdomain_template',`
 	')
 
 	ifdef(`TODO',`
-	allow $1_t xdm_xserver_t:unix_stream_socket connectto;
-
 	ifdef(`xdm.te', `
 		allow $1_t xdm_tmp_t:sock_file unlink;
 		allow $1_xserver_t xdm_var_run_t:dir search;
@@ -352,11 +340,6 @@ template(`xserver_per_userdomain_template',`
 	allow $2 $1_xauth_t:dir { search getattr read };
 	allow $2 $1_xauth_t:{ file lnk_file } { read getattr };
 	allow $2 $1_xauth_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_xauth_t:process ptrace;
 
 	allow $2 $1_xauth_home_t:file manage_file_perms;
 	allow $2 $1_xauth_home_t:file { relabelfrom relabelto };
@@ -419,11 +402,6 @@ template(`xserver_per_userdomain_template',`
 	allow $2 $1_iceauth_t:dir { search getattr read };
 	allow $2 $1_iceauth_t:{ file lnk_file } { read getattr };
 	allow $2 $1_iceauth_t:process getattr;
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $2 $1_iceauth_t:process ptrace;
 
 	allow $2 $1_iceauth_home_t:file manage_file_perms;
 	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4e76bd4b8..cfe04fa32 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -620,12 +620,6 @@ interface(`init_read_script_state',`
 	allow $1 initrc_t:dir r_dir_perms;
 	allow $1 initrc_t:{ file lnk_file } r_file_perms;
 	allow $1 initrc_t:process getattr;
-
-	# We need to suppress this denial because procps tries to access
-	# /proc/pid/environ and this now triggers a ptrace check in recent kernels
-	# (2.4 and 2.6).  Might want to change procps to not do this, or only if
-	# running in a privileged domain.
-	dontaudit $1 initrc_t:process ptrace;
 ')
 
 ########################################