Written by: Martin Orr
Allow dpkg maintainer scripts to ptrace
For dpkg_script_t, this is needed for gconf-schemas, called by libgnomevfs2-common.postinst
For dpkg_t, this is needed for start-stop-daemon, called by udev.postinst
type=SYSCALL msg=audit(01/07/09 14:24:05.114:1482) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=7ffff4add010 a1=7ffff4add110 a2=7ffff4add110 a3=8101010101010100 items=0 ppid=8136 pid=8137 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=4294967295 comm=pidof exe=/sbin/killall5 subj=system_u:system_r:dpkg_script_t:s0 key=(null)
type=AVC msg=audit(01/07/09 14:24:05.114:1482) : avc: denied { sys_ptrace } for pid=8137 comm=pidof capability=sys_ptrace scontext=system_u:system_r:dpkg_script_t:s0 tcontext=system_u:system_r:dpkg_script_t:s0 tclass=capability
type=SYSCALL msg=audit(1251224725.910:256): arch=c000003e syscall=0 success=yes exit=199 a0=4 a1=7f2554b77000 a2=400 a3=22 items=0 ppid=4346 pid=4353 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=4294967295 comm="start-stop-daem" exe="/sbin/start-stop-daemon" subj=system_u:system_r:dpkg_t:s0 key=(null)
type=AVC msg=audit(1251224725.910:256): avc: denied { sys_ptrace } for pid=4353 comm="start-stop-daem" capability=19 scontext=system_u:system_r:dpkg_t:s0 tcontext=system_u:system_r:dpkg_t:s0 tclass=capability
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig
+++ policy/modules/admin/dpkg.te
@@ -51,7 +51,7 @@
 # dpkg Local policy
 #
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable sys_ptrace };
 allow dpkg_t self:process { setpgid fork getsched setfscreate };
 allow dpkg_t self:fd use;
 allow dpkg_t self:fifo_file rw_fifo_file_perms;
@@ -220,7 +220,7 @@
 #
 # TODO: actually use dpkg_script_t
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill sys_ptrace };
 allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
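Review bot: Both hunks grant the full `sys_ptrace` capability to `dpkg_t` and `dpkg_script_t`, which looks broader than the two audit records in the description require: the first is `pidof` (`exe=/sbin/killall5`) getting `exit=-13` on a `stat`, apparently while walking `/proc`, and the second shows `start-stop-daemon`'s `syscall=0` completing with `success=yes` despite the denial, so both tools seem to tolerate the refusal. The usual refpolicy treatment for tools that inspect other processes' `/proc` entries is to silence the record rather than grant the capability, i.e. `dontaudit dpkg_t self:capability sys_ptrace;` in the first hunk and `dontaudit dpkg_script_t self:capability sys_ptrace;` in the second, unless the maintainer scripts are confirmed to fail without the allow. That treatment also fits the second hunk's own `self:process ~{ ptrace ... }` line, which seems intended to keep ptrace away from `dpkg_script_t`. If the allow is kept, a comment above each rule recording the callers that needed it, such as `# sys_ptrace: start-stop-daemon (udev.postinst) and pidof (libgnomevfs2-common.postinst) reading /proc of other processes`, would let the next maintainer reassess it.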