Written by: Martin Orr
Allow userdel to look through /proc to check if the user to be deleted is running any processes
Should maybe just domain_dontaudit_search_all_domains_state
Index: policy/modules/admin/usermanage.te
===================================================================
--- policy/modules/admin/usermanage.te.orig
+++ policy/modules/admin/usermanage.te
@@ -426,7 +426,7 @@
 # Useradd local policy
 #
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource sys_ptrace };
 dontaudit useradd_t self:capability sys_tty_config;
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
@@ -448,6 +448,7 @@
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(useradd_t)
+domain_read_all_domains_state(useradd_t)
 domain_use_interactive_fds(useradd_t)
 domain_read_all_domains_state(useradd_t)
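Review bot: The added `sys_ptrace` capability on the useradd_t self:capability line is broader than the stated goal of checking /proc for a user's processes, and it sits two lines above a rule that deliberately excludes ptrace from useradd_t's self:process permissions (`~{ ptrace ... }`). Determining which user owns each process reads per-process /proc entries, which the `domain_read_all_domains_state` interface added in the second hunk is presumably meant to cover without CAP_SYS_PTRACE; the capability additionally lets useradd_t attach to and inspect other processes, a notable expansion for an administrative tool. If the capability was only added to silence an AVC, the description's own suggestion is closer to least privilege, e.g. `dontaudit useradd_t self:capability sys_ptrace;` next to the existing `sys_tty_config` dontaudit, unless a denial shows the operation actually fails without it. The second hunk's added `domain_read_all_domains_state(useradd_t)` also appears to duplicate the same call already present in its context two lines below, though that hunk is cut off in this excerpt.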