Description of problem:
Several packages are using the ptrace capability and generate lots of logs. In enforcing mode this was even blocking semodule for loading a module. For now I am using the following:

#============= consolekit_t ==============
allow consolekit_t self:capability sys_ptrace;

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t self:capability sys_ptrace;

#============= syslogd_t ==============
allow syslogd_t self:capability sys_ptrace;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-86.fc17.noarch

Additional info:
Note that this is in rawhide. The same package works OK in branched (f17).
getsebool reports:
deny_ptrace --> off
It's possible that the part of the issue getting semodule to load a policy may have been just very slow due to all of the AVCs rather than actual blocking. I waited several minutes and then tried setenforce 0 and it finished shortly afterwards. But that might have been a coincidence or maybe the load was reduced a bit.
The sys_ptrace access will be allowed in selinux-policy-3.10.0-88.fc17.noarch
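An added example, not part of the original report or of selinux-policy: a small triage script that counts `sys_ptrace` capability denials per source domain in audit records and prints local rules in the same form the reporter used. The log lines are constructed samples in the standard AVC record layout, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report); the three
# source domains are the ones the reporter listed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328300000.101:201): avc:  denied  { sys_ptrace } for  pid=811 comm="console-kit-dae" capability=19  scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1328300000.101:201): arch=c000003e syscall=0 success=yes exit=128 pid=811 comm="console-kit-dae"
type=AVC msg=audit(1328300001.220:202): avc:  denied  { sys_ptrace } for  pid=902 comm="rtkit-daemon" capability=19  scontext=system_u:system_r:rtkit_daemon_t:s0 tcontext=system_u:system_r:rtkit_daemon_t:s0 tclass=capability
type=AVC msg=audit(1328300002.330:203): avc:  denied  { sys_ptrace } for  pid=640 comm="rsyslogd" capability=19  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability
type=AVC msg=audit(1328300003.440:204): avc:  denied  { read } for  pid=640 comm="rsyslogd" name="messages" dev="dm-0" ino=1234 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1328300004.550:205): avc:  denied  { sys_ptrace } for  pid=811 comm="console-kit-dae" capability=19  scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def ptrace_denials_by_domain(log_text):
    """Return {source_type: count} for denied sys_ptrace capability checks."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, granted lines, unrelated text
        perms, scontext, tcontext, tclass = m.groups()
        if tclass != "capability" or "sys_ptrace" not in perms.split():
            continue
        # A context is user:role:type[:level]; the type is the third field.
        src, tgt = scontext.split(":")[2], tcontext.split(":")[2]
        if src == tgt:  # capability checks are made against the domain itself
            counts[src] += 1
    return dict(counts)

def local_policy_rules(counts):
    """Render one 'self:capability sys_ptrace' rule per affected domain."""
    out = []
    for domain in sorted(counts):
        out.append(f"#============= {domain} ==============")
        out.append(f"allow {domain} self:capability sys_ptrace;")
    return "\n".join(out)

if __name__ == "__main__":
    print(local_policy_rules(ptrace_denials_by_domain(SAMPLE_AUDIT_LOG)))
```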