@samuelwilliams
Last active August 8, 2025 02:24
ps SELinux policy
# This is a sample SELinux policy module file to confine a process executing the /bin/ps binary.
# The purpose is to act as a point of reference when writing policies for apps that make use of the ps functionality.
policy_module(ps, 0.1)
type ps_t;
domain_type(ps_t)
# sys_ptrace checked against a user namespace: needed when ps inspects /proc/<pid> entries of processes it does not own.
allow ps_t self:cap_userns sys_ptrace;
# Bypass DAC read/search permission checks on files and directories while walking /proc.
allow ps_t self:capability dac_read_search;
# Read the process state (/proc/pid) of all domains.
domain_read_all_domains_state(ps_t)
# Do not audit attempts to read the process state (/proc/pid) of all domains.
#domain_dontaudit_read_all_domains_state(ps_t)
# Resolve names and groups using /etc/passwd, sss nsswitch, and systemd nsswitch
auth_read_passwd(ps_t)
# Allow attempts to read all proc types.
kernel_read_all_proc(ps_t)
# Read hardware state information.
dev_read_sysfs(ps_t)
# Search the contents of the /dev/pts directory.
term_search_ptys(ps_t)
# Read and write a user domain pty.
userdom_use_user_ptys(ps_t)
# Get the attributes of a user domain tty.
userdom_getattr_user_ttys(ps_t)
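Policies like the one above are usually grown from AVC denials logged while the domain runs. The following is an added example, not part of the gist, of a minimal audit2allow-style helper that merges denials for a given domain into candidate allow rules; the AVC lines it parses are constructed samples, and the rules it emits are meant to be reviewed and replaced with the refpolicy interfaces the gist uses, not installed as-is.

```python
"""Mini audit2allow for iterating on a module like the ps policy above.

The AVC lines below are constructed samples, not real audit logs."""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\w+)"
)

# Constructed sample denials for a ps run confined in ps_t (plus one unrelated domain).
SAMPLE_AVC = [
    'type=AVC msg=audit(1691471040.101:301): avc:  denied  { sys_ptrace } for  pid=4242 comm="ps" capability=19 scontext=system_u:system_r:ps_t:s0 tcontext=system_u:system_r:ps_t:s0 tclass=cap_userns permissive=0',
    'type=AVC msg=audit(1691471040.102:302): avc:  denied  { read } for  pid=4242 comm="ps" name="status" dev="proc" ino=12345 scontext=system_u:system_r:ps_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1691471040.103:303): avc:  denied  { open } for  pid=4242 comm="ps" path="/proc/1/status" dev="proc" ino=12345 scontext=system_u:system_r:ps_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1691471040.104:304): avc:  denied  { read } for  pid=4242 comm="ps" name="passwd" dev="dm-0" ino=67890 scontext=system_u:system_r:ps_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1691471040.105:305): avc:  denied  { getattr } for  pid=99 comm="top" scontext=system_u:system_r:top_t:s0 tcontext=system_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=0',
]

def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (type_of(m.group("scon")), type_of(m.group("tcon")),
            m.group("tclass"), set(m.group("perms").split()))

def suggest_rules(lines, domain):
    """Merge every denial whose source is `domain` into one allow rule per
    (target type, object class). Like the gist, a target equal to the source
    is written as `self`. The output is a review starting point: prefer the
    refpolicy interfaces the gist uses (domain_read_all_domains_state,
    auth_read_passwd, ...) over raw allow rules on concrete types."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None or parsed[0] != domain:
            continue
        _, ttype, tclass, perms = parsed
        merged[(ttype, tclass)] |= perms
    rules = []
    for (ttype, tclass), perms in sorted(merged.items()):
        target = "self" if ttype == domain else ttype
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {domain} {target}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_AVC, "ps_t")))
```

In the sample, the `init_t:file` and `passwd_file_t:file` rules correspond to what the gist expresses more portably as `domain_read_all_domains_state(ps_t)` and `auth_read_passwd(ps_t)`.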