ps SELinux policy
# This is a sample SELinux policy module file to confine a process executing the /bin/ps binary
# The purpose is to act as a point of reference when writing policies for apps that make use of the ps functionality
#
# Scope of this module (review notes):
# - It declares the domain ps_t and grants the access a ps process needs to enumerate
#   other processes and resolve their owners.
# - It does NOT declare an executable type for /bin/ps, a domain entrypoint, a transition
#   into ps_t, or any role/user association, so loading this module on its own does not
#   place any process in ps_t. NOTE(review): a matching file-context and the transition
#   rules are presumably expected to live alongside this file — confirm before relying on it.
policy_module(ps, 0.1)
# The domain the confined ps process runs in.
type ps_t;
domain_type(ps_t)
# cap_userns/sys_ptrace: CAP_SYS_PTRACE as checked inside a (non-initial) user namespace.
# Presumably needed because reading several /proc/<pid> entries of other users' processes
# is gated on a ptrace-style access check; the host-namespace equivalent would be granted
# through the "capability" class, which this module does not do. Access this capability
# unlocks is still bounded by the SELinux proc/domain rules below.
allow ps_t self:cap_userns sys_ptrace;
# CAP_DAC_READ_SEARCH: bypass DAC read and search (directory traversal) checks.
# This is a broad grant: any file or directory type that ps_t may read under SELinux
# becomes readable regardless of its owner/mode bits. Keep the SELinux read rules below
# as narrow as possible, since they are the only remaining limit on this capability.
allow ps_t self:capability dac_read_search;
# Read the process state (/proc/pid) of all domains.
# Broad by design: ps lists every process, so ps_t may read the /proc state of every
# domain on the system, confined or not. Prefer this over the dontaudit variant below
# only when the deployment actually needs a complete process list.
domain_read_all_domains_state(ps_t)
# Do not audit attempts to read the process state (/proc/pid) of all domains.
# Alternative to the allow rule above, not a complement to it: it silences the AVC
# denials without granting access, so ps would simply not see other domains' processes.
#domain_dontaudit_read_all_domains_state(ps_t)
# Resolve names and groups using /etc/passwd, sss nsswitch, and systemd nsswitch
auth_read_passwd(ps_t)
# Allow attempts to read all proc types.
# NOTE(review): this covers /proc entries beyond per-process state; confirm the full
# set is required rather than a narrower kernel_read_* interface.
kernel_read_all_proc(ps_t)
# Read hardware state information.
dev_read_sysfs(ps_t)
# Search the contents of the /dev/pts directory.
term_search_ptys(ps_t)
# Read and write a user domain pty.
# Needed so ps can write its output to the terminal it was launched from.
userdom_use_user_ptys(ps_t)
# Get the attributes of a user domain tty.
# Lets ps report the controlling tty column without granting read/write on ttys.
userdom_getattr_user_ttys(ps_t)