diff --git a/20-yama-ptrace.conf b/20-yama-ptrace.conf
new file mode 100644
index 0000000..4fbaf97
--- /dev/null
+++ b/20-yama-ptrace.conf
@@ -0,0 +1,42 @@
+# The ptrace system call is used for interprocess services,
+# communication and introspection (like synchronisation, signaling,
+# debugging, tracing and profiling) of processes.
+#
+# Usage of ptrace is restricted by normal user permissions. Normal
+# unprivileged processes cannot use ptrace on processes that they
+# cannot send signals to or processes that are running set-uid or
+# set-gid. Nevertheless, processes running under the same uid will
+# usually be able to ptrace one another.
+#
+# Fedora enables the Yama security mechanism which restricts ptrace
+# even further. Sysctl setting kernel.yama.ptrace_scope can have one
+# of the following values:
+#
+# 0 - Normal ptrace security permissions.
+# 1 - Restricted ptrace. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+# For more information see Documentation/security/Yama.txt in the
+# kernel sources.
+#
+# The default is 1., which allows tracing of child processes, but
+# forbids tracing of arbitrary processes. This allows programs like
+# gdb or strace to work when the most common way of having the
+# debugger start the debuggee is used:
+#    gdb /path/to/program ...
+# Attaching to already running programs is NOT allowed:
+#    gdb -p ...
+# This default setting is suitable for the common case, because it
+# reduces the risk that one hacked process can be used to attack other
+# processes. (For example, a hacked firefox process in a user session
+# will not be able to ptrace the keyring process and extract passwords
+# stored only in memory.)
+#
+# Developers and administrators might want to disable those protections
+# to be able to attach debuggers to existing processes. Use
+#   sysctl kernel.yama.ptrace_scope=0
+# for change the setting temporarily, or copy this file to
+# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
+
+kernel.yama.ptrace_scope = 0
diff --git a/systemd.spec b/systemd.spec
index f5b3517..f5fd4b7 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -34,6 +34,7 @@ Source5:        inittab
 Source6:        sysctl.conf.README
 Source7:        systemd-journal-remote.xml
 Source8:        systemd-journal-gatewayd.xml
+Source9:        20-yama-ptrace.conf
 
 # temporary fix for broken kernel headers
 Source99:       in.h
@@ -384,6 +385,10 @@ mkdir -vp %{buildroot}/usr/lib/firewalld/services/
 install -Dm0644 %{SOURCE7} %{buildroot}/usr/lib/firewalld/services/
 install -Dm0644 %{SOURCE8} %{buildroot}/usr/lib/firewalld/services/
 
+# Install additional docs
+# https://bugzilla.redhat.com/show_bug.cgi?id=1234951
+install -Dm0644 %{SOURCE9} %{buildroot}%{_pkgdocdir}/
+
 %find_lang %{name}
 
 %check
@@ -553,6 +558,7 @@ getent passwd systemd-journal-upload >/dev/null 2>&1 || useradd -r -l -g systemd
 
 %files -f %{name}.lang
 %doc %{_pkgdocdir}
+%{_pkgdocdir}/20-yama-ptrace.conf
 %exclude %{_pkgdocdir}/LICENSE.*
 %license LICENSE.GPL2 LICENSE.LGPL2.1
 %dir %{_sysconfdir}/systemd