SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Jan Kratochvil jan.kratochvil at redhat.com
Mon Apr 9 05:59:36 UTC 2012


On Sun, 08 Apr 2012 22:50:21 +0200, Tom Lane wrote:
> A possible compromise that might allow software developers to live
> with the setting would be if the default excluded gdb

A counterargument in some Bug was that the attacker can then spawn GDB instead
of using PTRACE_ATTACH in that process itself.

SELinux tries to limit the impact of already exploited code, so it is difficult
to say what is right.  The right thing is not to have any exploitable code.

F-17 should at least bring it to the level of YAMA functionality:
	SELinux deny_ptrace: Do not restrict PTRACE_TRACEME [NEW]
	https://bugzilla.redhat.com/show_bug.cgi?id=802072


Regards,
Jan
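As an added example, not part of Jan's message or of the Fedora bug, a small probe that reports which of the two ptrace paths contrasted above the running policy permits: PTRACE_TRACEME, which a debuggee started under gdb uses, and PTRACE_ATTACH, which attaching gdb to a running process uses (tried here only against the probe's own idle child, so no foreign process is touched). A deny_ptrace policy at the YAMA level described in bug 802072 is the configuration in which the first probe reports 1 and the second 0.

```c
/* Added probe, not from the thread: which ptrace paths does the current policy allow? */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* PTRACE_TRACEME (debuggee started under gdb): 1 allowed, 0 denied by policy, -1 probe error. */
int probe_traceme(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(2);
        raise(SIGSTOP);   /* delivered to the parent as a ptrace stop */
        _exit(0);
    }
    int status, rc = -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSTOPPED(status)) rc = 1;                              /* we became its tracer */
    else if (WIFEXITED(status) && WEXITSTATUS(status) == 2) rc = 0;
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

/* PTRACE_ATTACH to a running process (attaching gdb), tried only against our own
   idle child: 1 allowed, 0 denied by policy, -1 probe error. */
int probe_attach(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { pause(); _exit(0); }
    int rc = -1;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0) {
        waitpid(pid, NULL, 0);                                   /* attach stop */
        rc = 1;
    } else if (errno == EPERM) {
        rc = 0;
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void) {
    printf("PTRACE_TRACEME: %d  PTRACE_ATTACH(own child): %d  (1 allowed, 0 denied, -1 error)\n",
           probe_traceme(), probe_attach());
    return 0;
}
```

Run it once with the boolean off and once with it on to see which path the policy closes; a seccomp-confined container may report -1 for attach because the syscall fails with an error other than EPERM.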