SELinuxDenyPtrace: Write, compile, run, but don't debug applications?
Denys Vlasenko
dvlasenk at redhat.com
Tue Apr 10 14:02:38 UTC 2012
On 04/09/2012 08:22 PM, Daniel J Walsh wrote:
> On 04/09/2012 02:15 PM, Miloslav Trmač wrote:
>> On Mon, Apr 9, 2012 at 4:58 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>> One suggestion I have heard is to turn the feature off if someone installs
>>> gdb like we do with DrKonqi, which might be a better solution than
>>> disabling by default.
>> It would be very surprising if merely installing a package changed the
>> security configuration that is not directly related to the files installed
>> by the package.
>>    Mirek
> Right, although this is about compromise. I want the feature for as many
> users as possible.
We know, believe me...
Do you want to know what *users* want?
> If I have it on, I will hit 90% of the installed SELinux
> Base. If I turn it off by default I will hit < 1% of the installed SELinux
> Base. If I compromise I can get 50% of the installed base to use it.
Poor installed base....
> People do not tend to change the defaults when it comes to security other than
> loosening it.
People also tend to remove handcuffs at every opportunity they get.
I wonder why.
--
vda