SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Mark Wielaard mjw at redhat.com
Sun Apr 8 17:02:31 UTC 2012


Hi,

I recently tested out f17 and saw I can no longer trace or debug
applications by default. While I appreciate why one might want
some applications to not ptrace any other application, it is a
bit of a sledgehammer to deny any and all program introspection.

Previously https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace
implied that this feature could be turned on by an administrator,
but recently it was changed to be on by default. Was that intended?
The change to selinux-policy was fairly recent (3.10.0-92) and seems
to have taken at least some people by surprise.

IMHO turning this on globally is a bit of a sledgehammer. Also the
fact that when you just want to trace or debug your own applications
you now also have to allow it for everything is discouraging. I like
the idea of disallowing this for, say, firefox plugins or httpd cgi scripts,
but does it really have to be global all or nothing?

It seems a little odd that a user is now allowed to write, compile
and run their own programs, but then wouldn't be allowed to debug
them by default.

The feature also assumes developers and administrators are the same
person on a machine. While this often is the case, it isn't generally.
This might lead to a "security fight" between administrators and
developers over who is or isn't allowed to analyse the system. Not helped
by the fact that this feature seems to be globally on or off only.

Is there still time to discuss and/or reconsider turning this on by
default for F17?

Thanks,

Mark