SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Tom Lane tgl at redhat.com
Sun Apr 8 20:50:21 UTC 2012


John Reiser <jreiser at bitwagon.com> writes:
> gdb nicely gives the work-around for denyPtrace, but the work-around
> requires privileges to implement.  So far the implementation history
> of the denyPtrace feature leads me to fear loss of Functionality and
> Usability for software developers.

Indeed.  This "feature" isn't going to make people more secure if the
first thing on everyone's Fedora installation checklist is to turn it
off.  And that certainly will be on my checklist, if it goes in like
this.

A possible compromise that might allow software developers to live
with the setting would be if the default excluded gdb (and any other
tools that normally need ptrace) from its effects.  I can see the
point of disallowing ptrace from security-exposed things like
firefox, but I'm not very worried about gdb being compromised.

And, as I said, the alternative is that this gets turned off, by me
and probably a very large fraction of other Fedora users.  How is
that "more secure"?

			regards, tom lane
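The thread talks about the SELinux denyPtrace setting and the privileged work-around that gdb prints when an attach is refused. The script below is an added example, not part of this message or of Fedora's own tooling; it assumes the Fedora boolean is named deny_ptrace and that getsebool/setsebool are the tools that read and set it. It parses the state, reports whether a debugger attach would be refused, and prints (but never runs) the persistent toggle that needs root. The sample getsebool line is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: inspect the SELinux "deny_ptrace" boolean (the thread's
# "denyPtrace") from a defender's side and show the privileged work-around.
# Assumptions: boolean name "deny_ptrace", tools getsebool/setsebool.

# Parse one line of `getsebool` output, e.g. "deny_ptrace --> on".
# Exit status: 0 = on (ptrace denied), 1 = off (ptrace allowed), 2 = unparseable.
parse_deny_ptrace() {
    case "$1" in
        "deny_ptrace --> on")  return 0 ;;
        "deny_ptrace --> off") return 1 ;;
        *)                     return 2 ;;
    esac
}

# Turn a getsebool line into a one-line summary. The setsebool command is the
# privileged, persistent toggle discussed in the thread; it is only printed.
describe_state() {
    rc=0
    parse_deny_ptrace "$1" || rc=$?
    case "$rc" in
        0) echo "deny_ptrace=on: gdb attach will be refused; work-around (root): setsebool -P deny_ptrace 0" ;;
        1) echo "deny_ptrace=off: ptrace allowed for unconfined users" ;;
        *) echo "deny_ptrace state unknown: could not parse '$1'" ;;
    esac
}

# Query the live system when the SELinux tools exist; print
# denied | allowed | unknown so the result is usable from other scripts.
ptrace_status() {
    if command -v getsebool >/dev/null 2>&1; then
        line=$(getsebool deny_ptrace 2>/dev/null || true)
        rc=0
        parse_deny_ptrace "$line" || rc=$?
        case "$rc" in
            0) echo denied ;;
            1) echo allowed ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Constructed sample line, in the format getsebool prints on Fedora.
sample="deny_ptrace --> on"
describe_state "$sample"
ptrace_status
```

Run it as an unprivileged user: on a box without SELinux tools it prints the constructed sample's summary and "unknown"; on a Fedora box with deny_ptrace on it prints "denied", which is the state that makes gdb fall back to telling the developer to change the boolean.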
