SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Antonio Trande anto.trande at gmail.com
Mon Apr 9 18:12:56 UTC 2012


2012/4/9 Daniel J Walsh <dwalsh at redhat.com>

> On 04/09/2012 11:11 AM, Frank Ch. Eigler wrote:
> >
> > dwalsh wrote:
> >
> >> I thought I made this clear in my blogs and the feature page that I
> >> wanted this on deny_ptrace on by default. [...]
> >> https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace
> >
> > The version of this page that you last edited [1] (and presumably as seen
> > by FESCO) had this blurb:
> >
> > The deny_ptrace boolean will deny all processes even the unconfined_t
> > domain from being able to ptrace other domains. Because of this it will
> > be optional and turned off by default
> >
> > which seems easy to interpret as the opposite of "deny_ptrace on by
> > default".
> >
> > [1] https://fedoraproject.org/w/index.php?title=Features/SELinuxDenyPtrace&oldid=268413
> >
> >  - FChE
> Ok, I guess I will have to fix this, and propose that we turn it on by
> default in Fedora 18.


Maybe it would be good if deny_ptrace remained turned on by default already
from F17, I think. Primarily for two reasons:

- Many "normal Fedora users" still don't know why SELinux is important;
imagine whether anyone would worry about how to turn on one of its booleans.
- Even if someone is interested in it, they will think that it is not as
important if it is disabled by default.

Also:

- If this feature is turned off by default, less feedback will come back
from the community.

In any case I will advise activating it if necessary.

My two cents. :)
Regards.

-- 
Antonio Trande
"Fedora Ambassador"

mail: sagitter at fedoraproject.org
Homepage: http://www.fedora-os.org
SIP Address: sip:sagitter AT ekiga.net
Jabber <http://jabber.org/>: sagitter AT jabber.org
GPG Key: 19E6DF27