SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Daniel J Walsh dwalsh at redhat.com
Mon Apr 9 18:22:56 UTC 2012


On 04/09/2012 02:15 PM, Miloslav Trmač wrote:
> On Mon, Apr 9, 2012 at 4:58 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> One suggestion I have heard is to turn the feature off if someone installs
>> gdb like we do with DrKonji, which might be a better solution than
>> disabling by default.
> It would be very surprising if merely installing a package changed the 
> security configuration that is not directly related to the files installed
> by the package.
> Mirek

Right, although this is about compromise.  I want the feature for as many
users as possible.  If I have it on, I will hit 90% of the installed SELinux
Base.  If I turn it off by default I will hit < 1 % of the installed SELinux
Base.  If I compromise I can get 50 % of the installed base to use it.

People do not tend to change the defaults when it comes to security other than
loosening it.

