SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Daniel J Walsh dwalsh at redhat.com
Mon Apr 9 20:55:27 UTC 2012


On 04/09/2012 04:11 PM, Przemek Klosowski wrote:
> On 04/09/2012 06:08 AM, Matej Cepl wrote:
> 
>> Without getting into this discussion much, I would just note a bit of 
>> shocking news for you ... I am afraid you are not an ordinary Fedora 
>> user. If abrt/breakpad/etc. works as they should, then I don't think 
>> majority of Fedora users have any reason why to pull out gdb at all.
> 
> It's not just gdb: I use strace when applications have mysterious runtime 
> problems of the type that outputs "configuration error" but doesn't say
> which file it is looking for or reading. Such introspection is one of the
> principal reasons Linux works better than the alternatives.

Yes we understand why ptrace and gdb and other stuff is good.  We currently
allow you to enable this by executing as root

setsebool deny_ptrace 0

or if you want it permanently disabled

setsebool -P deny_ptrace 0

My argument is if you understand what ptrace or gdb are, you probably can
figure out how to turn this feature off. And we are even putting information
into the commands to tell you how to disable it.  But for the vast majority of
computer users who would what the hell strace, ptrace, gdb, DrKonqi are, we
should disable the ability of any process on their desktop from being able to
read/manipulate other processes on their desktop.

And guess what I use these tools, and I just execute setsebool deny_ptrace 0
anytime I need to strace or debug an application, then I turn it back on when
I am done.
