SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Daniel J Walsh dwalsh at redhat.com
Tue Apr 10 11:47:25 UTC 2012


On 04/09/2012 10:00 PM, Kevin Kofler wrote:
> Daniel J Walsh wrote:
>> We already block ptrace from almost every confined domain other than
>> user domains.
> 
> Then why not just keep it that way instead of breaking GDB?
> 
> Kevin Kofler
> 
Because we are trying to protect the logged in user, where we currently do not
confine that many domains, and even if you are using confined users we do not
prevent a confined user process from ptrace on another user process, since
they could be programmers or admins who need gdb or strace.  I always run as
staff_t, but staff_t is allowed ptrace of staff_t unless the deny_ptrace
boolean is set.
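The message turns on one policy knob: the deny_ptrace boolean, which removes the staff_t-to-staff_t ptrace allowance that gdb and strace rely on. The script below is an added example, not part of the thread or of the Fedora/SELinux tooling: it audits that boolean on a live system with the standard `getsebool` and (if setools is installed) `sesearch` commands, and it classifies audit records for ptrace denials so a defender can see when the boolean starts blocking something. The `getsebool` line and the AVC record it parses offline are constructed samples.

```sh
#!/bin/sh
# Added example (not from the mailing list thread): audit the deny_ptrace
# boolean the message describes. When the SELinux userland tools exist it
# queries the live policy; the parsing helpers also run on constructed sample
# lines so the logic can be exercised on a machine without SELinux.

# Normalise one `getsebool` output line ("deny_ptrace --> off") to on/off.
# Returns 1 if the line does not describe the boolean at all.
parse_bool_line() {
  case "$1" in
    "deny_ptrace --> on")  echo on ;;
    "deny_ptrace --> off") echo off ;;
    *) echo unknown; return 1 ;;
  esac
}

# Classify one audit record: "ptrace-denial" if it is an AVC denial for the
# ptrace permission (the double spaces are how auditd writes AVC records),
# "other" for anything else.
classify_avc() {
  case "$1" in
    *"avc:  denied  { ptrace }"*) echo ptrace-denial ;;
    *) echo other ;;
  esac
}

# Live check: report the boolean, then list the allow rules for
# staff_t -> staff_t process:ptrace so the conditional rule is visible.
# Returns 0 only when deny_ptrace is on, 2 when the check cannot run.
audit_deny_ptrace() {
  if ! command -v getsebool >/dev/null 2>&1; then
    echo "getsebool not available; skipping live check" >&2
    return 2
  fi
  line=$(getsebool deny_ptrace 2>/dev/null) || {
    echo "deny_ptrace boolean not present in this policy" >&2
    return 2
  }
  state=$(parse_bool_line "$line")
  echo "deny_ptrace is $state"
  if command -v sesearch >/dev/null 2>&1; then
    sesearch -A -s staff_t -t staff_t -c process -p ptrace 2>/dev/null
  fi
  [ "$state" = on ]
}

# Constructed sample inputs for offline use (not captured from a real host).
SAMPLE_BOOL_OFF="deny_ptrace --> off"
SAMPLE_AVC='type=AVC msg=audit(1334058445.123:42): avc:  denied  { ptrace } for  pid=1234 comm="gdb" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process'

if [ "${1:-}" = "--demo" ]; then
  parse_bool_line "$SAMPLE_BOOL_OFF"   # off
  classify_avc "$SAMPLE_AVC"           # ptrace-denial
  audit_deny_ptrace
fi
```

Run it with `--demo` on a Fedora host to see both the parsed sample and the live state; `setsebool -P deny_ptrace on` is the persistent way to flip the boolean, after which the AVC record shape above is what a blocked gdb attach produces in the audit log.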
