SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Jim Meyering jim at meyering.net
Tue Apr 10 15:24:41 UTC 2012


Mark Wielaard wrote:
> On Mon, Apr 09, 2012 at 10:58:43AM -0400, Daniel J Walsh wrote:
>> I thought I made this clear in my blogs and the feature page that I wanted
>> this on deny_ptrace on by default.
>> [...]
>> We did have a bug in Alpha where it was turned off.  Now that people are
>> actually seeing it turned on in Fedora 17 Beta, they are reacting.
>
> My apologies I seem to react to this change so late. Now that I have seen
> your other blog postings I see that was your intention. But I did see the
> initial proposal and, like others, and FESCO, read it as making it an
> option that could be turned on. But not by default. Because that creates
> this situation that a normal user/developer needs to ask their admin to
> fix their machine even though they can write, compile and run their own
> programs, but suddenly aren't allowed to debug, profile or trace them.
> If I had thought it would be turned on by default, I would have spoken
> up sooner to try and help figure out something that wouldn't create such
> a disruption.

Not being able to get an strace from du or df (or several other
programs in coreutils) would be a problem for me as coreutils maintainer.
If someone is reporting strange behavior from those tools, it is
common that the easiest way for us to diagnose the failure is by
getting them to strace the program in their somehow-unusual environment.

This situation arises once or twice a month, and the user reporting
the problem might well not have root access to the system with the
unusual file system or kernel.  Admittedly, it hasn't happened much
with Fedora recently, but with combinations of virtual machines and
new file system types, we're far from seeing the last of those.
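The failure mode described above (strace or gdb refused on a box where the reporter has no root) is easy to confuse with other problems. The script below is an added example, not part of this post or of Fedora's tooling: it tells a deny_ptrace denial apart from everything else by reading the boolean with getsebool(8) and counting ptrace AVC records in audit output, so the reporter can hand their admin a precise request. The getsebool line and audit records embedded here are constructed samples used when the real tools are absent; on a Fedora 17 system with the tools present it reads the live values instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): diagnose whether the SELinux
# deny_ptrace boolean is what stops strace/gdb on this machine.
# Assumes Fedora's getsebool(8) and ausearch(8); the sample data below is
# constructed for an offline run.

# Constructed sample of `getsebool deny_ptrace` output on a F17 Beta box.
SAMPLE_GETSEBOOL='deny_ptrace --> on'

# Constructed sample of audit records in audit.log / `ausearch -m AVC` format:
# two ptrace denials (strace, gdb) plus an unrelated SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1334000000.000:1): avc:  denied  { ptrace } for  pid=1234 comm="strace" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1334000000.100:2): avc:  denied  { ptrace } for  pid=1235 comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1334000000.000:1): arch=c000003e syscall=101 success=no exit=-13'

# Parse one getsebool line ("name --> on|off").  Prints "on" or "off";
# returns 1 when the line is not in that form (e.g. the boolean is missing
# from the loaded policy, which is what an older policy reports).
bool_state() {
    # shellcheck disable=SC2086  # word splitting is intended here
    set -- $1
    [ "$#" -eq 3 ] && [ "$2" = '-->' ] || return 1
    case "$3" in
        on|off) printf '%s\n' "$3" ;;
        *) return 1 ;;
    esac
}

# Count AVC records on stdin that deny the ptrace permission.  Always prints
# a number (grep -c prints 0 but exits 1 on no match, hence the "|| :").
count_ptrace_denials() {
    grep -c 'avc: *denied *{ ptrace }' || :
}

# Combine both signals.  $1 = getsebool line, $2 = audit text.
# Prints a one-line verdict; returns 0 when policy is denying ptrace,
# 1 when the boolean and the audit log point elsewhere.
diagnose() {
    state=$(bool_state "$1") || state=unknown
    n=$(printf '%s\n' "$2" | count_ptrace_denials)
    if [ "$state" = on ] || [ "$n" -gt 0 ]; then
        printf 'deny_ptrace=%s, %s ptrace AVC denial(s): ask an admin for "setsebool deny_ptrace 0" (add -P to persist)\n' "$state" "$n"
        return 0
    fi
    printf 'deny_ptrace=%s, no ptrace AVC denials: the boolean is not what blocks tracing here\n' "$state"
    return 1
}

# Use the live tools when present, otherwise the constructed samples.
main() {
    if command -v getsebool >/dev/null 2>&1; then
        line=$(getsebool deny_ptrace 2>/dev/null || :)
        audit=$(ausearch -m AVC -ts today 2>/dev/null || :)   # needs root to read the log
    else
        line=$SAMPLE_GETSEBOOL
        audit=$SAMPLE_AUDIT
    fi
    diagnose "$line" "$audit"
}

main "$@"
```

Run it as the reporting user first; if it reports denials, the audit records are also the evidence to attach to the bug, and the admin only has to flip the boolean for the duration of the debugging session rather than hunt for the cause themselves.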