SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Jan-Frode Myklebust janfrode at tanso.net
Tue Apr 10 20:14:30 UTC 2012


On Tue, Apr 10, 2012 at 07:47:25AM -0400, Daniel J Walsh wrote:
>
> Because we are trying to protect the logged in user, where we currently do not
> confine that many domains, and even if you are using confined users we do not
> prevent a confined user process from ptrace on another user process, since
> they could be programmers or admins who need gdb or strace.  I always run as
> staff_t, but staff_t is allowed ptrace of staff_t, unless the deny_ptrace
> boolean is set.
> 

Would it not be possible to wrap gdb/strace/etc. in something that
presents a password prompt before switching to a context that's allowed
to ptrace? Then it wouldn't be allowed to happen behind the user's back,
but would still give all users the ability to ptrace.

F.ex. something like a sudoers:

	ALL  ALL=(ALL) TYPE=ptracer_t ROLE=ptrace_r   PASSWD: /usr/bin/gdb, /usr/bin/strace

ideally only unconfined_u, staff_u, sysadm_u and user_u should be
allowed to do this.


  -jf

