SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

Mark Wielaard mjw at redhat.com
Sun Apr 15 14:30:52 UTC 2012


On Fri, Apr 13, 2012 at 10:26:06AM -0400, Daniel J Walsh wrote:
> Trying to fix all apps that could include "confidential" data from Programmer
> Debugging tools, which a very small percentage of users use, is just crazy.

It isn't just debugging tools that would break, but also things like wine, the
java tools, performance and tracing tools, etc. And even if they were a
small percentage of the users, it is an important part of Fedora. It would
set an extremely bad precedent if we would make it harder for users to be
programmers.

> We now have a feature for those who care about security that can stop any
> process on the system from reading/modifying the memory of any other process
> on the system.  If sysadmins want to take advantage of this they can. If they
> do not, then they can turn it off.

It is good to have the feature. It is just crazy to turn it on by default
as long as that means breaking a normal install. We already have solutions
for the most important security sensitive programs like gnome-keytools and
ssh-agent. We don't have to go for "perfect security" as long as there is
no satisfactory solution to just clobbering normal functionality for all
users (and make them unbreak their machines and/or disable selinux for good,
which IMHO would be a bad thing).

Thanks,

Mark

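The thread argues about whether the ptrace-blocking SELinux boolean should be on by default and notes that an administrator can turn it off. The script below is an added example, not part of the original thread or of Fedora's own tooling: it reports the current state of the boolean, counts the ptrace AVC denials that show which tools the policy is breaking on a given machine, and leaves the toggling command as a comment. It assumes the Fedora boolean name `deny_ptrace` and the standard `getsebool`, `setsebool` and `ausearch` commands; the audit lines embedded in `SAMPLE_AUDIT` are constructed so the parsing functions can be exercised on a host without SELinux.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect the deny_ptrace
# SELinux boolean and summarise ptrace AVC denials from audit output.
# Assumptions: boolean name "deny_ptrace" (Fedora policy), tools
# getsebool/setsebool/ausearch. SAMPLE_AUDIT below is constructed data.

# Constructed audit records: two ptrace denials (gdb, strace) and one
# unrelated file read denial that must not be counted.
SAMPLE_AUDIT='type=AVC msg=audit(1334489001.001:101): avc:  denied  { ptrace } for  pid=2101 comm="gdb" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1334489002.002:102): avc:  denied  { ptrace } for  pid=2102 comm="strace" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1334489003.003:103): avc:  denied  { read } for  pid=2103 comm="cat" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Map one line of `getsebool deny_ptrace` output ("deny_ptrace --> on")
# to "on", "off" or "unknown" (e.g. boolean absent from the loaded policy).
deny_ptrace_state() {
    case "$1" in
        "deny_ptrace --> on")  echo on ;;
        "deny_ptrace --> off") echo off ;;
        *)                     echo unknown ;;
    esac
}

# Count AVC records (on stdin) that denied the ptrace permission.
# awk is used instead of grep -c so an empty result prints 0 and exits 0.
count_ptrace_denials() {
    awk '/avc:  denied  \{ ptrace \}/ { n++ } END { print n + 0 }'
}

# Print the distinct comm= values of processes denied ptrace, one per line,
# i.e. the tools that deny_ptrace is currently breaking for the users.
ptrace_denied_comms() {
    sed -n 's/.*{ ptrace }.*comm="\([^"]*\)".*/\1/p' | sort -u
}

main() {
    if command -v getsebool >/dev/null 2>&1; then
        state=$(deny_ptrace_state "$(getsebool deny_ptrace 2>/dev/null || true)")
    else
        # No SELinux userland here: fall back to a constructed line.
        state=$(deny_ptrace_state "deny_ptrace --> on")
    fi
    echo "deny_ptrace is $state"

    # Live audit data needs root; otherwise summarise the constructed sample.
    if command -v ausearch >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        avc=$(ausearch -m avc --raw 2>/dev/null || true)
    else
        avc=$SAMPLE_AUDIT
    fi
    echo "ptrace denials: $(printf '%s\n' "$avc" | count_ptrace_denials)"
    echo "tools denied ptrace:"
    printf '%s\n' "$avc" | ptrace_denied_comms | sed 's/^/  /'

    # To relax the policy persistently (administrator's choice, as the
    # thread describes), run:  setsebool -P deny_ptrace 0
}

main "$@"
```

Run it as root on an SELinux host to see live data; anywhere else it reports on the constructed sample, which is enough to see the shape of the denials a developer would hit when the boolean is on.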