SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


I recently tested out f17 and saw I can no longer trace or debug
applications by default. While I appreciate why one might want
some applications to not ptrace any other application, it is a
bit of a sledge hammer to deny any and all program introspection.

implied that this feature could be turned on by an administrator,
but recently it was changed to be on by default. Was that intended?
The change to selinux-policy was fairly recent (3.10.0-92) and seems
to have taken at least some people by surprise.

IMHO turning this on globally is a bit of a sledgehammer. Also the
fact that when you just want to trace or debug your own applications
you now also have to allow it for everything is discouraging. I like
the idea to disallow this for say firefox plugins or httpd cgi scripts,
but does it really have to be global all or nothing?

It seems a little odd that a user is now allowed to write, compile
and run their own programs, but then wouldn't be allowed to debug
them by default.

The feature also assumes developers and administrators are the same
person on a machine. While this often is the case, it isn't generally.
This might lead to a "security fight" between administrators and
developers who is or isn't allowed to analyse the system. Not helped
by the fact that this feature seems to be globally on or off only.

Is there still time to discuss and/or reconsider turning this on by
default for F17?


devel mailing list

[Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Home]     [Fedora Tools]     [Fedora PHP Devel]     [Kernel List]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

Add to Google Powered by Linux