Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?


On 04/09/2012 08:22 PM, Daniel J Walsh wrote:
> On 04/09/2012 02:15 PM, Miloslav Trmač wrote:
>> On Mon, Apr 9, 2012 at 4:58 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>>> One suggestion I have heard is to turn the feature off if someone installs
>>> gdb like we do with DrKonqi, which might be a better solution than
>>> disabling by default.
>>
>> It would be very surprising if merely installing a package changed the
>> security configuration that is not directly related to the files installed
>> by the package.
>> Mirek
>
> Right, although this is about compromise.  I want the feature for as many
> users as possible.

We know, believe me...
Do you want to know what *users* want?

> If I have it on, I will hit 90% of the installed SELinux
> Base.  If I turn it off by default I will hit < 1% of the installed SELinux
> Base.  If I compromise I can get 50% of the installed base to use it.

Poor installed base....

> People do not tend to change the defaults when it comes to security other than
> loosening it.

People also tend to remove handcuffs at every opportunity they get.
I wonder why.
