Hi,

I recently tested out f17 and saw I can no longer trace or debug applications by default. While I appreciate why one might want some applications to not ptrace any other application, it is a bit of a sledge hammer to deny any and all program introspection.

Previously https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace implied that this feature could be turned on by an administrator, but recently it was changed to be on by default. Was that intended? The change to selinux-policy was fairly recent (3.10.0-92) and seems to have taken at least some people by surprise.

IMHO turning this on globally is a bit of a sledgehammer. Also the fact that when you just want to trace or debug your own applications you now also have to allow it for everything is discouraging. I like the idea to disallow this for say firefox plugins or httpd cgi scripts, but does it really have to be global all or nothing?

It seems a little odd that a user is now allowed to write, compile and run their own programs, but then wouldn't be allowed to debug them by default.

The feature also assumes developers and administrators are the same person on a machine. While this often is the case, it isn't generally. This might lead to a "security fight" between administrators and developers who is or isn't allowed to analyse the system. Not helped by the fact that this feature seems to be globally on or off only.

Is there still time to discuss and/or reconsider turning this on by default for F17?

Thanks,

Mark