On Sun, 08 Apr 2012 22:50:21 +0200, Tom Lane wrote:
> A possible compromise that might allow software developers to live
> with the setting would be if the default excluded gdb

A counterargument in some bug was that the attacker can then spawn GDB instead of using PTRACE_ATTACH in that process itself. SELinux tries to limit the impact of already exploited code, so it is difficult to say what is right. The right thing is not to have any exploitable code.

F-17 should at least bring it to the level of YAMA functionality:
SELinux deny_ptrace: Do not restrict PTRACE_TRACEME [NEW]
https://bugzilla.redhat.com/show_bug.cgi?id=802072

Regards,
Jan

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel