I thought I made this clear in my blogs and the feature page that I wanted deny_ptrace on by default.

http://danwalsh.livejournal.com/49336.html
https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace
http://danwalsh.livejournal.com/49564.html

Even on YouTube:

https://www.youtube.com/watch?v=WVRS9krNFxU

We did have a bug in Alpha where it was turned off. Now that people are actually seeing it turned on in Fedora 17 Beta, they are reacting.

If the Fedora Board decides it should be turned off by default, I will of course abide by this decision. I could turn it off for Fedora 17 final and on in Rawhide to find other problems with the feature.

As I have stated in the blogs, this would be sad, since the goal of this feature is to protect the people who would never execute gdb -p and don't even know what gdb is, i.e. the vast majority of computer users. So we will make the system insecure for the majority, who will never turn on security features since they expect the machine to be secure by default, for the developers who know fully how to turn off the feature, so they will not be inconvenienced.

Secondarily, we do not know which software needs to be able to ptrace another process, or what we get wrong with the feature, without turning it on. I.e. we did not know we broke DrKonqi until we turned it on.

We have heard feedback from people to say they want gdb /usr/bin/foobar or strace /usr/bin/foobar to work, which is the fix Eric is adding to the kernel. We are trying to figure out a fix for DrKonqi, but have no feedback from these people other than "we suck, so turn it off". Let's work to figure out if we can do this feature with DrKonqi.

One suggestion I have heard is to turn the feature off if someone installs gdb, like we do with DrKonqi, which might be a better solution than disabling by default. Although abrt-desktop seems to require gdb...

Labeling an application and allowing a transition will not work as long as we have unconfined_t users. For example, it has been suggested that we label certain apps like gdb or DrKonqi as ptrace_exec_t and then transition when these apps get executed. But an unconfined_t user can label any file as ptrace_exec_t and transition to the domain that allows ptrace. Changing the default user from unconfined_t to staff_t would allow us to fix this problem, but I have a feeling the screaming about that would be overwhelming.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
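The developer-side alternative to shipping the feature off for everyone, as an added example that is not part of the message above: a small POSIX sh helper that reads the deny_ptrace boolean and lifts it only for the duration of one debugging command, restoring the secure default afterwards. It assumes a Fedora host with SELinux and the policycoreutils tools (getsebool/setsebool) and root privileges for the toggle; the helper name with_ptrace_allowed is mine.

```sh
#!/bin/sh
# Added example, not from the original message. Assumes SELinux with
# policycoreutils (getsebool/setsebool) and root for setsebool.

# Extract "on"/"off" from a getsebool line such as "deny_ptrace --> on".
sebool_value() {
    printf '%s\n' "$1" | awk 'NF >= 3 && $2 == "-->" { print $3 }'
}

# Current runtime value of deny_ptrace; fails if the SELinux tools are absent.
deny_ptrace_state() {
    command -v getsebool >/dev/null 2>&1 || return 1
    sebool_value "$(getsebool deny_ptrace 2>/dev/null)"
}

# Run one command (e.g. gdb -p PID) with deny_ptrace temporarily off.
# Runtime-only toggle (no -P), so a reboot or policy reload returns to
# the default; the previous value is restored even if the command fails
# or the session is interrupted.
with_ptrace_allowed() {
    prev=$(deny_ptrace_state) || { echo "SELinux tools not available" >&2; return 1; }
    [ -n "$prev" ] || { echo "deny_ptrace boolean not found" >&2; return 1; }
    if [ "$prev" = "off" ]; then
        "$@"            # already permitted; nothing to change
        return $?
    fi
    trap 'setsebool deny_ptrace on' INT TERM
    setsebool deny_ptrace off || { trap - INT TERM; return 1; }
    "$@"
    rc=$?
    setsebool deny_ptrace on
    trap - INT TERM
    return $rc
}

# Usage (as root): with_ptrace_allowed gdb -p "$(pidof some-process)"
```

Denials from the default-on state show up in the audit log as AVC records with a ptrace permission, which is the quickest way to tell whether a given tool actually needs the boolean flipped.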