Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

On 04/09/2012 04:11 PM, Przemek Klosowski wrote:
> On 04/09/2012 06:08 AM, Matej Cepl wrote:
> 
>> Without getting into this discussion much, I would just note a bit of 
>> shocking news for you ... I am afraid you are not an ordinary Fedora 
>> user. If abrt/breakpad/etc. works as they should, then I don't think 
>> majority of Fedora users have any reason why to pull out gdb at all.
> 
> It's not just gdb: I use strace when applications have mysterious runtime 
> problems of the type that outputs "configuration error" but doesn't say
> which file it is looking for or reading. Such introspection is one of the
> principal reasons Linux works better than the alternatives.

Yes, we understand why ptrace and gdb and other stuff is good.  We currently
allow you to enable this by executing as root:

setsebool deny_ptrace 0

or, if you want it permanently disabled:

setsebool -P deny_ptrace 0

My argument is if you understand what ptrace or gdb are, you probably can
figure out how to turn this feature off. And we are even putting information
into the commands to tell you how to disable it.  But for the vast majority of
computer users who would ask what the hell strace, ptrace, gdb, DrKonqi are, we
should disable the ability of any process on their desktop from being able to
read/manipulate other processes on their desktop.

And guess what, I use these tools, and I just execute setsebool deny_ptrace 0
anytime I need to strace or debug an application, then I turn it back on when
I am done.




-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
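
The toggle-and-restore routine described in the message above, as an added example that is not part of the original post: a shell wrapper that turns deny_ptrace off for the duration of one command and turns it back on afterwards, including when the command fails or is interrupted. The function names and the script name are hypothetical; it assumes it runs as root and that getsebool prints the usual `deny_ptrace --> on` form.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root.
# Usage (hypothetical script name): ./with-ptrace.sh strace -f -o /tmp/trace.txt myapp

# Print the current value ("on" or "off"); getsebool prints "deny_ptrace --> on".
ptrace_bool_state() {
    getsebool deny_ptrace | awk '{ print $NF }'
}

# Run "$@" with deny_ptrace off, then restore the state found at entry.
with_ptrace() {
    _wp_prev=$(ptrace_bool_state) || return 1
    case "$_wp_prev" in
        on|off) ;;
        *) echo "with_ptrace: cannot read deny_ptrace state" >&2; return 1 ;;
    esac

    if [ "$_wp_prev" = on ]; then
        # If interrupted mid-run, put the protection back immediately.
        trap 'setsebool deny_ptrace 1' INT TERM HUP
        # No -P: the change is runtime-only and does not survive a reboot.
        setsebool deny_ptrace 0 || { trap - INT TERM HUP; return 1; }
    fi

    # "|| _wp_rc=$?" keeps a failing command from aborting under "set -e"
    # before the boolean is restored.
    _wp_rc=0
    "$@" || _wp_rc=$?

    if [ "$_wp_prev" = on ]; then
        trap - INT TERM HUP
        if ! setsebool deny_ptrace 1; then
            echo "with_ptrace: WARNING: deny_ptrace is still off" >&2
            return 1
        fi
    fi
    return "$_wp_rc"
}

# When invoked with arguments, act as a wrapper around that command.
if [ "$#" -gt 0 ]; then
    with_ptrace "$@"
fi
```

If the boolean was already off when the wrapper started, it is left off, so the wrapper never changes a setting the administrator chose deliberately.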


