On 04/09/2012 10:00 PM, Kevin Kofler wrote:
> Daniel J Walsh wrote:
>> We already block ptrace from almost every confined domain other than
>> user domains.
>
> Then why not just keep it that way instead of breaking GDB?
>
> Kevin Kofler
>
Because we are trying to protect the logged in user, where we currently do not confine that many domains, and even if you are using confined users we do not prevent a confined user process from ptrace on another user process, since they could be programmers or admins who need gdb or strace.

I run always as staff_t but staff_t is allowed ptrace of staff_t, unless the deny_ptrace boolean is set.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel