Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?

On Tue, Apr 10, 2012 at 07:47:25AM -0400, Daniel J Walsh wrote:
>
> Because we are trying to protect the logged in user, where we currently do not
> confine that many domains, and even if you are using confined users we do not
> prevent a confined user process from ptrace on another user process, since
> they could be programmers or admins who need gdb or strace.  I always run as
> staff_t but staff_t is allowed ptrace of staff_t, unless the deny_ptrace
> boolean is set.
> 

Would it not be possible to wrap gdb/strace/etc. in something that
presents a password prompt before switching to a context that's allowed
to ptrace? Then it wouldn't be allowed to happen behind the user's back,
but would still give all users the ability to ptrace.

For example, something like a sudoers entry:

	ALL  ALL=(ALL) TYPE=ptracer_t ROLE=ptrace_r   PASSWD: /usr/bin/gdb, /usr/bin/strace

Ideally only unconfined_u, staff_u, sysadm_u and user_u should be
allowed to do this.


  -jf
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
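The wrapper the message above sketches, written out as an added example (not code from the thread, from Fedora, or from the SELinux reference policy): a small POSIX sh script that reads the real `deny_ptrace` boolean via `getsebool` and, when it is on, re-execs an allowlisted debugger through `sudo`, which prompts for a password and can switch SELinux role and type with its `-r`/`-t` options. The `ptracer_t` type and `ptrace_r` role are the hypothetical names from the proposal, not domains that exist in any shipped policy, and the matching sudoers line is the one quoted in the message. The functions are split out so the allowlist, boolean parsing and command construction can be exercised without SELinux or sudo present.

```shell
#!/bin/sh
# Added example: "ptrace-wrap", a wrapper for gdb/strace that escalates into a
# ptrace-capable SELinux context via sudo only when deny_ptrace is set.
#
# Assumed sudoers entry (the proposal from the thread; ptracer_t/ptrace_r are
# hypothetical names, no such domain is defined by the policy):
#   ALL  ALL=(ALL) TYPE=ptracer_t ROLE=ptrace_r   PASSWD: /usr/bin/gdb, /usr/bin/strace

PTRACE_TOOLS="/usr/bin/gdb /usr/bin/strace"   # allowlist, mirrors the sudoers Cmnd_List
PTRACE_TYPE="ptracer_t"                       # assumed SELinux type allowed to ptrace
PTRACE_ROLE="ptrace_r"                        # assumed SELinux role for that type

# is_allowed_tool PATH -> exit 0 if PATH is on the allowlist.
# PTRACE_TOOLS is deliberately unquoted so the shell splits it into words.
is_allowed_tool() {
    for t in $PTRACE_TOOLS; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# deny_ptrace_on GETSEBOOL_LINE -> exit 0 if the boolean is on.
# getsebool prints "deny_ptrace --> on" or "deny_ptrace --> off"; an empty
# string (getsebool missing or SELinux disabled) is treated as off.
deny_ptrace_on() {
    state=${1##*--> }
    [ "$state" = "on" ]
}

# build_ptrace_cmd TOOL [ARGS...] -> prints the escalated command line,
# exit 1 if TOOL is not allowlisted. Kept separate from exec so the
# construction can be checked without running sudo.
build_ptrace_cmd() {
    tool=$1; shift
    is_allowed_tool "$tool" || return 1
    printf 'sudo -r %s -t %s -- %s' "$PTRACE_ROLE" "$PTRACE_TYPE" "$tool"
    for a in "$@"; do
        printf ' %s' "$a"
    done
    printf '\n'
}

# run_wrapper TOOL [ARGS...] -> exec TOOL directly, or through sudo when the
# current domain is denied ptrace. sudo's own password prompt is what keeps
# the escalation from happening behind the user's back.
run_wrapper() {
    tool=$1; shift
    if ! is_allowed_tool "$tool"; then
        echo "ptrace-wrap: $tool is not an allowed debugger" >&2
        return 2
    fi
    if deny_ptrace_on "$(getsebool deny_ptrace 2>/dev/null)"; then
        # deny_ptrace is set: our own domain cannot ptrace, so re-exec via sudo
        # into the (assumed) role/type that the policy allows to ptrace.
        exec sudo -r "$PTRACE_ROLE" -t "$PTRACE_TYPE" -- "$tool" "$@"
    fi
    # Boolean off: staff_t et al. may ptrace their own domain already.
    exec "$tool" "$@"
}

# Only act as the wrapper when installed under that name, e.g.
#   /usr/local/bin/ptrace-wrap /usr/bin/gdb -p 1234
case "${0##*/}" in
    ptrace-wrap) run_wrapper "$@" ;;
esac
```

Installing this as `ptrace-wrap` does not by itself stop a user from calling `/usr/bin/gdb` directly; that is what the `deny_ptrace` boolean enforces. The wrapper only adds the password-gated path back into a ptrace-capable context, and the sudoers `Cmnd_List` is what keeps that path limited to the listed binaries.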


