|From:||Daniel J Walsh <dwalsh-AT-redhat.com>|
|To:||Development discussions related to Fedora <devel-AT-lists.fedoraproject.org>|
|Subject:||Re: SELinuxDenyPtrace: Write, compile, run, but don't debug applications?|
|Date:||Mon, 09 Apr 2012 16:55:27 -0400|
On 04/09/2012 04:11 PM, Przemek Klosowski wrote:
> On 04/09/2012 06:08 AM, Matej Cepl wrote:
>
>> Without getting into this discussion much, I would just note a bit of
>> shocking news for you ... I am afraid you are not an ordinary Fedora
>> user. If abrt/breakpad/etc. works as they should, then I don't think
>> majority of Fedora users have any reason why to pull out gdb at all.
>
> It's not just gdb: I use strace when applications have mysterious runtime
> problems of the type that outputs "configuration error" but doesn't say
> which file it is looking for or reading. Such introspection is one of the
> principal reasons Linux works better than the alternatives.

Yes we understand why ptrace and gdb and other stuff is good. We currently allow you to enable this by executing as root

    setsebool deny_ptrace 0

or if you want it permanently disabled

    setsebool -P deny_ptrace 0

My argument is if you understand what ptrace or gdb are, you probably can figure out how to turn this feature off. And we are even putting information into the commands to tell you how to disable it.

But for the vast majority of computer users who would what the hell strace, ptrace, gdb, DrKonqi are, we should disable the ability of any process on their desktop from being able to read/manipulate other processes on their desktop.

And guess what, I use these tools, and I just execute

    setsebool deny_ptrace 0

anytime I need to strace or debug an application, then I turn it back on when I am done.

--
devel mailing list
email@example.com
https://admin.fedoraproject.org/mailman/listinfo/devel
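The toggle-debug-restore workflow described in the message above can be wrapped so the boolean is put back even when the traced command fails or is interrupted. This is an added example, not part of the original message or of Fedora's tooling; the function names `deny_ptrace_state` and `with_ptrace_allowed` are hypothetical, and it assumes it runs as root on a system that has the `deny_ptrace` boolean.

```shell
# Added example: keep the window in which ptrace is allowed as short as
# one command. Assumes root and a policy with the deny_ptrace boolean.

# Print "on" or "off", parsing getsebool output of the form
# "deny_ptrace --> on".
deny_ptrace_state() {
    getsebool deny_ptrace | awk '{ print $NF }'
}

# Usage: with_ptrace_allowed strace -f -o /tmp/trace.txt some_app
with_ptrace_allowed() {
    prev=$(deny_ptrace_state)
    case "$prev" in
        on|off) ;;
        *) echo "cannot read deny_ptrace state" >&2; return 1 ;;
    esac

    # Only touch the boolean if it is currently enforcing the restriction.
    if [ "$prev" = on ]; then
        setsebool deny_ptrace 0 || return 1
    fi

    # Catch INT/TERM so this shell survives Ctrl-C and reaches the restore
    # step; the child still receives the signal with its default action.
    trap 'echo "interrupted, restoring deny_ptrace" >&2' INT TERM

    rc=0
    "$@" || rc=$?

    trap - INT TERM

    # Restore only what we changed; a state that was already "off"
    # (for example set with -P by the admin) is left alone.
    if [ "$prev" = on ]; then
        setsebool deny_ptrace 1 ||
            echo "WARNING: deny_ptrace is still off" >&2
    fi
    return "$rc"
}
```

The wrapper never passes `-P`, so a reboot also returns the system to its persistent setting.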