Maybe better is to add the following booleans:
unconfined_may_ptrace on/off
rest_may_ptrace on/off

I assume doing this for every domain is way too much (for example: httpd_may_ptrace).

Well, most confined domains should not have ptrace, period.

We made some kernel changes that stopped generating ptrace AVCs when looking at /proc/PID, which allows us to clean up lots of the policy to remove ptrace and sys_ptrace from almost all unconfined domains.

deny_ptrace's main goal is to take this away from the unconfined_t domain, since most users log in with the context.

