Well, most confined domains should not have ptrace, period.

We made some kernel changes that stopped generating ptrace AVCs when looking at /proc/PID, which allows us to clean up lots of the policy to remove ptrace and sys_ptrace from almost all unconfined domains.

deny_ptrace's main goal is to take this away from the unconfined_t domain, since most users log in with the context.
