
Please leave unconfined unconfined

Please consider modifying deny_ptrace to leave unconfined unconfined.

Rationale:
1. Consider a student taking a programming 101 course and just learning to use GDB. It's very hard to arrange things so that the information "there's this thing called SELinux booleans and you have to turn one off" reaches them.

2. Fedora / Red Hat currently does not have majority market share among application developers on Unix-like platforms. If gdb works out of the box on Mac OSX and Ubuntu but not on Fedora, things are not going to end well.

This is from a user that's been reading your blog for years and tries hard to help his friends leave SELinux in enforcing mode by spreading information about permissive domains and custom SELinux modules.

Why did you make deny_ptrace apply to unconfined when you have your two requirements?

Re: Please leave unconfined unconfined

1. Currently the ptrace access does not seem to apply to gdb PROGRAM. Only gdb -P PID, so for most students this would not be a problem.
Also I believe Ubuntu has a similar feature to turn off the ability to ptrace random processes.

Also I think turning off security for a small subsection of people who could easily adjust their machines or have the teacher adjust their machines is not a justification.

2. I don't believe turning on or off this boolean is going to affect the number of developers on Red Hat Platforms.

If deny_ptrace does not apply to unconfined_t it would be almost useless, since it would apply to a minority of people using confined domains.

Re: Please leave unconfined unconfined

At least on my f17 install it denies even things like gdb ./helloworld where I start gdb on my own program I just wrote.

Turning it off, so that I can debug my own programs, means globally allowing it also for things I don't want to have this capability?

I do think it is going to affect developers on Fedora/Red Hat platforms. Not every hacker is administrator on all machines/servers they have to work on. If they are not the administrator it will mean that by default they cannot write/compile/debug stuff normally on such a machine. And I wouldn't be surprised if this becomes a "security race" between the developer vs the administrator wanting/not wanting to allow ptrace globally.
