
Re: Please leave unconfined unconfined

1. Currently the ptrace access does not seem to apply to gdb PROGRAM, only to gdb -p PID, so for most students this would not be a problem.
Also, I believe Ubuntu has a similar feature to turn off the ability to ptrace random processes.

Also I think turning off security for a small subsection of people who could easily adjust their machines or have the teacher adjust their machines is not a justification.

2. I don't believe turning on or off this boolean is going to affect the number of developers on Red Hat Platforms.

If deny_ptrace does not apply to unconfined_t it would be almost useless, since it would apply to a minority of people using confined domains.

Re: Please leave unconfined unconfined

At least on my f17 install it denies even things like gdb ./helloworld where I start gdb on my own program I just wrote.

Turning it off so that I can debug my own programs means globally allowing it also for things I don't want to have this capability?

I do think it is going to affect developers on the Fedora/Red Hat platform. Not every hacker is administrator on all machines/servers they have to work on. If they are not the administrator it will mean that by default they cannot write/compile/debug stuff normally on such a machine. And I wouldn't be surprised if this becomes a "security race" between the developer vs the administrator wanting/not wanting to allow ptrace globally.
