• 1
As a random thought, how feasible would it be a specific warning included in common ptrace users (eg, gdb) if you use, eg, "gdb -P PID" and it fails to attach but all the "normal" permission checks pass (eg, same userid, etc). A "this could be due to ptrace being blocked on unconfined users; see ..." type warning.

I suggest this having, earlier this week, in another context, spent a few minutes scratching my head wondering why something I was expecting not to be confined beyond normal unix permissions wasn't able to access file that its user appeared to be able to access. So if one expects to be unconfined and isn't, then a warning that "maybe you're more confined than you thought" is valuable.

Ewen

PS: I don't think just an AVC log is going to help the uneducated enough. If they don't know they're being restricted they might not think to look there (which is where I was; once I thought to check it was immediately obvious what the cause of my issue was).

  • 1
?

Log in