Re: AVC attaching gdb to Mozilla process.
- From: Stephen Smalley <sds epoch ncsc mil>
- To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: AVC attaching gdb to Mozilla process.
- Date: Wed, 28 Apr 2004 08:11:40 -0400
On Wed, 2004-04-28 at 02:05, Aleksey Nogin wrote:
> Under policy-sources-1.11.2-18:
>
> audit(1083131647.146:0): avc: denied { signal } for pid=28661
> exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t
> tcontext=aleksey:staff_r:staff_t tclass=process
In general, you'd like to confine mozilla so that if it is subverted by
malicious code, then it can't do much harm. So allowing it to send
signals back to the user domain isn't desirable. For development
environments, you might want a policy tunable or boolean to allow such
permissions, but not for operational use.
--
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
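
An added example, not part of the original message or of the Fedora policy sources: a small triage script that parses the AVC denial quoted above and, when a confined domain requests process permissions over a user domain, proposes the rule only inside a conditional-policy boolean that defaults to off. The boolean name `devel_mozilla_signal` and the `USER_DOMAINS` set are assumptions made for illustration.

```python
import re

# The denial quoted in the message above, with its wrapped lines joined.
AVC = ("audit(1083131647.146:0): avc: denied { signal } for pid=28661 "
       "exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t "
       "tcontext=aleksey:staff_r:staff_t tclass=process")

# Assumption: the domains that count as "the user domain" on this system.
USER_DOMAINS = {"user_t", "staff_t", "sysadm_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)")


def parse_avc(line):
    """Extract permissions, source/target types and class from one denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial")
    kv = dict(f.split("=", 1) for f in m.group("kv").split() if "=" in f)
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type[:level]; the type is the third field.
        "source": kv["scontext"].split(":")[2],
        "target": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }


def crosses_into_user_domain(d, user_domains=USER_DOMAINS):
    """True when a different domain wants process access to a user domain."""
    return (d["tclass"] == "process"
            and d["target"] in user_domains
            and d["source"] != d["target"])


def suggest_rule(d, boolean="devel_mozilla_signal"):
    """Return policy text; user-domain crossings are gated behind a boolean."""
    rule = f"allow {d['source']} {d['target']}:{d['tclass']} {{ {' '.join(d['perms'])} }};"
    if crosses_into_user_domain(d):
        # Hypothetical boolean, default false: off for operational use.
        return f"bool {boolean} false;\nif ({boolean}) {{\n    {rule}\n}}"
    return rule  # other denials still need manual review before use


if __name__ == "__main__":
    print(suggest_rule(parse_avc(AVC)))
```
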