
Re: AVC attaching gdb to Mozilla process.



On 28.04.2004 05:11, Stephen Smalley wrote:

> On Wed, 2004-04-28 at 02:05, Aleksey Nogin wrote:
>
>> Under policy-sources-1.11.2-18:
>>
>> audit(1083131647.146:0): avc: denied { signal } for pid=28661 exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t tcontext=aleksey:staff_r:staff_t tclass=process
>
> In general, you'd like to confine mozilla so that if it is subverted by
> malicious code, then it can't do much harm.  So allowing it to send
> signals back to the user domain isn't desirable.  For development
> environments, you might want a policy tunable or boolean to allow such
> permissions, but not for operational use.

Note that exe is gdb, not mozilla. How did gdb end up in mozilla_t?


--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin cs caltech edu (office), aleksey nogin org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
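
The check raised in the reply above (exe is gdb, yet the source domain is staff_mozilla_t) can be automated over audit logs. The following is an added example, not part of the original message or of any SELinux tool: it parses AVC records of the form quoted in the thread and reports executables seen running in a domain where they are not expected. The EXPECTED_EXE table, the mozilla-bin path and the second log line are assumptions constructed for illustration.

```python
import re

# Constructed sample input: line 1 is the denial quoted in the thread,
# line 2 is a made-up record for contrast.
SAMPLE_LOG = """\
audit(1083131647.146:0): avc: denied { signal } for pid=28661 exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t tcontext=aleksey:staff_r:staff_t tclass=process
audit(1083131650.201:0): avc: denied { read } for pid=28700 exe=/usr/lib/mozilla/mozilla-bin scontext=aleksey:staff_r:staff_mozilla_t tcontext=aleksey:object_r:staff_home_t tclass=file
"""

# Assumption (hypothetical, not taken from a real policy): the programs
# an administrator expects to see running in each confined domain.
EXPECTED_EXE = {"staff_mozilla_t": {"/usr/lib/mozilla/mozilla-bin"}}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)

def parse_avc(line):
    """Return a dict of fields from one AVC record, or None if not AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for tok in m.group("rest").split():          # key=value pairs
        key, sep, value = tok.partition("=")
        if sep:
            rec[key] = value
    # A context is user:role:type; the type is what policy rules refer to.
    for side, name in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = rec.get(side, "").split(":")
        if len(parts) >= 3:
            rec[name] = parts[2]
    return rec

def unexpected_exes(log, expected=EXPECTED_EXE):
    """List (exe, source type, target type, class, perms) for records whose
    exe is not among the programs expected in the source domain."""
    findings = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec or "exe" not in rec:
            continue
        allowed = expected.get(rec.get("stype"))
        if allowed is not None and rec["exe"] not in allowed:
            findings.append((rec["exe"], rec["stype"], rec.get("ttype"),
                             rec.get("tclass"), rec["perms"]))
    return findings

if __name__ == "__main__":
    for f in unexpected_exes(SAMPLE_LOG):
        print("unexpected exe in domain:", f)
```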
