AVC attaching gdb to Mozilla process.
Aleksey Nogin
aleksey at nogin.org
Wed Apr 28 20:29:14 UTC 2004
On 28.04.2004 05:11, Stephen Smalley wrote:
> On Wed, 2004-04-28 at 02:05, Aleksey Nogin wrote:
>
>>Under policy-sources-1.11.2-18:
>>
>>audit(1083131647.146:0): avc: denied { signal } for pid=28661
>>exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t
>>tcontext=aleksey:staff_r:staff_t tclass=process
>
>
> In general, you'd like to confine mozilla so that if it is subverted by
> malicious code, then it can't do much harm. So allowing it to send
> signals back to the user domain isn't desirable. For development
> environments, you might want a policy tunable or boolean to allow such
> permissions, but not for operational use.
Note that exe is gdb, not mozilla. How did gdb end up in mozilla_t?
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
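The denial quoted above, worked through as an added example (not code from the thread, Fedora, or the SELinux reference policy): a small parser for the `audit(...): avc: denied` line format, a heuristic for the point Aleksey raises (the `exe` is gdb but the source domain is `staff_mozilla_t`, which usually means gdb was executed from the mozilla domain without a domain transition), and the `allow` rule an audit2allow-style tool would derive, wrapped in the kind of policy boolean Stephen suggests. The sample line is the one from the post; the boolean name `allow_mozilla_signal_user` and the function names are assumptions of this example.

```python
import os
import re

# Sample input: the AVC denial quoted in the message (constructed here, not a new capture).
SAMPLE_AVC = (
    "audit(1083131647.146:0): avc: denied { signal } for pid=28661 "
    "exe=/usr/bin/gdb scontext=aleksey:staff_r:staff_mozilla_t "
    "tcontext=aleksey:staff_r:staff_t tclass=process"
)

# Classic (pre-auditd) AVC format: audit(<secs>.<ms>:<serial>): avc: denied { perms } for k=v ...
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<verdict>denied|granted)\s*\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)"
)


def parse_context(ctx):
    """Split user:role:type[:level] into its parts (level absent on 2004-era policy)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "level": ":".join(parts[3:]) or None,
    }


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            return None
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "fields": fields,
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def exe_domain_mismatch(rec):
    """Heuristic: True when the executable's name does not appear in the source type.

    A process whose exe is /usr/bin/gdb but whose domain is staff_mozilla_t did not
    go through a domain transition on exec, so it inherited its parent's domain.
    Returns None when the record carries no exe= field.
    """
    exe = rec["fields"].get("exe")
    if exe is None:
        return None
    return os.path.basename(exe) not in rec["scontext"]["type"]


def allow_rule(rec):
    """The rule that would silence this denial, in policy.conf syntax (as audit2allow emits)."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"], perm_str
    )


def tunable_rule(rec, boolname, default=False):
    """Wrap the rule in a boolean so it is off for operational use and can be toggled for development."""
    return "bool %s %s;\nif (%s) {\n    %s\n}" % (
        boolname, "true" if default else "false", boolname, allow_rule(rec)
    )


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print("denied %s on %s: %s -> %s" % (
        " ".join(rec["perms"]), rec["tclass"],
        rec["scontext"]["type"], rec["tcontext"]["type"]))
    if exe_domain_mismatch(rec):
        print("note: exe %s is not running in a domain named for it; "
              "check for a missing domain transition" % rec["fields"]["exe"])
    print(tunable_rule(rec, "allow_mozilla_signal_user"))
```

Run it as a script and it reports the denial, flags the gdb/mozilla_t mismatch, and prints the boolean-guarded rule; `parse_avc` returns `None` for non-AVC lines so it can be run over a whole `/var/log/messages` with `filter`.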