Archives
Archives
| From: | julien.thomas@××××××××××××××××.eu |
|---|---|
| To: | julien.thomas@××××××××××××××××.eu |
| Cc: | gentoo-hardened@l.g.o |
| Subject: | [gentoo-hardened] ptrace and gdb |
| Date: | Sat, 14 Jun 2008 00:39:48 |
| Message-Id: | 20080614023932.tkfrja1g8cwwogco@webmail.enst-bretagne.fr |
| 1 | Good afternoon. |
| 2 | |
| 3 | I would like to be able to trace the slapd daemon (slapd_t type) with |
| 4 | gdb, and more |
| 5 | precisely to interact with it. |
| 6 | |
| 7 | However, when i perform the attach command of gdb, I get a |
| 8 | ptrace: Permission denied. with no avc log ... |
| 9 | |
| 10 | I added the following authorization but it seems to be not enough. |
| 11 | the process gdb and slapd have to the following types : |
| 12 | |
| 13 | system_u:system_r:slapd_t 5930 ? Ssl 0:00 |
| 14 | /usr/lib/openldap/slapd |
| 15 | root:sysadm_r:sysadm_t 5818 pts/0 S+ 0:00 gdb |
| 16 | |
| 17 | ---- additional SELinux module |
| 18 | module gbd_attach 1.0 ; |
| 19 | |
| 20 | require{ |
| 21 | type slapd_t; |
| 22 | type sysadm_t; |
| 23 | class file {execute getattr read} ; |
| 24 | class process {signal ptrace transition noatsecure rlimitinh |
| 25 | siginh getsched |
| 26 | setsched getsession getpgid setpgid getcap setcap}; |
| 27 | } |
| 28 | |
| 29 | allow slapd_t sysadm_t:process {signal ptrace}; |
| 30 | allow sysadm_t slapd_t:process {noatsecure rlimitinh siginh transition |
| 31 | getsched setsched getsession getpgid setpgid getcap setcap |
| 32 | }; |
| 33 | |
| 34 | Thanks. |
| 35 | |
| 36 | Best regards, |
| 37 | Julien Thomas |
| 38 | |
| 39 | |
| 40 | -- |
| 41 | My RSA public key for email authentication is available at |
| 42 | http://perso.telecom-bretagne.eu/julienthomas/technical_informations/ |
| 43 | and on the PGP server http://subkeys.pgp.net (id 0x43E623F5) |
| 44 | |
| 45 | My (google) calendars (for meeting arrangement) |
| 46 | Thesis : |
| 47 | http://www.google.com/calendar/embed?src=d3te2j26l4g7qah12a9q4vpiu4%40group.calendar.google.com&ctz=Europe/Paris Personnal (only disponibility) |
| 48 | : |
| 49 | http://www.google.com/calendar/embed?src=julien.thomas.1%40gmail.com&ctz=Europe/Paris |
| 50 | |
| 51 | -- |
| 52 | gentoo-hardened@l.g.o mailing list |
| Subject | Author |
|---|---|
| Re: [gentoo-hardened] ptrace and gdb | Julien Thomas <julien.thomas@××××××××××××××××.eu> |