4.15. Disabling ptrace()
The ptrace() system call allows one process to observe and control the execution of another process and to change its memory and registers. This call is used primarily by developers during debugging, for example when using the
When ptrace() is not needed, it can be disabled to improve system security. This is done by enabling the deny_ptrace Boolean, which denies all processes, even those running in unconfined_t domains, the ability to use ptrace() on other processes. Note that this is an SELinux control and is independent of the kernel's Yama restriction (the kernel.yama.ptrace_scope sysctl); once the Boolean is on, debugging tools such as strace and gdb can no longer attach to other processes either.
The deny_ptrace Boolean is disabled by default. To enable it, run the setsebool -P deny_ptrace on command as the root user:
setsebool -P deny_ptrace on
The change takes effect immediately. To verify that the Boolean is enabled, use the following command:
getsebool deny_ptrace
deny_ptrace --> on
To disable this Boolean, run the setsebool -P deny_ptrace off command as root:
setsebool -P deny_ptrace off
Note: The setsebool -P command makes persistent changes, written to the policy store so that they survive a reboot. Do not use the -P option if you do not want changes to persist across reboots.
This Boolean gates only the rules in the SELinux policy shipped with Red Hat Enterprise Linux. Consequently, third-party packages that install their own policy modules could still be allowed to use the ptrace() system call unconditionally. To list all domains that are allowed to use ptrace() regardless of the Boolean, enter the following command. Note that the setools-console package provides the sesearch utility and that the package is not installed by default. The -A option lists allow rules, -p restricts them to the ptrace process permission and the sys_ptrace capability, and -C includes the conditional rules together with the Boolean that governs them, so that grep -v can drop the rules that deny_ptrace already switches off. The cut field number assumes the column layout of the sesearch version shipped with the product; check the raw output first if the domains printed look wrong.
sesearch -A -p ptrace,sys_ptrace -C | grep -v deny_ptrace | cut -d ' ' -f 5
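The following script is an added example and is not part of the Red Hat guide. It ties the procedure above together: it reads the running state of deny_ptrace from getsebool, compares it with the persistent state reported by semanage boolean -l (which exposes a setsebool run without -P), and lists the domains that remain allowed to ptrace by taking the source type that follows the allow keyword in sesearch output rather than a fixed column. The three parsing helpers take their input as text so they can be exercised offline on constructed lines; the file name deny_ptrace_audit.sh and the --run flag are this example's own conventions.

```shell
#!/bin/sh
# deny_ptrace_audit.sh - added example, not from the RHEL SELinux guide.
# Audits the deny_ptrace Boolean and lists domains still allowed to ptrace.
# Run as root so that semanage and sesearch can read the policy store.

# Extract "on"/"off" from a getsebool line such as "deny_ptrace --> on".
parse_getsebool() {
    printf '%s\n' "$1" | awk -F' --> ' 'NF == 2 { print $2 }'
}

# Extract "<current> <persistent>" from a `semanage boolean -l` line such as
# "deny_ptrace   (on   ,   off)  Deny any process from ptracing ...".
# The first value is the running state, the second is the one that survives
# a reboot; they differ when setsebool was run without -P.
parse_semanage_bool() {
    printf '%s\n' "$1" | sed -n 's/^[^(]*(\([a-z]*\) *, *\([a-z]*\)).*/\1 \2/p'
}

# Read sesearch output on stdin and print the unique source domains of allow
# rules that are not gated by deny_ptrace. The source type is the field right
# after "allow", wherever that keyword sits on the line, so this does not
# depend on the column spacing that `cut -d ' ' -f 5` relies on.
ptrace_domains() {
    awk '!/deny_ptrace/ {
            for (i = 1; i < NF; i++)
                if ($i == "allow") { print $(i + 1); break }
         }' | sort -u
}

# Live audit. Returns 0 when deny_ptrace is on both now and persistently,
# 2 when the SELinux userspace tools are missing, 1 otherwise.
audit_deny_ptrace() {
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "getsebool not found: is policycoreutils installed?" >&2
        return 2
    fi
    now=$(parse_getsebool "$(getsebool deny_ptrace)")
    persistent=$now
    echo "deny_ptrace running state: $now"
    if command -v semanage >/dev/null 2>&1; then
        line=$(semanage boolean -l 2>/dev/null | grep '^deny_ptrace ')
        set -- $(parse_semanage_bool "$line")
        if [ -n "$2" ]; then
            persistent=$2
            [ "$1" = "$2" ] || echo "WARNING: running=$1 persistent=$2" \
                "(was setsebool run without -P?)"
        fi
    fi
    if command -v sesearch >/dev/null 2>&1; then
        echo "domains allowed to ptrace regardless of deny_ptrace:"
        sesearch -A -p ptrace,sys_ptrace -C | ptrace_domains
    else
        echo "sesearch not found: install setools-console to list domains" >&2
    fi
    [ "$now" = on ] && [ "$persistent" = on ]
}

# Usage: sh deny_ptrace_audit.sh --run
[ "${1:-}" = "--run" ] && audit_deny_ptrace
```

The domain listing deliberately keeps the rules that grant the sys_ptrace capability as well as the ptrace process permission, matching the -p ptrace,sys_ptrace filter in the guide; either one lets a domain inspect another process, so both belong in the audit.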