Another selinux rant

John Dennis jdennis at redhat.com
Mon Jan 7 19:35:40 UTC 2008


Michael Wiktowy wrote:
> On Jan 4, 2008 6:54 PM, Jonathan Underwood <jonathan.underwood at gmail.com> wrote:
>> That could be the case. Perhaps there's something that could be added
>> to Smolt to allow the history of avc denials to be uploaded as part of
>> the profile - that would allow some really interesting analysis.
> 
> That is a great idea!
> 
> Even just something that indicates the proportion of people using
> enforcing/permissive/disabled. That would be useful to either support
> or refute the periodic SELinux rant threads based on people's personal
> usage patterns and seem to take on a life of their own and inevitably
> lead to statistics being pulled out of thin air.

For what it's worth, setroubleshoot was designed to allow sending its 
analysis to a central server to coalesce all the reports to get a global 
view (and to allow notifications to be sent back to the reporter when 
their issue was fixed if it was a bug). This was never fully implemented 
for the following reasons:

* audit data is security sensitive, transmitting it to a central server 
raises a host of issues.

* we needed a host to run the server on, at the time none existed 
(fedoraproject might be a viable option today).

* no one thought it was important.

The code in setroubleshoot still has all the logic built into it to 
support central aggregation, as it has from day one. But we would have 
to build the central server and solve the security issues. But this 
would occur if and only if there was a consensus this was important and 
volunteers stepped forward to perform the work.

-- 
John Dennis <jdennis at redhat.com>




More information about the fedora-devel-list mailing list