Another selinux rant

Jonathan Underwood jonathan.underwood at gmail.com
Fri Jan 4 22:30:36 UTC 2008


On 04/01/2008, John Dennis <jdennis at redhat.com> wrote:
> Ed Swierk wrote:
> > People who already know about SELinux can of course just learn to type
> > ls -l --lcontext, but showing the extra information by default would
> > at least give clueless users like me a hint that files have these
> > extra attributes that might somehow be relevant to those strange
> > openvpn failures. IMHO this would be the single best usability
> > improvement to SELinux
>
> Re SELinux usability issues:
>
> We wrote the setroubleshoot package precisely to help SELinux novice
> users so they wouldn't suffer with hidden obscure failures of the type
> which have frustrated you. If it had been installed you would have
> received notifications in real time on your desktop describing the
> failure and suggestions on how to fix it.

The problem is, the notifications don't tell you much more than the
obscure avc denial in most cases. But there's a bigger problem than
that. Here's what happens when most people have an avc denial:

1) setroubleshoot pops up detailing the denial. The only really
intelligible part of the information there to the non expert is
"please file a report in bugzilla".

2) User thinks "oh, must be yet another problem with the selinux
policy" and files a bug.

3) Dan or his team fix the problem with the policy extremely rapidly.
New policy packages are installed.

4) Goto 1.

The problem is: setroubleshoot teaches average users that avc denials
come about due to bugs in selinux policy. If there was some massive
security problem right now on my machine causing avc denials I'd
probably react by filing a stack of bug reports. This is the
fundamental problem as it stands with SElinux. If it was working, we
would be in a situation where the first responce to an avc denial is
"OMG there's a security issue with something running on my machine, I
must fix that".




More information about the fedora-devel-list mailing list