Re: Another selinux rant

On 04/01/2008, Arthur Pemberton <pemboa gmail com> wrote:
> > 2) User thinks "oh, must be yet another problem with the selinux
> > policy" and files a bug.
> Why wouldn't they think "oh the program I am using and which is being
> denied by SELInux might have a bug" ?

Because most of the time it's an SELinux policy bug. Granted, not
always, but often enough to make one's first thought be "oh, must be an
SELinux problem, I'll turn it off" or "must be an SELinux policy
problem, I'll run audit2allow and report a bug" - both of which are
suggested EVERY TIME by setroubleshoot. A naive user is then led to
think that this is the right thing to do in all instances.

> > 3) Dan or his team fix the problem with the policy extremely rapidly.
> > New policy packages are installed.
> Are you referring to a specific policy?

Yep, the Fedora ones of the last few releases :)

> > 4) Goto 1.
> >
> > The problem is: setroubleshoot teaches average users that avc denials
> > come about due to bugs in selinux policy.
> I get the feeling you're referring to some specific incident(s) as I
> have never had an AVC denial due to a SELinux bug (as far as I can
> remember)
> > If there was some massive
> > security problem right now on my machine causing avc denials I'd
> > probably react by filing a stack of bug reports. This is the
> > fundamental problem as it stands with SELinux.
> No offence, but you _really_ should check the message before you file
> a bug as it often makes sense.

Of course, I know that. Many users may not, however.

> Or has SELinux taken a nose dive in F8
> that I don't know about?

No, things are improving all the time. :)

> >If it was working, we
> > would be in a situation where the first response to an avc denial is
> > "OMG there's a security issue with something running on my machine, I
> > must fix that".
> Again, I'm maybe missing information...but that's my first response
> when I see an SELinux denial, esp. after it saved me from being rooted
> once.

I fear you're in the minority of users. Look over at the users
forum/lists and see how many times you see people turning off
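The "check the message before you file a bug" step discussed above, as an added example that is not part of this thread: a small Python parser that groups AVC denials from audit.log by source domain, target type, class and permissions, so the reader sees what is actually being denied before reaching for audit2allow. The sample records are constructed, and the exec-permission heuristic is my own, not setroubleshoot's.

```python
import re
from collections import Counter

# Constructed sample records in the standard kernel AVC layout (not taken
# from the thread); the SYSCALL line shows that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1207000001.100:201): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev=sda1 ino=4102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207000002.200:202): avc:  denied  { read } for  pid=2210 comm="httpd" name="style.css" dev=sda1 ino=4103 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1207000002.200:202): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1207000003.300:203): avc:  denied  { execute } for  pid=2301 comm="httpd" path="/tmp/x" dev=sda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Illustrative heuristic of my own: permissions that grant code execution.
EXEC_PERMS = {"execute", "execmem", "execmod", "execstack"}

def parse_avc(line):
    """Return a dict describing an AVC denial, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = tuple(sorted(d["perms"].split()))
    d["sdomain"] = d["scontext"].split(":")[2]   # e.g. httpd_t
    d["ttype"] = d["tcontext"].split(":")[2]     # e.g. user_home_t
    return d

def needs_review(denial):
    """True when the denied permission involves executing code: worth reading
    closely before anyone turns it into an allow rule."""
    return bool(EXEC_PERMS & set(denial["perms"]))

def summarize(log_text):
    """Count denials per (source domain, target type, class, perms) tuple."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            counts[(d["sdomain"], d["ttype"], d["tclass"], d["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (sd, tt, cls, perms), n in summarize(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:3d}x  {sd} -> {tt} ({cls}) {{ {' '.join(perms)} }}")
```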


