Re: Another selinux rant

[Ralf Corsepius <rc040203 freenet de>]

On Fri, 2008-01-04 at 12:07 -0500, John Dennis wrote:
> Ed Swierk wrote:
> > People who already know about SELinux can of course just learn to type
> > ls -l --lcontext, but showing the extra information by default would
> > at least give clueless users like me a hint that files have these
> > extra attributes that might somehow be relevant to those strange
> > openvpn failures. IMHO this would be the single best usability
> > improvement to SELinux
> 
> Re SELinux usability issues:
> 
> We wrote the setroubleshoot package precisely to help SELinux novice
> users so they wouldn't suffer with hidden obscure failures of the type
> which have frustrated you. If it had been installed you would have
> received notifications in real time on your desktop describing the
> failure and suggestions on how to fix it.
Well, honorable goal, but does it actually achieve this goal?

* On one machine (FC8/x86_64), for me, all setroubleshoot does is to die
shortly after bootup and first-time login (I haven't tried to
investigate, but as it seems to me some serelated daemon is
segfaulting).

* Is it appropriate to inform arbitrary ordinary users about SELinux
issues? May-be this on single user/non-networked machines, but I don't
think this is the right concept for a networked environment in which
"ordinary user" normally isn't the system admin.

Ralf