Re: Another selinux rant

Michael Wiktowy wrote:
> On Jan 4, 2008 6:54 PM, Jonathan Underwood <jonathan underwood gmail com> wrote:
>> That could be the case. Perhaps there's something that could be added
>> to Smolt to allow the history of avc denials to be uploaded as part of
>> the profile - that would allow some really interesting analysis.
>
> That is a great idea!
>
> Even just something that indicates the proportion of people using
> enforcing/permissive/disabled. That would be useful to either support
> or refute the periodic SELinux rant threads that are based on people's
> personal usage patterns and seem to take on a life of their own and
> inevitably lead to statistics being pulled out of thin air.

For what it's worth, setroubleshoot was designed to allow sending its analysis to a central server to coalesce all the reports to get a global view (and to allow notifications to be sent back to the reporter when their issue was fixed if it was a bug). This was never fully implemented for the following reasons:

* audit data is security sensitive; transmitting it to a central server raises a host of issues.

* we needed a host to run the server on, at the time none existed (fedoraproject might be a viable option today).

* no one thought it was important.

The code in setroubleshoot still has all the logic built into it to support central aggregation, as it has from day one. But we would have to build the central server and solve the security issues. But this would occur if and only if there was a consensus this was important and volunteers stepped forward to perform the work.

John Dennis <jdennis redhat com>

