Re: SELinux removed from desktop cd spin?

Valent Turkovic wrote:
> On Jan 16, 2008 10:00 PM, Alan Cox <alan redhat com> wrote:
>> On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
>>> I believe that SELinux is a great linux server security hardening tool
>>> but that has little use in desktop linux usage and it confuses
>>> ordinary desktop users.
>> Desktop users are the people it is most important for.  If it is still confusing
>> people we need to fix the confusions. Perhaps you can explain more?
>
> AVC denials that SELinux Troubleshoot Tool pops up really scare me :)
> There is half of screen of text and I can't figure out anything
> important from that. I see no information of value to me as a desktop
> user. I don't know if my laptop is about to blow up or if it is some minor
> error I can safely ignore.
>
> I have about 20 AVC denial messages in SE Tool right now... they all
> make zero sense to me. I just got one from NetworkManager after my
> laptop returned from sleep... and I see a bunch of them regarding
> VirtualBox temporary files... etc... etc...

That tool should not be running for users who do not understand it. The typical user (assuming the policy is *correct* and no longer buggy, future use case) does not need to care about avc denials, they do not need to know about them. The typical user will happily go along doing what they want to do, and having selinux protecting their machine from doing things it should not. (obviously due to buggy policy and the ever changing needs of various packages this is not a stable condition yet!)

If selinux troubleshoot scares you, turn it off; it's for development and debugging. A user should not need to know when denials happen, unless they are 1) helping to debug policy, or 2) looking for security breaches.

Andrew Farris <lordmorgul gmail com> <ajfarris gmail com>
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer

