Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Stewart Adam maillist at diffingo.com
Thu Jul 17 17:42:03 UTC 2008


Hi,

After the recent SELinux discussion (and the several ones before it),
it's pretty clear that users are having problems with SELinux but at the
same time SELinux is an important aspect of system security so it isn't
going anywhere. Instead of asking to turn SELinux off, let's work
towards making SELinux "just work" since that will provide the good user
experience and the extra security.

I was thinking of ways that Fedora could improve user <--> SELinux
interaction, and I thought that creating a kerneloops-like plugin for
setroubleshoot would be a good way to collect data about denials.
Similar to kerneloops, this would allow for statistics on where denials
occur most and that way the policy can be modified accordingly.
Ultimately, this leads to a better user experience with Fedora. I took a
quick look at the setroubleshoot plugin system and it shouldn't be too
hard to get this started but some extra help would be great.

Beyond this it would probably be good to rework the interface of the
system-config-selinux tool to make it easier to use for the average
user. Sure, editing /etc/sysconfig/selinux is easy but the average user
doesn't know how and shouldn't have to spend an hour trying to figure it
out, especially if this is their first time using Linux.

Feedback, ideas and comments are welcome. I'd like to know what you
think before starting any work on any of this.

Stewart
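
Added example, not part of the original message and not code from setroubleshoot or kerneloops: a sketch of the kind of denial statistics the proposal describes, reducing audit-log AVC denials to a signature (source type, target type, object class, permissions) and counting them. The sample records are constructed, the function names are hypothetical, and dropping pid, file name, inode and SELinux user from the signature is an assumption about what a collector would want to share.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1216316523.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=7001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1216316524.220:42): avc:  denied  { read } for  pid=2102 comm="httpd" name="about.html" dev=dm-0 ino=7002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1216316524.220:42): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1216316530.007:43): avc:  denied  { write getattr } for  pid=2200 comm="smbd" name="share" dev=dm-0 ino=8001 scontext=system_u:system_r:smbd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1216316531.900:44): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches only "denied" AVC records; "granted" and non-AVC records are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of user:role:type[:level].

    The MLS level may itself contain ':' (e.g. s0-s0:c0.c1023), so split
    at most three times and take the third field.
    """
    return context.split(":", 3)[2]


def denial_signature(line):
    """Reduce one audit line to (source type, target type, class, perms), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(m.group("perms").split()))  # order-independent
    return (context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"), perms)


def tally_denials(log_text):
    """Count denials per signature; pid, file name and inode never leave the host."""
    counts = Counter()
    for line in log_text.splitlines():
        sig = denial_signature(line)
        if sig is not None:
            counts[sig] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perms), n in tally_denials(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```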



