Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Arthur Pemberton pemboa at gmail.com
Thu Jul 17 18:43:31 UTC 2008


On Thu, Jul 17, 2008 at 12:42 PM, Stewart Adam <maillist at diffingo.com> wrote:
> Hi,
>
> After the recent SELinux discussion (and the several ones before it),
> it's pretty clear that users are having problems with SELinux but at the
> same time SELinux is an important aspect to system security so it isn't
> going anywhere. Instead of asking to turn SELinux off, let's work
> towards making SELinux "just work" since that will provide the good user
> experience and the extra security.

Seems to me there are three problems in all:
 1. Some people are lazy
 2. Some people want to have more control at all points
 3. SELinux does meet unexpected situations

> I was thinking of ways that Fedora could improve user <--> SELinux
> interaction, and I thought that creating a kerneloops-like plugin for
> setroubleshoot would be a good way to collect data about denials.
> Similar to kerneloops, this would allow for statistics on where denials
> occur most and that way the policy can be modified accordingly.
> Ultimately, this leads to a better user experience with Fedora. I took a
> quick look at the setroubleshoot plugin system and it shouldn't be too
> hard to get this started but some extra help would be great.
>
> Beyond this it would probably be good to rework the interface of
> system-config-selinux tool to make it easier to use for the average
> user. Sure, editing /etc/sysconfig/selinux is easy but the average user
> doesn't know how and shouldn't have to spend an hour trying to figure it
> out, especially if this is their first time using Linux.
>
> Feedback, ideas and comments are welcome. I'd like to know what you
> think before starting any work on any of this.
>
> Stewart

If you're referring to an automated/semi-automated opt-in reporter
SELinux seems like a great idea to me.

I'm guessing at the least it will help with data collection.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



