Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Daniel J Walsh dwalsh at redhat.com
Thu Jul 17 19:17:03 UTC 2008


Stewart Adam wrote:
> Hi,
> 
> After the recent SELinux discussion (and the several ones before it),
> it's pretty clear that users are having problems with SELinux but at the
> same time SELinux is an important aspect to system security so it isn't
> going anywhere. Instead of asking to turn SELinux off, let's work
> towards making SELinux "just work" since that will provide the good user
> experience and the extra security.
> 
> I was thinking of ways that Fedora could improve user <--> SELinux
> interaction, and I thought that creating a kerneloops-like plugin for
> setroubleshoot would be a good way to collect data about denials.
> Similar to kerneloops, this would allow for statistics on where denials
> occur most and that way the policy can be modified accordingly.
> Ultimately, this leads to a better user experience with Fedora. I took a
> quick look at the setroubleshoot plugin system and it shouldn't be too
> hard to get this started, but some extra help would be great.
> 
> Beyond this it would probably be good to rework the interface of
> system-config-selinux tool to make it easier to use for the average
> user. Sure, editing /etc/sysconfig/selinux is easy but the average user
> doesn't know how and shouldn't have to spend an hour trying to figure it
> out, especially if this is their first time using Linux.
> 
> Feedback, ideas and comments are welcome. I'd like to know what you
> think before starting any work on any of this.
> 
> Stewart
> 

John Dennis designed setroubleshoot to be able to send its messages to
an upstream collector; it seems to me that adding a button to report the
message upstream would be easy. The problem is where the upstream
infrastructure to handle all the messages is.

dwalsh at redhat.com is probably not a good place.

:^)

Of course if we took the XML data we could run it through some tools to
see if the AVC was fixed by a newer version of policy.

audit2why will report when policy is fixed by the current policy.
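As an added example (not code from the thread, from setroubleshoot or from the audit tools), a small Python script doing the two things discussed above: it tallies AVC denials from audit log lines by source type, target type, object class and permission so the most frequent denials surface, and it hands the same records to audit2why when that tool is installed. The audit records are constructed samples, not from a real system.

```python
import re
import shutil
import subprocess
from collections import Counter

# Regex for the kernel's AVC denial record as it appears in /var/log/audit/audit.log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source type, target type, class, permission) tuples for one AVC line, or []."""
    m = AVC_RE.search(line)
    if not m:
        return []
    stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return [(stype, ttype, m.group("tclass"), p) for p in m.group("perms").split()]

def denial_stats(lines):
    """Count identical denials so the most frequent ones come first (kerneloops-style statistics)."""
    counts = Counter()
    for line in lines:
        counts.update(parse_avc(line))
    return counts.most_common()

def check_with_audit2why(lines):
    """Feed the raw records to audit2why, which reports whether current policy already allows them.
    Returns None when audit2why is not installed (e.g. on a non-SELinux host)."""
    if shutil.which("audit2why") is None:
        return None
    proc = subprocess.run(["audit2why"], input="\n".join(lines) + "\n",
                          capture_output=True, text=True, check=False)
    return proc.stdout

# Constructed sample records (not taken from a real system).
SAMPLE = [
    'type=AVC msg=audit(1216322223.001:101): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda1 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1216322224.002:102): avc:  denied  { read } for  pid=2101 comm="httpd" name="style.css" dev=sda1 ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1216322225.003:103): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
    "type=USER_AVC msg=audit(1216322226.004:104): pid=1 uid=0 msg='not an avc denial record'",
]

if __name__ == "__main__":
    for key, n in denial_stats(SAMPLE):
        print(n, *key)
    out = check_with_audit2why(SAMPLE)
    print(out if out is not None else "audit2why not available; skipping policy check")
```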




More information about the fedora-devel-list mailing list