Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Arthur Pemberton pemboa at gmail.com
Thu Jul 17 20:47:14 UTC 2008


On Thu, Jul 17, 2008 at 3:24 PM, Ahmed Kamal
<email.ahmedkamal at googlemail.com> wrote:
> Another idea is, when a denial occurs and we get this nice balloon,
> it would contain 2 buttons:
> - AutoFix: automatically attempts changing the offending file's
> context, as per the recommended action

Fair solution, setroubleshoot is normally on the money.

> - Exempt: changes the policy such that the offended application runs
> in an unrestricted selinux domain.

While this would get the job done, it is really a bad idea, as it makes
having SELinux on useless for most folks -- they might as well just
disable it.

Plus it reminds me of the deny||allow stories I hear about in MS Vista.


> IMHO, the policies will never be perfect. Mortals can't really "fix"
> the policy coz it's too complex. The Exempt is what the end users
> need, or they turn off the whole thing


-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



