Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Arthur Pemberton pemboa at gmail.com
Thu Jul 17 23:46:56 UTC 2008


On Thu, Jul 17, 2008 at 6:26 PM, Ahmed Kamal
<email.ahmedkamal at googlemail.com> wrote:
> I'd say I am a pretty knowledgeable Linux user. However, when I see an
> AVC denial, and the recommended chcon doesn't fix it, I'm pretty much
> lost! I need to launch that server or that application NOW, and
> SELinux is stopping that ... and the policy won't be fixed for days,
> it won't even be fixed at all if that's a 3rd party app! I need
> something to help me launch my apps if I so choose! A 95% SELinux
> protected system is so much better than one with it disabled, which
> is what I always seem to end up doing to get my work done!
>
> PS: To all security-aholics, helping the user launch his apps and get
> his work done is every bit as important as having a well secured
> system, if not a tad bit more important.

While I understand your sentiments, I have problems empathizing with
them, as I haven't had such a problem with SELinux since FC2.

I do agree that having a user be able to launch an important
app/service should take precedence, though I am not sure that an 80%
SELinux protected machine is better than one with SELinux disabled --
that's debatable I guess.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



