Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Daniel J Walsh dwalsh at redhat.com
Fri Jul 18 13:03:00 UTC 2008



Arthur Pemberton wrote:
> On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied at redhat.com> wrote:
>> On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
>>> - Autofix seems like a good idea
>>> - Perhaps Exempt button should only appear, if AutoFix doesn't work
>>> (not sure how to detect that)
>>> - To avoid a system user clicking Exempt, perhaps Exempt should only
>>> exempt the application only this time. i.e., when the application is
>>> launched again, it will generate a selinux warning again. That way,
>>> the user still reports the issue to get it properly fixed, but at the
>>> time, has the tools to get his work done and his apps running when he
>>> needs them
>>>
>> NO NO NO ... DOING IT WRONG.
>>
>> Don't ever ask the user for this kind of info, it would be better to go
>> ping a remote server and download a newer policy than ask the user.
> 
> Well I think in his suggested use case, he's assuming a genuine bug in
> the policy which hasn't yet been fixed.
> 
> 
>> The user is not going to have a freaking clue wtf exempting means.
> 
> Agreed
> 
>> Didn't you guys see the Mac vs Windows ads on TV?
> 
> That came to mind, was kinda scary.
> 
> 
>> kerneloops does it right, opt in, send somewhere useful, next step if
>> somewhere useful has seen the AVC and we know it's safe, maybe send
>> something back saying continue and ignore, but don't involve the user in
>> the mess other than asking for opt-in.
> 
> This may be a good idea. Have the service make a decision to continue
> to deny or temporarily allow based on available knowledge from the
> server.
> 
> How much private info if any would be in the average AVC?
> 
Hostname, filename, potentially username, rpm information.  What apps
they are running.
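Following on from the privacy question and Dan's answer, an added example (not from this thread, and not code from any Fedora or SELinux tool) in Python: it parses a constructed AVC denial line and keeps only the fields an opt-in remote service would plausibly need to recognise a known policy bug (source type, target type, object class, permissions, program name), dropping the hostname, path, inode and process identifiers that tie the record to a particular machine and user. Which fields count as "needed" versus "private" is an assumption made for this example.

```python
import re

# Constructed sample in the style of an SELinux AVC denial record (not a real log line).
SAMPLE_AVC = (
    'node=laptop.example.org type=AVC msg=audit(1216378980.123:456): avc:  denied  '
    '{ read } for  pid=1234 comm="httpd" path="/home/alice/public_html/index.html" '
    'dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

# Assumed split: fields that identify the host, user, file or process (never sent)
# versus fields a policy-matching service needs (sent only after opt-in).
PRIVATE_FIELDS = {"node", "msg", "pid", "path", "name", "dev", "ino"}
KEEP_FIELDS = ("comm", "scontext", "tcontext", "tclass")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Split an AVC denial into its key=value fields plus the denied permissions."""
    m = PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    fields["perms"] = sorted(m.group(1).split())
    return fields


def context_type(context):
    """Reduce user:role:type:range to the type alone, e.g. httpd_t."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def redact_for_report(line):
    """Build the minimal report for the remote service; everything else stays local."""
    fields = parse_avc(line)
    report = {key: fields[key] for key in KEEP_FIELDS if key in fields}
    # The SELinux user and MLS range are not needed to match a policy bug.
    for key in ("scontext", "tcontext"):
        if key in report:
            report[key] = context_type(report[key])
    report["perms"] = fields["perms"]
    if PRIVATE_FIELDS & set(report):
        raise RuntimeError("private field leaked into report")
    return report
```

The resulting report for the sample line is the tuple (httpd, httpd_t, user_home_t, file, read), which is enough for a server to answer "known bug, ignore" or "unknown, keep denying" without learning the hostname or the user's home directory.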