Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux
pemboa at gmail.com
Thu Jul 17 19:19:07 UTC 2008
On Thu, Jul 17, 2008 at 2:17 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Stewart Adam wrote:
>> After the recent SELinux discussion (and the several ones before it),
>> it's pretty clear that users are having problems with SELinux but at the
>> same time SELinux is an important aspect to system security so it isn't
>> going anywhere. Instead of asking to turn SELinux off, let's work
>> towards making SELinux "just work" since that will provide the good user
>> experience and the extra security.
>> I was thinking of ways that Fedora could improve user <--> SELinux
>> interaction, and I thought that creating a kerneloops-like plugin for
>> setroubleshoot would be a good way to collect data about denials.
>> Similar to kerneloops, this would allow for statistics on where denials
>> occur most and that way the policy can be modified accordingly.
>> Ultimately, this leads to a better user experience with Fedora. I took a
>> quick look at the setroubleshoot plugin system and it shouldn't be too
>> hard to get this started but some extra help would be great.
>> Beyond this it would probably be good to rework the interface of
>> system-config-selinux tool to make it easier to use for the average
>> user. Sure, editing /etc/sysconfig/selinux is easy but the average user
>> doesn't know how and shouldn't have to spend an hour trying to figure it
>> out, especially if this is their first time using Linux.
>> Feedback, ideas and comments are welcome. I'd like to know what you
>> think before starting any work on any of this.
> John Dennis designed setroubleshoot to be able to send its messages to
> an upstream collector, it seems to me that adding a button to report the
> message upstream would be easy. The problem is where is the upstream
> infrastructure to handle all the messages.
> dwalsh at redhat.com is probably not a good place.
I would think not. Does the infrastructure team have any web service
of sorts that can accept these log messages?
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )