Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux
Arthur Pemberton
pemboa at gmail.com
Thu Jul 17 20:47:14 UTC 2008
On Thu, Jul 17, 2008 at 3:24 PM, Ahmed Kamal
<email.ahmedkamal at googlemail.com> wrote:
> Another idea is, when a denial occurs and we get this nice balloon,
> it would contain 2 buttons:
> - AutoFix: automatically attempts changing the offending file's
> context, as per the recommended action

Fair solution; setroubleshoot is normally on the money.

> - Exempt: changes the policy such that the offended application runs
> in an unrestricted SELinux domain.

While this would get the job done, it is really a bad idea, as it makes
having SELinux on useless for most folks -- they might as well just
disable it.
Plus, it reminds me of the deny||allow stories I hear about in MS Vista.

> IMHO, the policies will never be perfect. Mortals can't really "fix"
> the policy coz it's too complex. The Exempt is what the end users
> need, or they turn off the whole thing.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )