Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Ahmed Kamal email.ahmedkamal at googlemail.com
Thu Jul 17 21:07:02 UTC 2008


- Autofix seems like a good idea
- Perhaps Exempt button should only appear, if AutoFix doesn't work
(not sure how to detect that)
- To avoid a system user clicking Exempt, perhaps Exempt should only
exempt the application only this time. i.e., when the application is
launched again, it will generate a selinux warning again. That way,
the user still reports the issue to get it properly fixed, but at the
time, has the tools to get his work done and his apps running when he
needs them

On Fri, Jul 18, 2008 at 12:03 AM, Stewart Adam <maillist at diffingo.com> wrote:
>
>
> On Thu, 2008-07-17 at 15:47 -0500, Arthur Pemberton wrote:
>>
>> While this would get the job done. It is really a bad idea as it makes
>> having SELinux on useless for most folks -- they might as well just
>> disable it
>>
>> Plus it reminds me of the deny||allow stories i hear about in MS Vista.
> +1 - The idea of this is to get users to report what's going wrong and
> get it fixed in the policy instead of exempt/disable which defeats the
> purpose and trains the user to hit "Exempt" without reading anything.
>
> Stewart
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>




More information about the fedora-devel-list mailing list