Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux
Dave Airlie
airlied at redhat.com
Thu Jul 17 22:53:37 UTC 2008
On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
> - Autofix seems like a good idea
> - Perhaps Exempt button should only appear, if AutoFix doesn't work
> (not sure how to detect that)
> - To avoid a system user clicking Exempt, perhaps Exempt should only
> exempt the application only this time. i.e., when the application is
> launched again, it will generate a selinux warning again. That way,
> the user still reports the issue to get it properly fixed, but at the
> time, has the tools to get his work done and his apps running when he
> needs them
>
NO NO NO ... DOING IT WRONG.
Don't ever ask the user for this kind of info, it would be better to go
ping a remote server and download a newer policy than ask the user.
The user is not going to have a freaking clue wtf exempting means.
Didn't you guys see the Mac vs Windows ADs on TV?
kerneloops does it right, opt in, send somewhere useful, next step if
somewhere useful has seen the AVC and we knows its safe, maybe send
something back saying continue and ignore, but don't involve the user in
the mess other than asking for opt-in.
Dave.
More information about the fedora-devel-list
mailing list