Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Arthur Pemberton pemboa at gmail.com
Thu Jul 17 23:40:24 UTC 2008


2008/7/17 Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2008-07-18 at 09:00 +1000, Dave Airlie wrote:
>> On Thu, 2008-07-17 at 17:57 -0500, Arthur Pemberton wrote:
>> > On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied at redhat.com> wrote:
>
>> > > kerneloops does it right, opt in, send somewhere useful, next step if
>> > > somewhere useful has seen the AVC and we know it's safe, maybe send
>> > > something back saying continue and ignore, but don't involve the user in
>> > > the mess other than asking for opt-in.
>> >
>> > This may be a good idea. Have the service make a decision to continue
>> > deny or temporarily allow based on available knowledge from the
>> > server.
>> >
>> > How much private info if any would be in the average AVC?
>>
>> Good point, I am reminded of some of those totem backtraces with porn
>> movies in the backtrace :)
>
> Perhaps flag backtraces including files covered by (Fedora) RPMs
> differently to backtraces that reference user files (and specific other
> files, like .xsession-errors)?
>
> (and yes, I realise this might be difficult to do, but is probably the
> only sane line between private and not-so-private files on a system).


By backtrace I'm assuming you mean AVC. Finding an RPM file is as easy
as `rpm -qf` so that's probably a good idea.


-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
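
Added example, not part of the original message or thread: one way to apply the `rpm -qf` test discussed above to AVC records before an opt-in reporter sends them, redacting file names that no package owns. The function names are hypothetical, and the sample records are constructed and abbreviated (no scontext/tcontext).

```python
import re
import subprocess

# path= / name= fields; audit quotes the value, or hex-encodes it when it
# contains spaces, quotes or control characters.
FIELD_RE = re.compile(r'\b(path|name)=(?:"([^"]*)"|((?:[0-9A-Fa-f]{2})+))(?=\s|$)')

def rpm_owns(path):
    """True if an installed package owns path (`rpm -qf` exits 0)."""
    try:
        done = subprocess.run(["rpm", "-qf", path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL)
    except FileNotFoundError:  # no rpm binary: treat every file as private
        return False
    return done.returncode == 0

def file_fields(avc_line):
    """Decoded values of every path=/name= field in one AVC record."""
    return [bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
            for _key, quoted, hexed in FIELD_RE.findall(avc_line)]

def prepare_report(avc_line, owns=rpm_owns):
    """Return (label, line); file names are redacted unless RPM-owned."""
    values = file_fields(avc_line)
    if not values:
        return "no-file", avc_line
    # A bare name= has no directory, so rpm -qf cannot vouch for it.
    if all(v.startswith("/") and owns(v) for v in values):
        return "packaged", avc_line
    return "private", FIELD_RE.sub(lambda m: m.group(1) + '="<redacted>"', avc_line)

# Constructed sample records (hypothetical, not from the thread).
SAMPLE_HEX = "/home/alice/My Videos/clip.avi".encode().hex().upper()
SAMPLES = [
    'avc:  denied  { read } for  pid=2301 comm="httpd" path="/usr/sbin/httpd" '
    'dev=sda1 ino=9001 tclass=file',
    'avc:  denied  { read } for  pid=2417 comm="totem" path=' + SAMPLE_HEX +
    ' dev=sda1 ino=9002 tclass=file',
    'avc:  denied  { getattr } for  pid=2417 comm="totem" name="notes.txt" '
    'dev=sda1 ino=9003 tclass=file',
    'avc:  denied  { sys_admin } for  pid=2500 comm="mount" capability=21 '
    'tclass=capability',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(*prepare_report(line), sep="\t")
```

The `owns` parameter lets the ownership check be swapped out, for example for a cached lookup, without changing the redaction logic.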




More information about the fedora-devel-list mailing list