Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux
Arthur Pemberton
pemboa at gmail.com
Thu Jul 17 23:43:35 UTC 2008
On Thu, Jul 17, 2008 at 6:21 PM, Dave Airlie <airlied at redhat.com> wrote:
> On Thu, 2008-07-17 at 18:15 -0500, Arthur Pemberton wrote:
>> On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied at redhat.com> wrote:
>> > Even so, don't let the user know, clearly they won't do the right thing,
>> > and you end up training them with the wrong behaviour. stop thinking of
>> > the user being someone who knows or cares what a policy/selinux or an
>> > exemption is.
>>
>> While I agree with your statement as is, it is my unverified suspicion
>> that 'fedora user' is significantly different from 'user'.
>>
>> Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think
>> we may be able to expect a bit more from the average Fedora user...
>>
>> which leads me to another idea. Would probably be great if we could
>> have all AVCs copied easily to a central machine for those who use
>> Fedora in enterprise type environments.
>
> You know you just contradicted yourself :)
>
> If we want Fedora and by inheritance RHEL/CentOS to be useable on
> enterprise desktops or even consumer desktops we cannot assume we know
> what a "Fedora user" is. So we shouldn't be basing any decisions on the
> fact we might think a Fedora user is inherently smarter than an Ubuntu
> user.
Fair enough. I wish we had some evidence either way. A lot of
decisions seem to be made with the weakest user in mind.
>>
>> - Emplyee A does something acceptable, encounters and AVC
>> - AVC reported to sysadmin
>> - Auto fix attempts fail
>> - request denied
>> - sysadmin reviews, decided to allow all such AVCs
>>
>> then
>>
>> - Emplyee A does same acceptable thing, encounters and AVC
>> - AVC reported to sysadmin
>> - activity found whitelisted
>> - auto fix tool allows
>
> For Enterprise desktops and RHEL something like that is what I would
> rather see. For non sysadmin maintained desktop, a community AVC dump
> with some responsible person who can allow/disallow things.
Agreed, except I'd pluralize your 'person' to 'persons'
> Eventually the policy would be updated of course and rolled out.
Of course. I'll admit that I do have SELinux disabled on my desktops
and testboxes. But if such a tool was implemented, I would enable it
if only to help out.
--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
More information about the fedora-devel-list
mailing list