Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux
Daniel J Walsh
dwalsh at redhat.com
Fri Jul 18 12:56:21 UTC 2008
Dave Airlie wrote:
> On Thu, 2008-07-17 at 18:15 -0500, Arthur Pemberton wrote:
>> On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied at redhat.com> wrote:
>>> Even so, don't let the user know, clearly they won't do the right thing,
>>> and you end up training them with the wrong behaviour. stop thinking of
>>> the user being someone who knows or cares what a policy/selinux or an
>>> exemption is.
>> While I agree with your statement as is, it is my unverified suspicion
>> that 'fedora user' is significantly different from 'user'.
>>
>> Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think
>> we may be able to expect a bit more from the average Fedora user...
>>
>> which leads me to another idea. Would probably be great if we could
>> have all AVCs copied easily to a central machine for those who use
>> Fedora in enterprise type environments.
>
> You know you just contradicted yourself :)
>
> If we want Fedora and by inheritance RHEL/CentOS to be useable on
> enterprise desktops or even consumer desktops we cannot assume we know
> what a "Fedora user" is. So we shouldn't be basing any decisions on the
> fact we might think a Fedora user is inherently smarter than an Ubuntu
> user.
>
>
>> - Employee A does something acceptable, encounters an AVC
>> - AVC reported to sysadmin
>> - Auto fix attempts fail
>> - request denied
>> - sysadmin reviews, decides to allow all such AVCs
>>
>> then
>>
>> - Employee A does same acceptable thing, encounters an AVC
>> - AVC reported to sysadmin
>> - activity found whitelisted
>> - auto fix tool allows
>
> For Enterprise desktops and RHEL something like that is what I would
> rather see. For non sysadmin maintained desktop, a community AVC dump
> with some responsible person who can allow/disallow things.
>
> Eventually the policy would be updated of course and rolled out.
>
> Dave.
>
Managed desktops in RHEL/CentOS should not even be running sealert; these
messages should be going to a centralized location for the sysadmin to
monitor.