Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Gilboa Davara gilboad at gmail.com
Tue Jul 22 14:15:44 UTC 2008


On Thu, 2008-07-17 at 17:03 -0400, Casey Dahlin wrote:
> Ahmed Kamal wrote:
> > another idea, is when a denial occurs, and we get this nice balloon,
> > it would contain 2 buttons
> > - AutoFix: automatically attempts changing the offending file's
> > context, as per the recommended action
> >   
> 
> This is a sharp edge for users to cut themselves on. It would be nice if 
> we would detect when the error was a result of inconsistencies though 
> (such as the file label not matching policy).
> 
> IMHO, we should be able to do the following:
> 
> - We should have exempt, which ignores the denial for now. It also flags 
> the issue upstream. Denial messages for the exempt process are then 
> rerouted to a safe place.
> - Whenever policy-kit is updated, the exemptions are reevaluated and 
> removed if they should be addressed.
> - We should come up with some secure way of quickly propagating 
> information about known selinux issues, so that denial warnings can be 
> suppressed until a fix is available
> - There should be more graphical tools for manipulating policy itself. 
> The user should be able to see a list of local policy exceptions they 
> have made.
> 
> --CJD
> 

Couldn't exempt be (ab)used by an attacker if/when it becomes common
knowledge?

- Gilboa

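As an added illustration of the "detect when the error was a result of
inconsistencies (such as the file label not matching policy)" idea discussed
in the thread (this is example code, not anything from Fedora, setroubleshoot
or the proposal's author): the sketch below parses AVC denial lines and
splits them into "mislabel" (the file's actual type differs from what the
file-context specification says it should be, so restorecon is the right
fix) and "policy_gap" (the label is already what policy expects, so the
denial is a genuine policy question and relabeling would not help). The
FILE_CONTEXTS table and the SAMPLE_LOG lines are constructed stand-ins; on a
real system the expected type comes from matchpathcon(1) / the installed
policy, never from the denial message itself, which is exactly what keeps an
"AutoFix" from becoming the sharp edge described above.

```python
import re

# Constructed stand-in for the policy's file-context specification, i.e.
# what matchpathcon(1) or `semanage fcontext -l` would return on a real
# host. Entries are (regex over the path, expected SELinux type).
FILE_CONTEXTS = [
    (r"^/var/www(/.*)?$", "httpd_sys_content_t"),
    (r"^/etc/httpd(/.*)?$", "httpd_config_t"),
    (r"^/home/[^/]+(/.*)?$", "user_home_t"),
]

# Constructed sample audit records (not taken from any real system).
SAMPLE_LOG = [
    'type=AVC msg=audit(1216737344.123:45): avc:  denied  { read } for  '
    'pid=1234 comm="httpd" path="/var/www/html/index.html" dev=sda1 ino=5678 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1216737360.500:46): avc:  denied  { write } for  '
    'pid=1234 comm="httpd" path="/var/www/html/uploads" dev=sda1 ino=9012 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    if "tcontext" not in rec or "scontext" not in rec:
        return None
    return rec


def selinux_type(context):
    """Pick the type field out of user:role:type[:range]."""
    return context.split(":")[2]


def expected_type(path):
    """First matching file-context entry wins, mirroring fcontext lookup."""
    for pattern, setype in FILE_CONTEXTS:
        if re.match(pattern, path):
            return setype
    return None


def classify(line):
    """Decide whether a denial is a labeling inconsistency or a policy gap."""
    rec = parse_avc(line)
    if rec is None:
        return None
    path = rec.get("path")
    actual = selinux_type(rec["tcontext"])
    expected = expected_type(path) if path else None
    if expected is not None and expected != actual:
        verdict = "mislabel"          # restorecon would bring it in line
        action = "restorecon -v %s" % path
    else:
        verdict = "policy_gap"        # label already correct; report it
        action = "do not relabel; report denial to policy maintainers"
    return {
        "verdict": verdict,
        "action": action,
        "path": path,
        "comm": rec.get("comm"),
        "perms": rec["perms"],
        "actual_type": actual,
        "expected_type": expected,
    }


def triage(lines):
    """Classify every AVC denial in an iterable of audit log lines."""
    return [r for r in (classify(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result["verdict"], result["comm"], result["path"], "->",
              result["action"])
```

Note that the second sample is a write denied on a directory that already
carries the type policy assigns it; no amount of relabeling changes that, so
an AutoFix button that blindly ran restorecon would simply report "fixed"
and leave the denial in place, while a button that "exempts" it is the case
raised at the end of the thread.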