Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Dave Airlie airlied at redhat.com
Thu Jul 17 23:00:56 UTC 2008


On Thu, 2008-07-17 at 17:57 -0500, Arthur Pemberton wrote:
> On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied at redhat.com> wrote:
> > On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
> >> - Autofix seems like a good idea
> >> - Perhaps Exempt button should only appear, if AutoFix doesn't work
> >> (not sure how to detect that)
> >> - To avoid a system user clicking Exempt, perhaps Exempt should only
> >> exempt the application this time, i.e., when the application is
> >> launched again, it will generate a selinux warning again. That way,
> >> the user still reports the issue to get it properly fixed, but at the
> >> same time has the tools to get his work done and his apps running when he
> >> needs them
> >>
> >
> > NO NO NO ... DOING IT WRONG.
> >
> > Don't ever ask the user for this kind of info, it would be better to go
> > ping a remote server and download a newer policy than ask the user.
> 
> Well I think in his suggested use case, he's assuming a genuine bug in
> the policy which hasn't yet been fixed.


Even so, don't let the user know; clearly they won't do the right thing,
and you end up training them with the wrong behaviour. Stop thinking of
the user as someone who knows or cares what a policy, SELinux or an
exemption is.

> 
> > The user is not going to have a freaking clue wtf exempting means.
> 
> Agreed
> 
> > Didn't you guys see the Mac vs Windows ads on TV?
> 
> That came to mind, was kinda scary.
> 
> 
> > kerneloops does it right: opt in, send somewhere useful; next step, if
> > somewhere useful has seen the AVC and we know it's safe, maybe send
> > something back saying continue and ignore, but don't involve the user in
> > the mess other than asking for opt-in.
> 
> This may be a good idea. Have the service make a decision to continue
> to deny or temporarily allow based on available knowledge from the
> server.
> 
> How much private info if any would be in the average AVC?

Good point. I am reminded of some of those totem backtraces with porn
movies in the backtrace :)

Dave.
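The opt-in flow Dave sketches above (send the AVC somewhere useful, let the server decide, send back "continue and ignore") and Arthur's question about how much private data an AVC carries, as an added example that is not part of the original thread and not Fedora's, kerneloops' or setroubleshoot's code: a small Python sketch that parses an AVC audit line, strips the fields that identify the user or their files before reporting, and matches the remaining policy signature against a table of denials a maintainer has already judged harmless. The sample AVC lines, the split between policy fields and private fields, and the KNOWN_SAFE table are all constructed for illustration.

```python
import re

# Constructed sample AVC lines for this example (not taken from any real
# system); they follow the key=value layout of SELinux AVC audit records.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1216335656.123:456): avc:  denied  { read } for  '
    'pid=1234 comm="totem" name="holiday-video.avi" dev=sda1 ino=12345 '
    'scontext=unconfined_u:unconfined_r:mplayer_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1216335700.001:457): avc:  denied  { name_connect } for  '
    'pid=2222 comm="httpd" dest=5432 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket',
]

# Fields that describe the policy problem. Everything else in the record
# (name, path, comm, pid, ino, dev, dest, ...) is treated as potentially
# private and never leaves the machine. This split is an assumption made
# for the example, not a rule from any project.
POLICY_FIELDS = ("decision", "perms", "scontext", "tcontext", "tclass")

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC audit line into a dict; None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    avc = {"decision": m.group(1), "perms": tuple(sorted(m.group(2).split()))}
    # Everything after the permission set is a run of key=value pairs;
    # quoted values (comm="totem") are unquoted.
    for key, value in FIELD_RE.findall(line[m.end():]):
        avc[key] = value.strip('"')
    return avc


def scrub_for_report(avc):
    """Keep only what a policy maintainer needs; drop user-identifying fields."""
    return {k: avc[k] for k in POLICY_FIELDS if k in avc}


def context_type(ctx):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def signature(avc):
    """The part of a denial that identifies a policy rule, independent of who hit it."""
    return (context_type(avc["scontext"]), context_type(avc["tcontext"]),
            avc["tclass"], avc["perms"])


# Constructed stand-in for the reporting server's knowledge: signatures a
# maintainer has already reviewed and judged safe to ignore on the client.
KNOWN_SAFE = {
    ("mplayer_t", "user_home_t", "file", ("read",)),
}


def server_decision(report, known_safe=KNOWN_SAFE):
    """What the server sends back for a scrubbed report: 'ignore' or 'deny'."""
    return "ignore" if signature(report) in known_safe else "deny"


def process(line, known_safe=KNOWN_SAFE):
    """Client side: parse, scrub, 'send' the report, and return (report, verdict)."""
    avc = parse_avc(line)
    if avc is None:
        return None
    report = scrub_for_report(avc)
    return report, server_decision(report, known_safe)


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        report, verdict = process(line)
        print(verdict, report)
```

Note that even the scrubbed report still carries the source domain and target type, which can reveal what software the user runs; whether that is acceptable is exactly the kind of question the opt-in prompt has to answer.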



