Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux
Daniel J Walsh
dwalsh at redhat.com
Fri Jul 18 13:12:09 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Daniel J Walsh wrote:
> Arthur Pemberton wrote:
>> On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied at redhat.com> wrote:
>>> On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
>>>> - Autofix seems like a good idea
>>>> - Perhaps Exempt button should only appear, if AutoFix doesn't work
>>>> (not sure how to detect that)
>>>> - To avoid a system user clicking Exempt, perhaps Exempt should only
>>>> exempt the application only this time. i.e., when the application is
>>>> launched again, it will generate a selinux warning again. That way,
>>>> the user still reports the issue to get it properly fixed, but at the
>>>> time, has the tools to get his work done and his apps running when he
>>>> needs them
>>>>
>>> NO NO NO ... DOING IT WRONG.
>>>
>>> Don't ever ask the user for this kind of info, it would be better to go
>>> ping a remote server and download a newer policy than ask the user.
>> Well I think in his suggested use case, he's assuming a genuine bug in
>> the policy which hasn't yet been fixed.
>
>
>>> The user is not going to have a freaking clue wtf exempting means.
>> Agreed
>
>>> Didn't you guys see the Mac vs Windows ADs on TV?
>> That came to mind, was kinda scary.
>
>
>>> kerneloops does it right, opt in, send somewhere useful, next step if
>>> somewhere useful has seen the AVC and we knows its safe, maybe send
>>> something back saying continue and ignore, but don't involve the user in
>>> the mess other than asking for opt-in.
>> This may be a good idea. Have the service make a decision to continue
>> deny on temporarily allow based on available knowledge from the
>> server.
>
>> How much private info if any would be in the average AVC?
>
> Hostname, filename, potentially username, rpm information. What apps
> they are running.
One other concern about report this AVC upstream, is a lot of these
avc's are handled properly by the troubleshooter. As an example the
ldap query about the mislabled file. Some of the plugins currently have
a please bugzilla this context while others are pretty sure they know
the problem. So we maybe want to have the report this upstream button,
only show up when setroubleshoot is baffled.
A lot of bugzilla's I get cut and paste the setroubleshoot window and
then I respond by saying "Do what the troubleshouter told you to do!"
Closed Not a Bug.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkiAlqkACgkQrlYvE4MpobP8CACgsXuUINAzvqkZKOSDN/mqF3Ip
56AAoOXEga5M8UyxlVYzcZKquP1C8dsb
=pDkk
-----END PGP SIGNATURE-----
More information about the fedora-devel-list
mailing list