Another selinux rant

Arthur Pemberton pemboa at gmail.com
Fri Jan 4 22:47:12 UTC 2008


On Jan 4, 2008 4:30 PM, Jonathan Underwood <jonathan.underwood at gmail.com> wrote:
> On 04/01/2008, John Dennis <jdennis at redhat.com> wrote:
> > Ed Swierk wrote:
> > > People who already know about SELinux can of course just learn to type
> > > ls -l --lcontext, but showing the extra information by default would
> > > at least give clueless users like me a hint that files have these
> > > extra attributes that might somehow be relevant to those strange
> > > openvpn failures. IMHO this would be the single best usability
> > > improvement to SELinux
> >
> > Re SELinux usability issues:
> >
> > We wrote the setroubleshoot package precisely to help SELinux novice
> > users so they wouldn't suffer with hidden obscure failures of the type
> > which have frustrated you. If it had been installed you would have
> > received notifications in real time on your desktop describing the
> > failure and suggestions on how to fix it.
>
> The problem is, the notifications don't tell you much more than the
> obscure avc denial in most cases. But there's a bigger problem than
> that. Here's what happens when most people have an avc denial:
>
> 1) setroubleshoot pops up detailing the denial. The only really
> intelligible part of the information there to the non expert is
> "please file a report in bugzilla".

I don't know how the GUI version works, maybe you should try the
console version.

>
> 2) User thinks "oh, must be yet another problem with the selinux
> policy" and files a bug.

Why wouldn't they think "oh, the program I am using and which is being
denied by SELinux might have a bug"?

> 3) Dan or his team fix the problem with the policy extremely rapidly.
> New policy packages are installed.

Are you referring to a specific policy?

> 4) Goto 1.
>
> The problem is: setroubleshoot teaches average users that avc denials
> come about due to bugs in selinux policy.

I get the feeling you're referring to some specific incident(s), as I
have never had an avc denial due to a SELinux bug (as far as I can
remember).

> If there was some massive
> security problem right now on my machine causing avc denials I'd
> probably react by filing a stack of bug reports. This is the
> fundamental problem as it stands with SElinux.

No offence, but you _really_ should check the message before you file
a bug, as it often makes sense. Or has SELinux taken a nose dive in F8
that I don't know about?

> If it was working, we
> would be in a situation where the first response to an avc denial is
> "OMG there's a security issue with something running on my machine, I
> must fix that".

Again, I'm maybe missing information... but that's my first response
when I see a SELinux denial, esp. after it saved me from being rooted
once.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
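The check the reply above argues for, actually reading the "avc: denied" line before deciding whether it is a policy bug, a mislabelled file or something worse, as an added example that is not part of the original thread. The audit lines it parses are constructed for the example, and the "sensitive target types" and "home directory types" lists are this example's own triage heuristic, not anything setroubleshoot or the Fedora policy defines.

```python
"""Triage SELinux AVC denials before filing a bug (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt: two denials of the openvpn-reads-config-in-home
# kind the thread talks about, one that should worry you, and one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199486400.123:456): avc:  denied  { read } for  pid=2812 comm="openvpn" name="client.conf" dev=sda2 ino=131077 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1199486401.321:457): avc:  denied  { read open } for  pid=2812 comm="openvpn" name="client.key" dev=sda2 ino=131078 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1199486402.555:458): avc:  denied  { read } for  pid=3190 comm="httpd" name="shadow" dev=sda2 ino=49217 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1199486402.555:458): arch=c000003e syscall=2 success=no exit=-13
"""

# Kernel AVC record: 'avc:  denied  { perm perm } for  key=value key="value" ...'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Example heuristic only (assumption): targets a confined daemon should never touch,
# and the home-directory types that usually mean "you put the config in the wrong place".
SENSITIVE_TARGET_TYPES = {"shadow_t", "security_t", "selinux_config_t"}
HOME_TYPES = {"user_home_t", "user_home_dir_t"}


def selinux_type(context):
    """'user:role:type[:range]' -> 'type'."""
    return context.split(":")[2]


def parse_avc_log(text):
    """Return one dict per 'avc: denied' record; SYSCALL/PATH/CWD records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append({
            "perms": sorted(m.group("perms").split()),
            "comm": fields.get("comm", "?"),
            "pid": fields.get("pid", "?"),
            "name": fields.get("name", fields.get("path", "?")),
            "stype": selinux_type(fields["scontext"]),
            "ttype": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return denials


def summarize(denials):
    """Group by (source type, target type, class) -> sorted list of denied permissions."""
    groups = defaultdict(set)
    for d in denials:
        groups[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def allow_rule(stype, ttype, tclass, perms):
    """The policy-language rule that would silence this denial (the audit2allow shape)."""
    p = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, p)


def triage(stype, ttype, tclass):
    """Decide what kind of problem the denial most likely is (example heuristic)."""
    if ttype in SENSITIVE_TARGET_TYPES:
        return "investigate: %s reaching for %s; do not just allow it" % (stype, ttype)
    if ttype in HOME_TYPES:
        return "check label: a daemon was pointed at a home-directory file; relabel or move it"
    return "policy: if the access is legitimate, report it with the rule below"


def report(text):
    """Human-readable triage of every denial group in an audit log excerpt."""
    lines = []
    for (stype, ttype, tclass), perms in summarize(parse_avc_log(text)).items():
        lines.append("%s -> %s:%s %s" % (stype, ttype, tclass, " ".join(perms)))
        lines.append("  " + triage(stype, ttype, tclass))
        lines.append("  " + allow_rule(stype, ttype, tclass, perms))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```

On the constructed sample the openvpn denials collapse into one group pointing at a file labelled user_home_t, which is the "fix the label, not the policy" case, while the httpd-reads-shadow_t line is the one the reply has in mind when it says the first reaction should be to worry rather than to file a bug.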

More information about the fedora-devel-list mailing list