Another selinux rant

Arthur Pemberton pemboa at gmail.com
Sat Jan 5 07:36:22 UTC 2008


On Jan 5, 2008 12:33 AM, Ralf Corsepius <rc040203 at freenet.de> wrote:
>
> On Fri, 2008-01-04 at 12:07 -0500, John Dennis wrote:
> > Ed Swierk wrote:
> > > People who already know about SELinux can of course just learn to type
> > > ls -l --lcontext, but showing the extra information by default would
> > > at least give clueless users like me a hint that files have these
> > > extra attributes that might somehow be relevant to those strange
> > > openvpn failures. IMHO this would be the single best usability
> > > improvement to SELinux
> >
> > Re SELinux usability issues:
> >
> > We wrote the setroubleshoot package precisely to help SELinux novice
> > users so they wouldn't suffer with hidden obscure failures of the type
> > which have frustrated you. If it had been installed you would have
> > received notifications in real time on your desktop describing the
> > failure and suggestions on how to fix it.
> Well, honorable goal, but does it actually achieve this goal?
>
> * On one machine (FC8/x86_64), for me, all setroubleshoot does is to die
> shortly after bootup and first-time login (I haven't tried to
> investigate, but as it seems to me some serelated daemon is
> segfaulting).

You don't possibly think that this is the regular behaviour of
setroubleshoot on which you can judge it?

> * Is it appropriate to inform arbitrary ordinary users about SELinux
> issues? Maybe this on single user/non-networked machines, but I don't
> think this is the right concept for a networked environment in which
> "ordinary user" normally isn't the system admin.

I'm not sure I understand the criticism here.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



