[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Request to re-add option to disable SELinux



Mike Chambers wrote:
On Thu, 2008-07-03 at 04:29 -0400, Alan Cox wrote:

Sorry if I sound fed up of all of this but I spent 9 months fighting people
years back to get firewalling enabled by default, and that had all the same
arguments. Today nobody (even Microsoft) would propose otherwise.

This is the same thing ..

As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
could prompt/fix common mislabelling (eg html files)

I agree with Alan here, that if selinux is indeed a great program to
help secure the OS and anything else, it at least needs to be a LOT more
user friendly.
Ok, don't give me this MS to linux compare bit on what I am comparing
next, it's the comparing of wording and concept it's done in, not
details and stuff LOL.  Anyway, Vista came out with that (I forget the
damn program name) program that when certain programs/files run, you get
a dialog box that you have to continue (to allow it to run) or cancel.
Now, no this isn't exactly the same, but it is in a way.  They both
provide a little better security than with out it.  BUT, in Vista, the
user doesn't have to relabel something, or go to the CLI, or whatever.
They get a little question stating this program wants to run, do you
give it permission.  That's it, nothing else (might not like that dialog
all the time though, I am sure).  And that is what I am trying to say
for selinux, that it needs to allow things to do what they need, and if
not, a simple little question or whatever to allow it.  The user should
NOT have to go to the CLI for anything.  They shouldn't have to do this
command or that command, JUST HIT YES OR NO!!

Working to add a simple 'press yes or no' is an exercise in futility... general users unquestioningly press yes and go on with their business whether they should have or not. There is no effective difference from turning SELinux off. If/When a program misbehaves and represents a security risk the user will have no means to know whether it should or should not be allowed... and training to say yes just because its an action they 'initiated by clicking' is horrible.

I would agree that some GUI tools would be a great fix, but not in the way Vista has chosen to do them, because that is a fake and pointless security comfort blanket and nothing more. For these actions the user should at minimum have to type an administrator password (for instance any user/pass combo that has adequate PolicyKit authorization to make selinux policy changes).

Well anyway, not ranting or raving.  Just trying to maybe help clarify
what Jon was talking about, and what Alan was saying.  SELinux I am sure
is a wonderful thing, and just needs to be I guess, dumbed down or
whatever so the user clearly understands what it is doing or not doing
and to present the user with simple to do questions/answers/buttons or
whatever to push/answer.

The problem is that the general user does NOT understand even with the explanation given. I've been struggling to understand selinux myself for several years and it is far from clear what is happening and why all the time. What is more difficult is knowing whether that application should have been allowed to do what it tried to do, and I'm far from a general desktop user.

SETroubleshoot is a great step forward for helping users know why selinux denials occur, but a simple dialog box will NEVER be adequate for a general user to know whether the application is doing something inappropriate, and whether they should force it to be allowed or not.

--
Andrew Farris <lordmorgul gmail com> www.lordmorgul.net
 gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB  5BD5 5F89 8E1B 8300 BF29


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]