[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux



On Thu, Jul 17, 2008 at 3:24 PM, Ahmed Kamal
<email ahmedkamal googlemail com> wrote:
> another idea, is when a denial occurs, and we get this nice balloon,
> it would contain 2 buttons
> - AutoFix: automatically attempts changing the offending file's
> context, as per the recommended action

Fair solution, setroubleshoot is normally on the money.

> - Exempt: changes the policy such that the offended application runs
> in an unrestricted selinux domain.

While this would get the job done. It is really a bad idea as it makes
having SELinux on useless for most folks -- they might as well just
disable it

Plus it reminds me of the deny||allow stories i hear about in MS Vista.


> IMHO, the policies will never be perfect. Mortals can't really "fix"
> the policy coz it's too complex. The Exempt is what the end users
> need, or they turn off the whole thing


-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]