[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux



Ahmed Kamal wrote:
another idea, is when a denial occurs, and we get this nice balloon,
it would contain 2 buttons
- AutoFix: automatically attempts changing the offending file's
context, as per the recommended action

This is a sharp edge for users to cut themselves on. It would be nice if we would detect when the error was a result of inconsistencies though (such as the file label not matching policy).

IMHO, we should be able to do the following:

- We should have exempt, which ignores the denial for now. It also flags the issue upstream. Denial messages for the exempt process are then rerouted to a safe place. - Whenever policy-kit is updated, the exemptions are reevaluated and removed if they should be addressed. - We should come up with some secure way of quickly propagating information about known selinux issues, so that denial warnings can be suppressed until a fix is available - There should be more graphical tools for manipulating policy itself. The user should be able to see a list of local policy exceptions they have made.

--CJD


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]