Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux
Casey Dahlin
cdahlin at redhat.com
Thu Jul 17 21:03:56 UTC 2008
Ahmed Kamal wrote:
> another idea, is when a denial occurs, and we get this nice balloon,
> it would contain 2 buttons
> - AutoFix: automatically attempts changing the offending file's
> context, as per the recommended action
>
This is a sharp edge for users to cut themselves on. It would be nice if
we would detect when the error was a result of inconsistencies though
(such as the file label not matching policy).
IMHO, we should be able to do the following:
- We should have exempt, which ignores the denial for now. It also flags
the issue upstream. Denial messages for the exempt process are then
rerouted to a safe place.
- Whenever policy-kit is updated, the exemptions are reevaluated and
removed if they should be addressed.
- We should come up with some secure way of quickly propagating
information about known selinux issues, so that denial warnings can be
suppressed until a fix is available
- There should be more graphical tools for manipulating policy itself.
The user should be able to see a list of local policy exceptions they
have made.
--CJD
More information about the fedora-devel-list
mailing list