[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux



On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied redhat com> wrote:
> On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
>> - Autofix seems like a good idea
>> - Perhaps Exempt button should only appear, if AutoFix doesn't work
>> (not sure how to detect that)
>> - To avoid a system user clicking Exempt, perhaps Exempt should only
>> exempt the application only this time. i.e., when the application is
>> launched again, it will generate a selinux warning again. That way,
>> the user still reports the issue to get it properly fixed, but at the
>> time, has the tools to get his work done and his apps running when he
>> needs them
>>
>
> NO NO NO ... DOING IT WRONG.
>
> Don't ever ask the user for this kind of info, it would be better to go
> ping a remote server and download a newer policy than ask the user.

Well I think in his suggested use case, he's assuming a genuine bug in
the policy which hasn't yet been fixed.


> The user is not going to have a freaking clue wtf exempting means.

Agreed

> Didn't you guys see the Mac vs Windows ADs on TV?

That came to mind, was kinda scary.


> kerneloops does it right, opt in, send somewhere useful, next step if
> somewhere useful has seen the AVC and we knows its safe, maybe send
> something back saying continue and ignore, but don't involve the user in
> the mess other than asking for opt-in.

This may be a good idea. Have the service make a decision to continue
deny on temporarily allow based on available knowledge from the
server.

How much private info if any would be in the average AVC?

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]