Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Ahmed Kamal email.ahmedkamal at googlemail.com
Thu Jul 17 23:26:23 UTC 2008


I'd say I am a pretty knowledgeable Linux user. However, when I see an
AVC denial, and the recommended chcon doesn't fix it, I'm pretty much
lost! I need to launch that server or that application NOW, and
SELinux is stopping that ... and the policy won't be fixed for days;
it won't even be fixed at all if that's a 3rd party app! I need
something to help me launch my apps if I so choose! A 95% SELinux
protected system is so much better than one with it disabled, which
is what I always seem to end up doing to get my work done!

PS: To all security-aholics, helping the user launch his apps and get
his work done is every bit as important as having a well-secured
system, if not a tad bit more important.

On Fri, Jul 18, 2008 at 2:15 AM, Arthur Pemberton <pemboa at gmail.com> wrote:
> On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied at redhat.com> wrote:
>> Even so, don't let the user know, clearly they won't do the right thing,
>> and you end up training them with the wrong behaviour. Stop thinking of
>> the user as someone who knows or cares what a policy/selinux or an
>> exemption is.
>
> While I agree with your statement as is, it is my unverified suspicion
> that 'fedora user' is significantly different from 'user'.
>
> Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think
> we may be able to expect a bit more from the average Fedora user...
>
> which leads me to another idea. Would probably be great if we could
> have all AVCs copied easily to a central machine for those who use
> Fedora in enterprise type environments.
>
> Example:
>
> - Employee A does something acceptable, encounters an AVC
> - AVC reported to sysadmin
> - Auto fix attempts fail
> - request denied
> - sysadmin reviews, decides to allow all such AVCs
>
> then
>
> - Employee A does the same acceptable thing, encounters an AVC
> - AVC reported to sysadmin
> - activity found whitelisted
> - auto fix tool allows
>
> But that may be overkill.
>
> --
> Fedora 7 : sipping some of that moonshine
> ( www.pembo13.com )
>
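As an added illustration, not code from the thread or from Fedora: the report-and-whitelist loop Arthur sketches, reduced to parsing AVC denial lines from the audit log and deciding per (source type, target type, object class, permissions) whether the sysadmin has already approved them. The audit lines and the allow-list below are constructed samples; the decision only says whether to escalate, it does not write any policy.

```python
import re
from collections import namedtuple

# Constructed sample audit lines (not from the thread): a denial the sysadmin has
# already reviewed, and one that has not been seen before.
SAMPLE_LOG = [
    'type=AVC msg=audit(1216338383.123:456): avc:  denied  { read } for  pid=1234 '
    'comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1216338390.555:457): avc:  denied  { write } for  pid=1234 '
    'comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]
# Constructed allow-list keyed by (source type, target type, object class):
# the sysadmin has decided httpd may read and stat files under home directories.
ALLOWLIST = {("httpd_t", "user_home_t", "file"): {"read", "getattr"}}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AvcEvent = namedtuple("AvcEvent", "perms comm scontext tcontext tclass")

def parse_avc(line):
    """Return an AvcEvent for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcEvent(tuple(sorted(m.group("perms").split())), fields.get("comm", ""),
                    fields["scontext"], fields["tcontext"], fields["tclass"])

def type_of(context):
    """Extract the type from a user:role:type[:level] SELinux context."""
    return context.split(":")[2]

def decide(event, allowlist):
    """'allow' when every denied permission was pre-approved for this
    (source type, target type, class); otherwise 'escalate' to the sysadmin."""
    key = (type_of(event.scontext), type_of(event.tcontext), event.tclass)
    return "allow" if set(event.perms) <= allowlist.get(key, set()) else "escalate"

def triage(lines, allowlist=ALLOWLIST):
    """Map each AVC line in the feed to (comm, decision); non-AVC lines are skipped."""
    events = (parse_avc(line) for line in lines)
    return [(e.comm, decide(e, allowlist)) for e in events if e is not None]
```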
