Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

[Dave Airlie]

On Thu, 2008-07-17 at 18:46 -0500, Arthur Pemberton wrote:
> On Thu, Jul 17, 2008 at 6:26 PM, Ahmed Kamal
> <email.ahmedkamal at googlemail.com> wrote:
> > I'd say I am a pretty knowledgeable Linux user. However, when I see an
> > AVC denial, and the recommended chcon doesn't fix it, I'm pretty much
> > lost! I need to launch that server or that application NOW, and
> > selinux is stopping that ... and the policy won't be fixed for days,
> > it won't even be fixed at all if that's a 3rd party app! I need
> > something to help me launch my apps if I so choose! a 95% selinux
> > protected system, is so much better than one with it disabled, which
> > what I always seem to end up doing to get my work done!
> >
> > PS: To all security-aholics, helping the user launch his apps and get
> > his work done, is every bit as important as having a well secured
> > system, if not a tad bit more important
> 
> While I understand your sentiments, I have problems empathizing with
> it as I haven't had such a problem with SELinux since FC2.
> 
> I do agree that having a user be able to launch an important
> app/service should take precedence, though I am not sure that a 80%
> SELinux protected machine is better than one with SELinux disabled --
> that's debatable I guess.

Now how do we distinguish between a user launching his essential work to
get done app, and a user being pwned. Both scenarios will look the same
and if both scenarios end up in a dialog box with exempt in it, the
guess what will happen.

Dave.