Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Tue Jul 22 23:47:16 UTC 2008

On Tue, Jul 22, 2008 at 6:37 PM, max bianco <maximilianbianco at gmail.com> wrote:
> 2008/7/22 David Nielsen <gnomeuser at gmail.com>:
>>
>> Any suggested solution that starts with "open a terminal" scares users,
>
> I understand. However I don't think adding an allow/deny button is the
> answer. I think the main problem is that most people don't understand
> what SELinux does, or more accurately how it does things.
>
>
>> additionally if they are required to be root in said terminal I would
>> hestitate to guess that we lose everyone except a bare minimum of users when
>> looking at the big picture - my mother surely should not be asked to do
>> this, the mere thought of her with the root password in hand terrifies me
>> add to that firing off random commands she has no idea what does - it's a
>> wonder Hollywood has yet to make a blockbuster horror movie following this
>> plot.
>
> It would make for a good movie:^) My mother uses Fedora and hasn't had
> any issues that were SELinux related. Email, music, web surfing are
> all she does. I doubt Aunt Tily is doing much more than that.
>
>
>> In terms of what SELinux does currently, it's an improvement over the
>> older releases but it's still far from being something I would let my mother
>> ticker with - and the policy currently has plenty of holes in terms of what
>> an average user might do, just the other day I discovered SELinux utter fail
>> when plugging in my iPod (this was fixed within days of being filed and as I
>> recall an update was pushed soon there after, so the response is generally
>> good but that is still some 2 weeks where aunt tilly can't use her iPod).
>> Should asking the user to drop to a terminal as root and issue commands
>> really be our first line of defence.. I certainly hope not. We really need
>> to be more proactive in gathering failures instead of relying on the user to
>> patch up the policy with mysterious cli magic.
>
> I agree a better job needs to done but until F9 it was optional was it
> not? Now you can turn it off but it is enabled by default,

On by default does not mean not optional. And if you meant opt-out, it
was opt-out, still is.

[ snip ]

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )