On Jan 4, 2008 4:30 PM, Jonathan Underwood <jonathan.underwood@xxxxxxxxx> wrote:
> On 04/01/2008, John Dennis <jdennis@xxxxxxxxxx> wrote:
> > Ed Swierk wrote:
> > > People who already know about SELinux can of course just learn to type
> > > ls -l --lcontext, but showing the extra information by default would
> > > at least give clueless users like me a hint that files have these
> > > extra attributes that might somehow be relevant to those strange
> > > openvpn failures. IMHO this would be the single best usability
> > > improvement to SELinux
> >
> > Re SELinux usability issues:
> >
> > We wrote the setroubleshoot package precisely to help SELinux novice
> > users so they wouldn't suffer with hidden obscure failures of the type
> > which have frustrated you. If it had been installed you would have
> > received notifications in real time on your desktop describing the
> > failure and suggestions on how to fix it.
>
> The problem is, the notifications don't tell you much more than the
> obscure avc denial in most cases. But there's a bigger problem than
> that. Here's what happens when most people have an avc denial:
>
> 1) setroubleshoot pops up detailing the denial. The only really
> intelligible part of the information there to the non expert is
> "please file a report in bugzilla".

I don't know how the GUI version works, maybe you should try the console version.

>
> 2) User thinks "oh, must be yet another problem with the selinux
> policy" and files a bug.

Why wouldn't they think "oh the program I am using and which is being denied by SELinux might have a bug"?

> 3) Dan or his team fix the problem with the policy extremely rapidly.
> New policy packages are installed.

Are you referring to a specific policy?

> 4) Goto 1.
>
> The problem is: setroubleshoot teaches average users that avc denials
> come about due to bugs in selinux policy.

I get the feeling you're referring to some specific incident(s), as I have never had an avc denial due to a SELinux bug (as far as I can remember).

> If there was some massive
> security problem right now on my machine causing avc denials I'd
> probably react by filing a stack of bug reports. This is the
> fundamental problem as it stands with SELinux.

No offence, but you _really_ should check the message before you file a bug as it often makes sense. Or has SELinux taken a nose dive in F8 that I don't know about?

> If it was working, we
> would be in a situation where the first response to an avc denial is
> "OMG there's a security issue with something running on my machine, I
> must fix that".

Again, I'm maybe missing information... but that's my first response when I see an SELinux denial, esp. after it saved me from being rooted once.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )