Stewart Adam wrote:
> Hi,
>
> After the recent SELinux discussion (and the several ones before it),
> it's pretty clear that users are having problems with SELinux but at the
> same time SELinux is an important aspect to system security so it isn't
> going anywhere. Instead of asking to turn SELinux off, let's work
> towards making SELinux "just work" since that will provide the good user
> experience and the extra security.
>
> I was thinking of ways that Fedora could improve user <--> SELinux
> interaction, and I thought that creating a kerneloops-like plugin for
> setroubleshoot would be a good way to collect data about denials.
> Similar to kerneloops, this would allow for statistics on where denials
> occur most and that way the policy can be modified accordingly.
> Ultimately, this leads to a better user experience with Fedora. I took a
> quick look at the setroubleshoot plugin system and it shouldn't be too
> hard to get this started but some extra help would be great.
>
> Beyond this it would probably be good to rework the interface of
> system-config-selinux tool to make it easier to use for the average
> user. Sure, editing /etc/sysconfig/selinux is easy but the average user
> doesn't know how and shouldn't have to spend an hour trying to figure it
> out, especially if this is their first time using Linux.
>
> Feedback, ideas and comments are welcome. I'd like to know what you
> think before starting any work on any of this.
>
> Stewart
>

John Dennis designed setroubleshoot to be able to send its messages to
an upstream collector. It seems to me that adding a button to report the
message upstream would be easy. The problem is where is the upstream
infrastructure to handle all the messages. dwalsh@xxxxxxxxxxx is
probably not a good place. :^)

Of course if we took the XML data we could run it through some tools to
see if the AVC was fixed by a newer version of policy.
audit2why will report when policy is fixed by the current policy.
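
The denial statistics proposed in this thread, sketched as an added example (not code from setroubleshoot or from either poster): it tallies AVC denials from audit.log text by source type, target type, class and permission. The sample records are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit.log records (not taken from any real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1216300001.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda1 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1216300002.202:42): avc:  denied  { read getattr } for  pid=2102 comm="httpd" name="a.css" dev=sda1 ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1216300002.202:42): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1216300003.303:43): avc:  denied  { name_bind } for  pid=2200 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1216300004.404:44): avc:  granted  { setenforce } for  pid=2300 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, permission) per denied permission.

    Only policy-relevant fields are kept; pid, file names, inode numbers and
    MLS levels are dropped, so nothing host-specific ends up in the tally.
    """
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue                      # SYSCALL and other record types
        m = AVC_RE.search(line)
        if m is None:                     # "granted" records or malformed lines
            continue
        src, tgt = selinux_type(m["scontext"]), selinux_type(m["tcontext"])
        for perm in m["perms"].split():
            yield (src, tgt, m["tclass"], perm)

def top_denials(log_text, n=10):
    """Rank denial signatures by frequency, most common first."""
    return Counter(parse_denials(log_text)).most_common(n)

if __name__ == "__main__":
    for (src, tgt, tclass, perm), count in top_denials(SAMPLE_LOG):
        print(f"{count:3d}  {src} -> {tgt}:{tclass} {{ {perm} }}")
```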