I'd say I am a pretty knowledgeable Linux user. However, when I see an AVC denial, and the recommended chcon doesn't fix it, I'm pretty much lost! I need to launch that server or that application NOW, and SELinux is stopping that ... and the policy won't be fixed for days, it won't even be fixed at all if that's a 3rd party app! I need something to help me launch my apps if I so choose! A 95% SELinux-protected system is so much better than one with it disabled, which is what I always seem to end up doing to get my work done!

PS: To all security-aholics, helping the user launch his apps and get his work done is every bit as important as having a well secured system, if not a tad bit more important.

On Fri, Jul 18, 2008 at 2:15 AM, Arthur Pemberton <pemboa@xxxxxxxxx> wrote:
> On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied@xxxxxxxxxx> wrote:
>> Even so, don't let the user know, clearly they won't do the right thing,
>> and you end up training them with the wrong behaviour. Stop thinking of
>> the user being someone who knows or cares what a policy/SELinux or an
>> exemption is.
>
> While I agree with your statement as is, it is my unverified suspicion
> that 'fedora user' is significantly different from 'user'.
>
> Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think
> we may be able to expect a bit more from the average Fedora user...
>
> which leads me to another idea. Would probably be great if we could
> have all AVCs copied easily to a central machine for those who use
> Fedora in enterprise type environments.
>
> Example:
>
> - Employee A does something acceptable, encounters an AVC
> - AVC reported to sysadmin
> - Auto fix attempts fail
> - request denied
> - sysadmin reviews, decides to allow all such AVCs
>
> then
>
> - Employee A does same acceptable thing, encounters an AVC
> - AVC reported to sysadmin
> - activity found whitelisted
> - auto fix tool allows
>
> But that may be overkill.
>
> --
> Fedora 7 : sipping some of that moonshine
> ( www.pembo13.com )
>
> --
> fedora-devel-list mailing list
> fedora-devel-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
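
The central review workflow sketched in the quoted message, as an added example (not part of the thread, and not code from Fedora or any SELinux tool): it parses AVC denials from audit-log lines and sorts them by whether a sysadmin-approved allowlist already covers them. The log lines, the `APPROVED` table and all function names are constructed for illustration; the script only classifies denials and changes no policy.

```python
import re

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1216339200.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda1 ino=7731 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1216339260.412:57): avc:  denied  { name_bind } for  pid=2188 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1216339260.412:57): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1216339300.007:63): avc:  denied  { read write } for  pid=2101 comm="httpd" name="index.html" dev=sda1 ino=7731 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    stype = m["scon"].split(":")[2]
    ttype = m["tcon"].split(":")[2]
    return stype, ttype, m["tclass"], frozenset(m["perms"].split())

def triage(log_text, approved):
    """Split denials into (covered by an approved rule, needing sysadmin review).

    approved maps (source_type, target_type, tclass) -> set of reviewed perms.
    A denial is covered only if every denied permission was reviewed, so a
    broader request than the one the sysadmin approved still goes to a human.
    """
    covered, review = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype, ttype, tclass, perms = rec
        allowed = approved.get((stype, ttype, tclass), frozenset())
        (covered if perms and perms <= allowed else review).append(rec)
    return covered, review

# Constructed allowlist: the sysadmin reviewed httpd reading home-directory files.
APPROVED = {("httpd_t", "user_home_t", "file"): frozenset({"read"})}

if __name__ == "__main__":
    covered, review = triage(SAMPLE_LOG, APPROVED)
    print("covered by approved rules:", covered)
    print("needs sysadmin review:", review)
```

The third AVC record repeats the approved access but also asks for `write`, so it lands in the review queue rather than being matched by the earlier approval.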