Arthur Pemberton wrote:
> On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied@xxxxxxxxxx> wrote:
>> On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
>>> - Autofix seems like a good idea
>>> - Perhaps Exempt button should only appear, if AutoFix doesn't work
>>> (not sure how to detect that)
>>> - To avoid a system user clicking Exempt, perhaps Exempt should only
>>> exempt the application only this time. i.e., when the application is
>>> launched again, it will generate a selinux warning again. That way,
>>> the user still reports the issue to get it properly fixed, but at the
>>> time, has the tools to get his work done and his apps running when he
>>> needs them
>>>
>> NO NO NO ... DOING IT WRONG.
>>
>> Don't ever ask the user for this kind of info, it would be better to go
>> ping a remote server and download a newer policy than ask the user.
>
> Well I think in his suggested use case, he's assuming a genuine bug in
> the policy which hasn't yet been fixed.
>
>
>> The user is not going to have a freaking clue wtf exempting means.
>
> Agreed
>
>> Didn't you guys see the Mac vs Windows ADs on TV?
>
> That came to mind, was kinda scary.
>
>
>> kerneloops does it right, opt in, send somewhere useful, next step if
>> somewhere useful has seen the AVC and we know it's safe, maybe send
>> something back saying continue and ignore, but don't involve the user in
>> the mess other than asking for opt-in.
>
> This may be a good idea. Have the service make a decision to continue
> deny or temporarily allow based on available knowledge from the
> server.
>
> How much private info if any would be in the average AVC?
>
Hostname, filename, potentially username, rpm information. What apps they are running.
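An added example, not part of the thread or of any Fedora tool: one way an opt-in reporter could strip the private fields listed above from an AVC record and send only the tuple a policy server needs to recognise the denial. The sample record, the field list and all function names are constructed for illustration.

```python
import re

# Constructed sample record in the Linux audit AVC format (not from the thread).
SAMPLE_AVC = (
    'node=alice-laptop.example.org type=AVC msg=audit(1216331580.123:456): '
    'avc:  denied  { read write } for  pid=2345 comm="httpd" '
    'path="/home/alice/private/notes.txt" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file'
)

# Assumed list of fields that identify the machine, the user or what they run.
PRIVATE_FIELDS = {"node", "pid", "comm", "exe", "path", "name", "dev", "ino"}

_PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return (decision, sorted permissions, key/value fields) for one AVC line."""
    m = _PERMS.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _FIELD.findall(record)}
    return m.group(1), sorted(m.group(2).split()), fields


def selinux_type(context):
    """Extract the type from user:role:type[:level], dropping the SELinux user."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def minimal_report(record):
    """Keep only what a policy server needs to match a known denial."""
    decision, perms, fields = parse_avc(record)
    return {
        "decision": decision,
        "perms": perms,
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def withheld(record):
    """Names of private fields present in the record that are never sent."""
    return sorted(PRIVATE_FIELDS.intersection(parse_avc(record)[2]))
```

The report is built by allow-listing the policy-relevant values rather than by deleting known-private ones, so a field this example does not know about is dropped by default.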