Re: Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jul 18, 2008 at 8:03 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Arthur Pemberton wrote:
>> On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied@xxxxxxxxxx> wrote:
>>> On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
>>>> - Autofix seems like a good idea
>>>> - Perhaps Exempt button should only appear, if AutoFix doesn't work
>>>> (not sure how to detect that)
>>>> - To avoid a system user clicking Exempt, perhaps Exempt should only
>>>> exempt the application only this time. i.e., when the application is
>>>> launched again, it will generate a selinux warning again. That way,
>>>> the user still reports the issue to get it properly fixed, but at the
>>>> time, has the tools to get his work done and his apps running when he
>>>> needs them
>>>>
>>> NO NO NO ... DOING IT WRONG.
>>>
>>> Don't ever ask the user for this kind of info, it would be better to go
>>> ping a remote server and download a newer policy than ask the user.
>>
>> Well I think in his suggested use case, he's assuming a genuine bug in
>> the policy which hasn't yet been fixed.
>>
>>
>>> The user is not going to have a freaking clue wtf exempting means.
>>
>> Agreed
>>
>>> Didn't you guys see the Mac vs Windows ADs on TV?
>>
>> That came to mind, was kinda scary.
>>
>>
>>> kerneloops does it right, opt in, send somewhere useful, next step if
>>> somewhere useful has seen the AVC and we knows its safe, maybe send
>>> something back saying continue and ignore, but don't involve the user in
>>> the mess other than asking for opt-in.
>>
>> This may be a good idea. Have the service make a decision to continue
>> deny on temporarily allow based on available knowledge from the
>> server.
>>
>> How much private info if any would be in the average AVC?
>>
> Hostname, filename, potentially username, rpm information.  What apps
> they are running.

Okay. So definitely can't be an auto service, must be opt-in


-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux