On Fri, Jul 18, 2008 at 8:03 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Arthur Pemberton wrote: >> On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied@xxxxxxxxxx> wrote: >>> On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote: >>>> - Autofix seems like a good idea >>>> - Perhaps Exempt button should only appear, if AutoFix doesn't work >>>> (not sure how to detect that) >>>> - To avoid a system user clicking Exempt, perhaps Exempt should only >>>> exempt the application only this time. i.e., when the application is >>>> launched again, it will generate a selinux warning again. That way, >>>> the user still reports the issue to get it properly fixed, but at the >>>> time, has the tools to get his work done and his apps running when he >>>> needs them >>>> >>> NO NO NO ... DOING IT WRONG. >>> >>> Don't ever ask the user for this kind of info, it would be better to go >>> ping a remote server and download a newer policy than ask the user. >> >> Well I think in his suggested use case, he's assuming a genuine bug in >> the policy which hasn't yet been fixed. >> >> >>> The user is not going to have a freaking clue wtf exempting means. >> >> Agreed >> >>> Didn't you guys see the Mac vs Windows ADs on TV? >> >> That came to mind, was kinda scary. >> >> >>> kerneloops does it right, opt in, send somewhere useful, next step if >>> somewhere useful has seen the AVC and we knows its safe, maybe send >>> something back saying continue and ignore, but don't involve the user in >>> the mess other than asking for opt-in. >> >> This may be a good idea. Have the service make a decision to continue >> deny on temporarily allow based on available knowledge from the >> server. >> >> How much private info if any would be in the average AVC? >> > Hostname, filename, potentially username, rpm information. What apps > they are running. Okay. So definitely can't be an auto service, must be opt-in -- Fedora 7 : sipping some of that moonshine ( www.pembo13.com ) -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
