On Thu, 2008-07-17 at 17:03 -0400, Casey Dahlin wrote:
> Ahmed Kamal wrote:
> > another idea, is when a denial occurs, and we get this nice balloon,
> > it would contain 2 buttons
> > - AutoFix: automatically attempts changing the offending file's
> > context, as per the recommended action
> >
>
> This is a sharp edge for users to cut themselves on. It would be nice if
> we would detect when the error was a result of inconsistencies though
> (such as the file label not matching policy).
>
> IMHO, we should be able to do the following:
>
> - We should have exempt, which ignores the denial for now. It also flags
> the issue upstream. Denial messages for the exempt process are then
> rerouted to a safe place.
> - Whenever policy-kit is updated, the exemptions are reevaluated and
> removed if they should be addressed.
> - We should come up with some secure way of quickly propagating
> information about known selinux issues, so that denial warnings can be
> suppressed until a fix is available
> - There should be more graphical tools for manipulating policy itself.
> The user should be able to see a list of local policy exceptions they
> have made.
>
> --CJD
>

Couldn't exempt be (ab)used by an attacker if/when it becomes common knowledge?

- Gilboa

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
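An added example, not code from the thread or from any Fedora or setroubleshoot component, sketching the two mechanisms Casey describes: telling a denial caused by a mislabelled file (the case where an AutoFix/relabel is safe) apart from a denial that policy genuinely intends, and an exemption ledger whose entries are re-evaluated and dropped when the policy version changes. The `FILE_CONTEXTS` table, the AVC lines and the policy version strings are constructed; the path matching is a simplification of real file_contexts semantics, and a real tool would consult libselinux and the audit log instead.

```python
"""Triage SELinux AVC denials: label mismatch vs. real policy denial,
plus an exemption ledger that expires when policy changes.

Added example for the thread above; nothing here is from the project.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for file_contexts: (path regex, expected file type).
# Real file_contexts picks the most specific match; here the list is ordered
# most-specific-first and the first match wins (a deliberate simplification).
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
    (r"/etc(/.*)?", "etc_t"),
]

# Fields we need from an AVC record; 'path=' is optional because the kernel
# only includes it when the audit subsystem has it available.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\S+)(?:.*?path=\"(?P<path>[^\"]*)\")?"
)

# Constructed sample audit lines (not from a real system).
SAMPLE_AVC = [
    # httpd reading a web file that still carries a home-directory label
    'type=AVC msg=audit(1216328580.123:45): avc:  denied  { read } for  pid=2101 comm="httpd" '
    'name="index.html" dev=sda2 ino=41213 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file path="/var/www/html/index.html"',
    # httpd reading a correctly labelled config file that policy does not allow it to read
    'type=AVC msg=audit(1216328581.456:46): avc:  denied  { read } for  pid=2101 comm="httpd" '
    'name="sshd_config" dev=sda2 ino=1201 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file path="/etc/ssh/sshd_config"',
]


@dataclass
class Denial:
    perms: List[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    path: Optional[str]


def parse_avc(line: str) -> Optional[Denial]:
    """Extract the fields of one AVC denial; None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(perms=m["perms"].split(), comm=m["comm"], scontext=m["scontext"],
                  tcontext=m["tcontext"], tclass=m["tclass"], path=m["path"])


def expected_type(path: str) -> Optional[str]:
    """Type that the (constructed) file_contexts table says this path should carry."""
    for pattern, typ in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            return typ
    return None


def classify(denial: Denial) -> str:
    """'mislabel': on-disk type differs from file_contexts, so a relabel (restorecon) is
    the right fix. 'policy': label is what policy expects, so the denial is intended and
    needs human review, not an automatic fix. 'unknown': not enough information."""
    if denial.path is None:
        return "unknown"
    want = expected_type(denial.path)
    if want is None:
        return "unknown"
    have = denial.tcontext.split(":")[2]  # user:role:TYPE:level
    return "mislabel" if want != have else "policy"


@dataclass
class Exemption:
    scontext: str
    tcontext: str
    tclass: str
    policy_version: str  # the policy under which the user granted the exemption


class ExemptionLedger:
    """Local exceptions the user has made, keyed narrowly and tied to a policy version."""

    def __init__(self, policy_version: str):
        self.policy_version = policy_version
        self.entries: List[Exemption] = []
        self.rerouted: List[Denial] = []  # suppressed denials kept for later review

    def exempt(self, d: Denial) -> None:
        self.entries.append(Exemption(d.scontext, d.tcontext, d.tclass, self.policy_version))

    def is_exempt(self, d: Denial) -> bool:
        return any(e.scontext == d.scontext and e.tcontext == d.tcontext and e.tclass == d.tclass
                   for e in self.entries)

    def handle(self, d: Denial) -> str:
        """Return 'suppressed' (denial rerouted, no balloon) or 'notify'."""
        if self.is_exempt(d):
            self.rerouted.append(d)
            return "suppressed"
        return "notify"

    def policy_updated(self, new_version: str) -> int:
        """Policy changed: drop every exemption granted under the old policy so the
        denial is re-evaluated. Returns the number of exemptions dropped."""
        keep = [e for e in self.entries if e.policy_version == new_version]
        dropped = len(self.entries) - len(keep)
        self.entries, self.policy_version = keep, new_version
        return dropped
```

Two design choices here bear on Gilboa's question: an exemption covers only one (source context, target context, class) triple rather than the whole process, and a suppressed denial is still recorded in `ledger.rerouted` instead of being discarded, so the audit trail survives even when the balloon does not.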