On Tue, Jul 22, 2008 at 9:15 AM, Gilboa Davara <gilboad@xxxxxxxxx> wrote: > > On Thu, 2008-07-17 at 17:03 -0400, Casey Dahlin wrote: >> Ahmed Kamal wrote: >> > another idea, is when a denial occurs, and we get this nice balloon, >> > it would contain 2 buttons >> > - AutoFix: automatically attempts changing the offending file's >> > context, as per the recommended action >> > >> >> This is a sharp edge for users to cut themselves on. It would be nice if >> we would detect when the error was a result of inconsistencies though >> (such as the file label not matching policy). >> >> IMHO, we should be able to do the following: >> >> - We should have exempt, which ignores the denial for now. It also flags >> the issue upstream. Denial messages for the exempt process are then >> rerouted to a safe place. >> - Whenever policy-kit is updated, the exemptions are reevaluated and >> removed if they should be addressed. >> - We should come up with some secure way of quickly propagating >> information about known selinux issues, so that denial warnings can be >> suppressed until a fix is available >> - There should be more graphical tools for manipulating policy itself. >> The user should be able to see a list of local policy exceptions they >> have made. >> >> --CJD >> > > Couldn't exempt be (ab)used to an attacker if/when it becomes common > knowledge? Through social engineering, yes. That's why it's a terrible solution, but I'm not sure there is any good way around it. -- Fedora 7 : sipping some of that moonshine ( www.pembo13.com ) -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
