Re: Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 22, 2008 at 9:15 AM, Gilboa Davara <gilboad@xxxxxxxxx> wrote:
>
> On Thu, 2008-07-17 at 17:03 -0400, Casey Dahlin wrote:
>> Ahmed Kamal wrote:
>> > another idea, is when a denial occurs, and we get this nice balloon,
>> > it would contain 2 buttons
>> > - AutoFix: automatically attempts changing the offending file's
>> > context, as per the recommended action
>> >
>>
>> This is a sharp edge for users to cut themselves on. It would be nice if
>> we would detect when the error was a result of inconsistencies though
>> (such as the file label not matching policy).
>>
>> IMHO, we should be able to do the following:
>>
>> - We should have exempt, which ignores the denial for now. It also flags
>> the issue upstream. Denial messages for the exempt process are then
>> rerouted to a safe place.
>> - Whenever policy-kit is updated, the exemptions are reevaluated and
>> removed if they should be addressed.
>> - We should come up with some secure way of quickly propagating
>> information about known selinux issues, so that denial warnings can be
>> suppressed until a fix is available
>> - There should be more graphical tools for manipulating policy itself.
>> The user should be able to see a list of local policy exceptions they
>> have made.
>>
>> --CJD
>>
>
> Couldn't exempt be (ab)used to an attacker if/when it becomes common
> knowledge?

Through social engineering, yes. That's why it's a terrible solution,
but I'm not sure there is any good way around it.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux