On Jan 4, 2008 4:30 PM, Jonathan Underwood jonathan.underwood@gmail.com wrote:
> On 04/01/2008, John Dennis jdennis@redhat.com wrote:
> > Ed Swierk wrote:
> > > People who already know about SELinux can of course just learn to type ls -l --lcontext, but showing the extra information by default would at least give clueless users like me a hint that files have these extra attributes that might somehow be relevant to those strange openvpn failures. IMHO this would be the single best usability improvement to SELinux.
> >
> > Re SELinux usability issues:
> >
> > We wrote the setroubleshoot package precisely to help SELinux novice users so they wouldn't suffer with hidden obscure failures of the type which have frustrated you. If it had been installed you would have received notifications in real time on your desktop describing the failure and suggestions on how to fix it.
>
> The problem is, the notifications don't tell you much more than the obscure avc denial in most cases. But there's a bigger problem than that. Here's what happens when most people have an avc denial:
>
> - setroubleshoot pops up detailing the denial. The only really intelligible part of the information there to the non-expert is "please file a report in bugzilla".

I don't know how the GUI version works, maybe you should try the console version.

> - User thinks "oh, must be yet another problem with the selinux policy" and files a bug.

Why wouldn't they think "oh the program I am using and which is being denied by SELinux might have a bug"?

> - Dan or his team fix the problem with the policy extremely rapidly. New policy packages are installed.

Are you referring to a specific policy?

> - Goto 1.
>
> The problem is: setroubleshoot teaches average users that avc denials come about due to bugs in selinux policy.

I get the feeling you're referring to some specific incident(s), as I have never had an avc denial due to a SELinux bug (as far as I can remember).

> If there was some massive security problem right now on my machine causing avc denials I'd probably react by filing a stack of bug reports. This is the fundamental problem as it stands with SELinux.

No offence, but you _really_ should check the message before you file a bug, as it often makes sense. Or has SELinux taken a nose dive in F8 that I don't know about?

> If it was working, we would be in a situation where the first response to an avc denial is "OMG there's a security issue with something running on my machine, I must fix that".

Again, I'm maybe missing information... but that's my first response when I see an SELinux denial, esp. after it saved me from being rooted once.
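The reply above urges reading the denial message before filing a bug. As an added example (not part of this thread), the script below pulls the who/what/on-what out of AVC records in the standard audit.log format and tallies them by source domain, target type, class and permission; the openvpn denials it parses are constructed sample lines, not records from the thread.

```python
import re
from collections import Counter

# Constructed sample audit records (AVC denial format); not taken from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199468400.123:456): avc:  denied  { read } for  pid=2345 comm="openvpn" name="client.key" dev=sda3 ino=12345 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1199468400.456:457): avc:  denied  { read open } for  pid=2345 comm="openvpn" name="ca.crt" dev=sda3 ino=12346 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1199468400.456:457): arch=c000003e syscall=2 success=no exit=-13
"""

# "avc:  denied  { read open } for  key=value ..." -> verdict, permission set, trailing fields
AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be double-quoted (comm, name)

def parse_avc(line):
    """Return a dict of fields for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['verdict'] = m.group('verdict')
    fields['perms'] = m.group('perms').split()
    return fields

def type_of(context):
    """Type component of an SELinux context user:role:type[:range]."""
    return context.split(':')[2]

def describe(rec):
    """One readable sentence: which domain was denied which access on which labelled object."""
    return 'process %s (domain %s) was %s %s on %s "%s" labelled %s' % (
        rec.get('comm', '?'), type_of(rec['scontext']), rec['verdict'],
        '/'.join(rec['perms']), rec.get('tclass', '?'),
        rec.get('name', rec.get('path', '?')), type_of(rec['tcontext']))

def summarize(log_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        for perm in rec['perms']:
            counts[(type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'], perm)] += 1
    return counts

if __name__ == '__main__':
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        if rec:
            print(describe(rec))
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(n, key)
```

A denial where a confined daemon's domain is refused access to a file carrying a generic home-directory type, as in the sample, is usually a labelling question to check with ls -Z before it is a policy bug.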