From the point of view of security usability, this is a cardinal sin:
http://file.status.net/identica/tieguy-20091208T063036-ngc2rhp.png
If we start the warning message with "SELinux has detected suspicious behaviour on your system" and end it with "You can safely ignore this avc," then we are doing everyone a nasty disservice. Please, let's fix it as soon as possible. I understand the need for SELinux to log things purely for auditing purposes, but the user must NOT see those alerts, or we'll condition everyone to just dismiss them.
I'm fairly certain this is a bug, but I've not yet bz'd it, as I wanted to make sure that this is not "intended behaviour."
Regards,
2009/12/8 Konstantin Ryabitsev icon@fedoraproject.org:
> From the point of view of security usability, this is a cardinal sin:
> http://file.status.net/identica/tieguy-20091208T063036-ngc2rhp.png
> If we start the warning message with "SELinux has detected suspicious behaviour on your system" and end it with "You can safely ignore this avc," then we are doing everyone a nasty disservice. Please, let's fix it as soon as possible. I understand the need for SELinux to log things purely for auditing purposes, but the user must NOT see those alerts, or we'll condition everyone to just dismiss them.
> I'm fairly certain this is a bug, but I've not yet bz'd it, as I wanted to make sure that this is not "intended behaviour."
If it is then it is proof of insanity. I shy away from any "Yet Another SELinux Rant" type stuff but this is plain ridiculous. I had Gnome-terminal up this morning and was shelled into a remote box. That's it. Then I got a warning of the above - something to do with bash and prelink. Couldn't care less really.
The end result is me disabling SELinux on my box. Sorry, I don't have time or inclination to file a bug on this constant irritant ever since it was introduced as nobody seems to take notice. Instead I'm asked to:
# chcon_text_rel_slib insert_irritating_long_option_here add_some_random_characters_for_good_measure_}{)(&)(*^&^$%$"1
or something. SELinux was quite good on F11 and F12. Now it would seem it is starting to regress again.
</rant>