On Jan 4, 2008 4:30 PM, Jonathan Underwood <jonathan.underwood(a)gmail.com> wrote:
> On 04/01/2008, John Dennis <jdennis(a)redhat.com> wrote:
> > Ed Swierk wrote:
> > > People who already know about SELinux can of course just learn to type
> > > ls -l --lcontext, but showing the extra information by default would
> > > at least give clueless users like me a hint that files have these
> > > extra attributes that might somehow be relevant to those strange
> > > openvpn failures. IMHO this would be the single best usability
> > > improvement to SELinux
> >
> > Re SELinux usability issues:
> >
> > We wrote the setroubleshoot package precisely to help SELinux novice
> > users so they wouldn't suffer with hidden obscure failures of the type
> > which have frustrated you. If it had been installed you would have
> > received notifications in real time on your desktop describing the
> > failure and suggestions on how to fix it.
> The problem is, the notifications don't tell you much more than the
> obscure avc denial in most cases. But there's a bigger problem than
> that. Here's what happens when most people have an avc denial:
> 1) setroubleshoot pops up detailing the denial. The only really
> intelligible part of the information there to the non-expert is
> "please file a report in bugzilla".
I don't know how the GUI version works; maybe you should try the
console version.
> 2) User thinks "oh, must be yet another problem with the selinux
> policy" and files a bug.
Why wouldn't they think "oh, the program I am using and which is being
denied by SELinux might have a bug"?
> 3) Dan or his team fix the problem with the policy extremely
> rapidly.
> New policy packages are installed.
Are you referring to a specific policy?
> 4) Goto 1.
> The problem is: setroubleshoot teaches average users that avc denials
> come about due to bugs in selinux policy.
I get the feeling you're referring to some specific incident(s), as I
have never had an avc denial due to a SELinux bug (as far as I can
remember).
> If there was some massive
> security problem right now on my machine causing avc denials I'd
> probably react by filing a stack of bug reports. This is the
> fundamental problem as it stands with SELinux.
No offence, but you _really_ should check the message before you file
a bug, as it often makes sense. Or has SELinux taken a nose dive in F8
that I don't know about?
> If it was working, we
> would be in a situation where the first response to an avc denial is
> "OMG there's a security issue with something running on my machine, I
> must fix that".
Again, I'm maybe missing information...but that's my first response
when I see an SELinux denial, esp. after it saved me from being rooted
once.
--
Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
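As an added example, not part of the thread above and not from any of its participants: a small Python parser for the audit-log AVC record format that pulls out the fields worth reading before deciding whether a denial is a policy bug, a mislabeled file, or a program doing something it should not (source domain, target label, object class, permission, and the command). The sample log line is constructed for this example; its PID, inode, contexts and filenames are made up and are not from the openvpn failure the thread mentions.

```python
import re

# Constructed sample AVC denial in audit.log format (made up for this
# example; the pid, inode, contexts and filename are not real data).
SAMPLE_AVC = (
    'type=AVC msg=audit(1199464200.123:45): avc:  denied  { read } for  '
    'pid=1234 comm="openvpn" name="client.key" dev=sda1 ino=12345 '
    'scontext=system_u:system_r:openvpn_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

# "avc:  denied  { read write }" -> result and the permission set
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
# key=value pairs; values may be double-quoted (comm, name, path)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record into a dict of its fields.

    Returns None for lines that are not AVC records (e.g. type=SYSCALL).
    """
    if 'type=AVC' not in line:
        return None
    m = _PERMS_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    # Everything after the permission set is key=value pairs.
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Return the type component (user:role:TYPE:level) of a context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def summarize(rec):
    """One-line, human-readable statement of what was denied to whom."""
    return (
        '%s was %s %s on a %s labeled %s (comm=%s, name=%s)' % (
            context_type(rec.get('scontext', '?')),
            rec['result'],
            ', '.join(rec['perms']),
            rec.get('tclass', '?'),
            context_type(rec.get('tcontext', '?')),
            rec.get('comm', '?'),
            rec.get('name', '?'),
        )
    )


def triage_questions(rec):
    """The questions a reader should answer from the record itself.

    This is a checklist for the user, not an automatic verdict: it does
    not decide whether the denial is a policy bug or a real problem.
    """
    src = context_type(rec.get('scontext', '?'))
    tgt = context_type(rec.get('tcontext', '?'))
    return [
        'Is %s really the program you expect to be running as %s?'
        % (rec.get('comm', '?'), src),
        'Should a %s named %s carry the label %s, or has it been '
        'copied or moved from somewhere else (matchpathcon/restorecon)?'
        % (rec.get('tclass', '?'), rec.get('name', '?'), tgt),
        'Does %s legitimately need %s on %s objects at all?'
        % (src, ', '.join(rec['perms']), tgt),
    ]


if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    print(summarize(record))
    for q in triage_questions(record):
        print(' - ' + q)
```

`matchpathcon` and `restorecon` are the standard SELinux tools for checking and restoring a path's expected label; the script only names them in its checklist and does not call them.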