Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Arthur Pemberton pemboa at gmail.com
Thu Jul 17 19:19:07 UTC 2008


On Thu, Jul 17, 2008 at 2:17 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Stewart Adam wrote:
>> Hi,
>>
>> After the recent SELinux discussion (and the several ones before it),
>> it's pretty clear that users are having problems with SELinux but at the
>> same time SELinux is an important aspect to system security so it isn't
>> going anywhere. Instead of asking to turn SELinux off, let's work
>> towards making SELinux "just work" since that will provide the good user
>> experience and the extra security.
>>
>> I was thinking of ways that Fedora could improve user <--> SELinux
>> interaction, and I thought that creating a kerneloops-like plugin for
>> setroubleshoot would be a good way to collect data about denials.
>> Similar to kerneloops, this would allow for statistics on where denials
>> occur most and that way the policy can be modified accordingly.
>> Ultimately, this leads to a better user experience with Fedora. I took a
>> quick look at the setroubleshoot plugin system and it shouldn't be too
>> hard to get this started but some extra help would be great.
>>
>> Beyond this it would probably be good to rework the interface of
>> system-config-selinux tool to make it easier to use for the average
>> user. Sure, editing /etc/sysconfig/selinux is easy but the average user
>> doesn't know how and shouldn't have to spend an hour trying to figure it
>> out, especially if this is their first time using Linux.
>>
>> Feedback, ideas and comments are welcome. I'd like to know what you
>> think before starting any work on any of this.
>>
>> Stewart
>>
>
> John Dennis designed setroubleshoot to be able to send its messages to
> an upstream collector, it seems to me that adding a button to report the
> message upstream would be easy.  The problem is where is the upstream
> infrastructure to handle all the messages.
>
> dwalsh at redhat.com is probably not a good place.


I would think not. Does the infrastructure team have any web service
of sorts that can accept these log messages?


-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )



