Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux
Dave Airlie
airlied at redhat.com
Thu Jul 17 23:21:47 UTC 2008
On Thu, 2008-07-17 at 18:15 -0500, Arthur Pemberton wrote:
> On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied at redhat.com> wrote:
> > Even so, don't let the user know, clearly they won't do the right thing,
> > and you end up training them with the wrong behaviour. stop thinking of
> > the user being someone who knows or cares what a policy/selinux or an
> > exemption is.
>
> While I agree with your statement as is, it is my unverified suspicion
> that 'fedora user' is significantly different from 'user'.
>
> Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think
> we may be able to expect a bit more from the average Fedora user...
>
> which leads me to another idea. Would probably be great if we could
> have all AVCs copied easily to a central machine for those who use
> Fedora in enterprise type environments.
You know you just contradicted yourself :)
If we want Fedora and by inheritance RHEL/CentOS to be useable on
enterprise desktops or even consumer desktops we cannot assume we know
what a "Fedora user" is. So we shouldn't be basing any decisions on the
fact we might think a Fedora user is inherently smarter than an Ubuntu
user.
>
> - Emplyee A does something acceptable, encounters and AVC
> - AVC reported to sysadmin
> - Auto fix attempts fail
> - request denied
> - sysadmin reviews, decided to allow all such AVCs
>
> then
>
> - Emplyee A does same acceptable thing, encounters and AVC
> - AVC reported to sysadmin
> - activity found whitelisted
> - auto fix tool allows
For Enterprise desktops and RHEL something like that is what I would
rather see. For non sysadmin maintained desktop, a community AVC dump
with some responsible person who can allow/disallow things.
Eventually the policy would be updated of course and rolled out.
Dave.
More information about the devel
mailing list