Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Daniel J Walsh dwalsh at redhat.com
Fri Jul 18 12:56:21 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Airlie wrote:
> On Thu, 2008-07-17 at 18:15 -0500, Arthur Pemberton wrote:
>> On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied at redhat.com> wrote:
>>> Even so, don't let the user know, clearly they won't do the right thing,
>>> and you end up training them with the wrong behaviour. stop thinking of
>>> the user being someone who knows or cares what a policy/selinux or an
>>> exemption is.
>> While I agree with your statement as is, it is my unverified suspicion
>> that 'fedora user' is significantly different from 'user'.
>>
>> Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think
>> we may be able to expect a bit more from the average Fedora user...
>>
>> which leads me to another idea. Would probably be great if we could
>> have all AVCs copied easily to a central machine for those who use
>> Fedora in enterprise type environments.
> 
> You know you just contradicted yourself :)
> 
> If we want Fedora and by inheritance RHEL/CentOS to be useable on
> enterprise desktops or even consumer desktops we cannot assume we know
> what a "Fedora user" is. So we shouldn't be basing any decisions on the
> fact we might think a Fedora user is inherently smarter than an Ubuntu
> user.
> 
> 
>> - Emplyee A does something acceptable, encounters and AVC
>> - AVC reported to sysadmin
>> - Auto fix attempts fail
>> - request denied
>> - sysadmin reviews, decided to allow all such AVCs
>>
>> then
>>
>> - Emplyee A does same acceptable thing, encounters and AVC
>> - AVC reported to sysadmin
>> - activity found whitelisted
>> - auto fix tool allows
> 
> For Enterprise desktops and RHEL something like that is what I would
> rather see. For non sysadmin maintained desktop, a community AVC dump
> with some responsible person who can allow/disallow things.
> 
> Eventually the policy would be updated of course and rolled out.
> 
> Dave.
> 
Managed desktops in RHEL/Centos should not even be running sealert these
messages should be going to a centralized location for the sysadm to
monitor.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkiAkvUACgkQrlYvE4MpobOk9ACbBKW5Ixynklr6RYSiYmQbgpb2
bt4An3+Javb+yz3D5prGRQK+3EuSrv18
=kJIc
-----END PGP SIGNATURE-----

More information about the devel mailing list