allowing programs to open ports

Bastien Nocera bnocera at redhat.com
Tue Jan 6 10:24:43 UTC 2015



----- Original Message -----
> On 5.1.2015 15:57, Bastien Nocera wrote:
> > ----- Original Message -----
> >> Björn Persson wrote:
> >>> I bet! I worry that the questions would quickly become annoying. But if
> >>> ports are going to be blocked by default, then there needs to be some
> >>> way for non-sysadmin users to open them.
> >>
> >> No, why? The ports just need to be closed, period. Non-sysadmin users
> >> shouldn't be allowed to open any ports.
> > 
> > Which leads to users being frustrated at the default firewall, which leads to
> > them throwing in the towel and disabling the firewall altogether, leading to
> > worse security.
> 
> Many people claim this. AFAIK nobody posted a link to an article/any hard data
> about this. (I'm not saying that this statement is not correct, I'm saying
> that I don't have reason to believe it without hard data.)

I don't claim to have hard data on this; this is the result of discussions with
my co-workers, Fedora developers that use GNOME, and Fedora users. Evidence of
this is always going to be circumstantial but when I hear of other GNOME developers
that end up using GNOME on Ubuntu with all the problems it brings rather than
deal with SELinux or Fedora's firewall, alarm bells start ringing.

> IMHO the solution to this problem is what Stephen Gallagher proposed in another
> part of this thread:
> > I'd argue that something similar to the SELinux Troubleshooter would be
> > a useful solution here, if interfaces could be added to support it.

The SELinux Troubleshooter is a positively awful UI for anyone that didn't go
read SELinux introductory articles. It's also a bug reporting tool, not an
authorisation request as a (bad) firewall UI would need to be.

