Bug 599145
Summary: | Add GUI button to "Add Exception" to SELinux policy when something is detected | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Mike Putnam <mike> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | rawhide | CC: | dwalsh, mgrepl |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2010-06-02 18:42:47 UTC | Type: | --- |
Description
Mike Putnam
2010-06-02 18:26:11 UTC
You want a button that says allow this activity. Machine gets hacked, user gets avc notification, user presses button that says allow. No.

Not even if the user were prompted to also provide root credentials before taking the action? This does not seem different than editing the policy files directly to allow the same exception.

Most cases you should not be writing your own policy. You should be reading the description and setting a boolean or fixing the label.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

This talk shows that there are four reasons for SELinux to give you an error. These go down in probability quite quickly.

1. Labeling Problem (restorecon/semanage fcontext)
2. Setup Problem. (setsebool/semanage command)
3. Bug in policy (yum update/audit2allow)
4. You have been cracked

If the gui defaults to #3 we are going to make the chance of preventing #4 quite bad.
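The triage order from the last comment, as an added example that is not part of the bug report or of any SELinux tool: it parses AVC denials, merges repeats, and lists the checks in that order using report-only commands (`restorecon -n` changes nothing). The log records are constructed, and the helper names `parse_avc`, `unique_denials` and `triage_plan` are hypothetical.

```python
import re
import shlex

# Constructed sample audit.log records (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1275503171.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" path="/srv/www/index.html" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1275503171.105:42): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/srv/www/index.html" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1275503171.105:42): arch=c000003e syscall=4 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(t.split("=", 1) for t in shlex.split(m.group(2)) if "=" in t)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = set(m.group(1).split())
    # A context is user:role:type:level; the type is what policy rules match on.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields

def unique_denials(log_text):
    """Merge repeated denials so each (source, target, class) is reviewed once."""
    merged = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        merged.setdefault(key, d)["perms"] |= d["perms"]
    return list(merged.values())

def triage_plan(denial):
    """Checks in the order the comment lists them; audit2allow comes last."""
    path = shlex.quote(denial.get("path", "<path>"))
    comm = shlex.quote(denial.get("comm", "<comm>"))
    return [
        ("1 labeling problem", f"restorecon -nv {path}"),
        ("2 setup problem", f"ausearch -m avc -c {comm} | audit2why"),
        ("3 bug in policy", "yum update selinux-policy; only then consider audit2allow"),
        ("4 you have been cracked", "none of the above fits: investigate, allow nothing"),
    ]
```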