Bug 808389
Summary: | RFE: wizard style interface | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Karel Volný <kvolny> |
Component: | setroubleshoot | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 17 | CC: | dwalsh, mgrepl |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-04-24 19:45:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Karel Volný
2012-03-30 10:24:09 UTC
What we are trying to do is not have the users first action be, report a bug. Since in a lot of cases he just needs to turn on a boolean or fix a label. I think a message at the top telling the User to select the "If" statement that matches his expectations, might be the best way to fix the issue you saw. (In reply to comment #1) > What we are trying to do is not have the users first action be, report a bug. I bet removing the report button completely would have greater effect on discouraging users from reporting bugs ;-) > Since in a lot of cases he just needs to turn on a boolean or fix a label. this really should not be needed in a day-to-day usage, such need indicates a bug - selinux should deny only actions that are illegal, not those that are okay to be allowed as the bug is not necesarily in the selinux/preconfigured policies itself, maybe the default could be reporting for the component that caused the denial, and then switching to selinux only if found that a valid action was denied, but it should be reported and fixed in any case > I think a message at the top telling the User to select the "If" statement that > matches his expectations, might be the best way to fix the issue you saw. whatever that makes it clear(er) what do I need to do before trying to use the buttons on the right would be good ... (In reply to comment #2) > (In reply to comment #1) > > What we are trying to do is not have the users first action be, report a bug. > > I bet removing the report button completely would have greater effect on > discouraging users from reporting bugs ;-) > > > Since in a lot of cases he just needs to turn on a boolean or fix a label. > > this really should not be needed in a day-to-day usage, such need indicates a > bug - selinux should deny only actions that are illegal, not those that are > okay to be allowed Well, I don't agree. Of course, we have man pages, but ... So we try to tell users what they could do if they have a configuration. For example you can use NFS/CIFS, you have a specific configuration for a daemon and so on. And sure we can talk about security/usability but I believe we do a lot for it. > > as the bug is not necesarily in the selinux/preconfigured policies itself, > maybe the default could be reporting for the component that caused the denial, > and then switching to selinux only if found that a valid action was denied, but > it should be reported and fixed in any case > > > I think a message at the top telling the User to select the "If" statement that > > matches his expectations, might be the best way to fix the issue you saw. > > whatever that makes it clear(er) what do I need to do before trying to use the > buttons on the right would be good ... Systems can be setup in a variety ways. Booleans are all about configuring a confined application in a way that is as tight as possible. Apache for example can do just about anything an operating system is allowed to do . But allowing it to read the credit card data out of my homedir, just because it might be setup that ways is not a good idea. Similarly allowing the default apache setup to become a spam bot just because someone might want to setup apache to send mail, is not good security. setroubleshoot is an effort to take a permission denied to an application and try to figure out the best solution for the problem. Getting permission denied on DAC/Ownership/Permissions does not have any such app. But admins understand what is going on here, but no so much when SELinux denies access. |