Bug 599145 - Add GUI button to "Add Exception" to SELinux policy when something is detected
Summary: Add GUI button to "Add Exception" to SELinux policy when something is detected
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-06-02 18:26 UTC by Mike Putnam
Modified: 2010-06-02 19:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-02 18:42:47 UTC
Type: ---
Embargoed:



Description Mike Putnam 2010-06-02 18:26:11 UTC
Description of problem:
Upon SELinux detecting an issue, it would be handy to be able to add an exception for that behavior directly from the gui component that pops up and notifies.

Version-Release number of selected component (if applicable):
Whatever vanilla F12 is running.

How reproducible:
N/A

Steps to Reproduce:
N/A
  
Actual results:
N/A

Expected results:
N/A

Additional info:
N/A

Comment 1 Daniel Walsh 2010-06-02 18:42:47 UTC
You want a button that says allow this activity.  Machine gets hacked, user gets avc notification, user presses button that says allow.

No.

Comment 2 Mike Putnam 2010-06-02 18:57:55 UTC
Not even if the user were prompted to also provide root credentials before taking the action?  This does not seem different than editing the policy files directly to allow the same exception.

Comment 3 Daniel Walsh 2010-06-02 19:19:44 UTC
In most cases you should not be writing your own policy. You should be reading the description and setting a boolean or fixing the label.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

This talk shows that there are four reasons for SELinux to give you an error.  These go down in probability quite quickly.

1 Labeling Problem (restorecon/semanage fcontext)
2 Setup Problem.  (setsebool/semanage command)
3 Bug in policy (yum update/audit2allow)
4 You have been cracked

If the gui defaults to #3 we are going to make the chance of preventing #4 quite bad.
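As an added example (not code from this bug report or from the selinux-policy project), a small Python triage helper that parses a constructed AVC denial record and lists the checks in the order Comment 3 ranks them, so that audit2allow only comes up after labels and booleans have been ruled out. The sample record, the function names and the command choices are assumptions of this example.

```python
import re

# Constructed sample AVC record for this example (not from the bug report):
# httpd was denied read on a web file that carries a home-directory label.
SAMPLE_AVC = (
    'type=AVC msg=audit(1275502000.123:456): avc:  denied  { read } for  pid=1234 '
    'comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file'
)

_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_FILE_CLASSES = {'file', 'dir', 'lnk_file', 'sock_file', 'fifo_file', 'chr_file', 'blk_file'}

def parse_avc(line):
    """Pull the triage-relevant fields out of one AVC record; None if it is not a denial."""
    m = _DENIED_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return {
        'perms': m.group('perms').split(),
        'source_type': kv['scontext'].split(':')[2],  # e.g. httpd_t
        'target_type': kv['tcontext'].split(':')[2],  # e.g. user_home_t
        'tclass': kv['tclass'],
        'comm': kv.get('comm'),
        'path': kv.get('path') or kv.get('name'),
    }

def triage_steps(avc):
    """Checks in the order Comment 3 ranks them: most likely and least risky first."""
    steps = []
    if avc['tclass'] in _FILE_CLASSES and avc['path']:
        p = avc['path']  # labeling problem: compare the actual label with the policy default
        steps.append(('1 labeling', [f'ls -Z {p}', f'matchpathcon {p}', f'restorecon -v {p}']))
    else:
        steps.append(('1 labeling', ['semanage fcontext -l  # compare against ls -Z of the object']))
    # setup problem: a boolean for the source domain may simply be off
    domain = avc['source_type'][:-2] if avc['source_type'].endswith('_t') else avc['source_type']
    steps.append(('2 setup/boolean', [f'getsebool -a | grep {domain}', 'semanage boolean -l']))
    # policy bug: update first; audit2allow -w only explains the denial, it adds nothing
    steps.append(('3 policy bug', ['yum update selinux-policy', 'audit2allow -w -a']))
    # the remaining case is the one a blanket "allow" button would hide
    steps.append(('4 possible compromise', ['do not add an allow rule; investigate the process and host']))
    return steps

if __name__ == '__main__':
    for name, cmds in triage_steps(parse_avc(SAMPLE_AVC)):
        print(name, '->', '; '.join(cmds))
```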

