Red Hat Bugzilla – Bug 599145
Add GUI button to "Add Exception" to SELinux policy when something is detected
Last modified: 2010-06-02 15:19:44 EDT
Description of problem:
Upon SELinux detecting an issue, it would be handy to be able to add an exception for that behavior directly from the gui component that pops up and notifies.
Version-Release number of selected component (if applicable):
Whatever vanilla F12 is running.
Steps to Reproduce:
You want a button that says allow this activity. Machine gets hacked, user gets avc notification, user presses button that says allow.
Not even if the user were prompted to also provide root credentials before taking the action? This does not seem different than editing the policy files directly to allow the same exception.
In most cases you should not be writing your own policy; you should be reading the description and setting a boolean or fixing the label.
This talk shows that there are four reasons for SELinux to give you an error. These go down in probability quite quickly.
1. Labeling problem (restorecon / semanage fcontext)
2. Setup problem (setsebool / semanage)
3. Bug in policy (yum update / audit2allow)
4. You have been cracked
If the gui defaults to #3 we are going to make the chance of preventing #4 quite bad.
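The triage order in the comment above, worked into a small POSIX shell script. This is an added example and is not part of the bug report or of any setroubleshoot code; the AVC record it parses is constructed for illustration, and the label and boolean checks only run when the SELinux tools (matchpathcon, getsebool) are present on the machine.

```shell
#!/bin/sh
# Added example (not from the bug report): walk one AVC denial through the
# four causes in descending order of likelihood before generating any policy.
# The AVC line below is constructed for illustration.

AVC_SAMPLE='type=AVC msg=audit(1275427200.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=value in an AVC record, quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_permission LINE -> the permission set inside { ... }
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# type_of CONTEXT -> the type component (third colon-separated field)
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage_order -> the four causes, most to least likely, as the comment lists them
triage_order() {
    printf '%s\n' labeling setup policy-bug compromise
}

# triage_avc LINE -> print a checklist for one denial; real checks run only if tools exist
triage_avc() {
    line=$1
    src=$(type_of "$(avc_field "$line" scontext)")
    tgt=$(type_of "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perm=$(avc_permission "$line")
    name=$(avc_field "$line" name)
    echo "denial: $src -> $tgt ($cls { $perm })"
    echo "1. labeling: compare the label on '$name' with what policy expects (restorecon -v fixes a mismatch)"
    command -v matchpathcon >/dev/null 2>&1 && matchpathcon "$name" || true
    echo "2. setup: look for a boolean that already covers ${src} access to ${tgt}"
    command -v getsebool >/dev/null 2>&1 && getsebool -a | grep "${src%_t}" || true
    echo "3. policy bug: update policy first; only then consider a local module from audit2allow"
    echo "4. compromise: if 1-3 do not explain the denial, treat it as a possible intrusion, not as noise"
}

triage_avc "$AVC_SAMPLE"
```

Allowing the denial from a notification button skips straight to step 3; the script exists to make the two cheaper and more likely explanations visible first.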