Bug 599145 - Add GUI button to "Add Exception" to SELinux policy when something is detected
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
rawhide
All Linux
low Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2010-06-02 14:26 EDT by Mike Putnam
Modified: 2010-06-02 15:19 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-02 14:42:47 EDT
Description Mike Putnam 2010-06-02 14:26:11 EDT
Description of problem:
Upon SELinux detecting an issue, it would be handy to be able to add an exception for that behavior directly from the gui component that pops up and notifies.

Version-Release number of selected component (if applicable):
Whatever vanilla F12 is running.

How reproducible:
N/A

Steps to Reproduce:
N/A
  
Actual results:
N/A

Expected results:
N/A

Additional info:
N/A
Comment 1 Daniel Walsh 2010-06-02 14:42:47 EDT
You want a button that says allow this activity.  Machine gets hacked, user gets avc notification, user presses button that says allow.

No.
Comment 2 Mike Putnam 2010-06-02 14:57:55 EDT
Not even if the user were prompted to also provide root credentials before taking the action?  This does not seem different than editing the policy files directly to allow the same exception.
Comment 3 Daniel Walsh 2010-06-02 15:19:44 EDT
In most cases you should not be writing your own policy. You should be reading the description and setting a boolean or fixing the label.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

This talk shows that there are four reasons for SELinux to give you an error.  These go down in probability quite quickly.

1. Labeling Problem (restorecon/semanage fcontext)
2. Setup Problem (setsebool/semanage command)
3. Bug in policy (yum update/audit2allow)
4. You have been cracked

If the gui defaults to #3 we are going to make the chance of preventing #4 quite bad.
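
The triage order from Comment 3, written out as an added example that is not part of the original bug report or of any Fedora tool: it parses AVC denial lines and checks the causes in the listed order, with no path that ends in an automatic allow. The sample denials, the `GENERIC_TYPES` set and the one-entry `BOOLEAN_HINTS` table are constructed assumptions.

```python
import re

# Assumption: target types that usually mean a file never got a proper label.
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}
# Assumption: one-entry constructed table; on a real host the denial
# description or audit2why names the boolean that applies.
BOOLEAN_HINTS = {("httpd_t", "tcp_socket", "name_connect"): "httpd_can_network_connect"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)\S*\s+tclass=(?P<tclass>\S+)")
PATH_RE = re.compile(r'\b(?:path|name)="?(?P<path>[^"\s]+)')

# Constructed sample denials (not taken from the bug report).
CTX = "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:"
SAMPLES = [
    'type=AVC msg=audit(1275503171.101:41): avc:  denied  { read } for  pid=1201 '
    'comm="httpd" path="/data/site/index.html" dev=sda1 ino=77 ' + CTX + 'default_t:s0 tclass=file',
    'type=AVC msg=audit(1275503172.202:42): avc:  denied  { name_connect } for  pid=1201 '
    'comm="httpd" dest=5432 ' + CTX + 'postgresql_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1275503173.303:43): avc:  denied  { read open } for  pid=1201 '
    'comm="httpd" name="shadow" dev=sda1 ino=99 ' + CTX + 'shadow_t:s0 tclass=file',
]

def parse_avc(line):
    """Split one AVC denial into permissions, source/target types, class and path."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    p = PATH_RE.search(line)
    rec["path"] = p.group("path") if p else None
    return rec

def triage(line):
    """Check the four causes in order; the fallback is review, never allow."""
    rec = parse_avc(line)
    if rec is None:
        return ("unparsed", "not an AVC denial")
    if rec["ttype"] in GENERIC_TYPES:  # cause 1: labeling problem
        return ("labeling", "restorecon -v %s, or semanage fcontext" % (rec["path"] or "<path>"))
    for perm in rec["perms"]:  # cause 2: setup problem
        boolean = BOOLEAN_HINTS.get((rec["stype"], rec["tclass"], perm))
        if boolean:
            return ("setup", "setsebool -P %s 1" % boolean)
    # Causes 3 and 4 look the same in the log, so a person must decide.
    return ("investigate", "policy bug or compromise; review before audit2allow")
```

The third sample (a web server reading `shadow_t`) is the case the comment warns about: it has no labeling or boolean explanation, so it is routed to review rather than to `audit2allow`.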
