Old 07-17-2008, 05:42 PM
Stewart Adam
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Hi,

After the recent SELinux discussion (and the several ones before it),
it's pretty clear that users are having problems with SELinux but at the
same time SELinux is an important aspect to system security so it isn't
going anywhere. Instead of asking to turn SELinux off, let's work
towards making SELinux "just work" since that will provide the good user
experience and the extra security.

I was thinking of ways that Fedora could improve user <--> SELinux
interaction, and I thought that creating a kerneloops-like plugin for
setroubleshoot would be a good way to collect data about denials.
Similar to kerneloops, this would allow for statistics on where denials
occur most and that way the policy can be modified accordingly.
Ultimately, this leads to a better user experience with Fedora. I took a
quick look at the setroubleshoot plugin system and it shouldn't be too
hard to get this started, but some extra help would be great.

Beyond this it would probably be good to rework the interface of
system-config-selinux tool to make it easier to use for the average
user. Sure, editing /etc/sysconfig/selinux is easy but the average user
doesn't know how and shouldn't have to spend an hour trying to figure it
out, especially if this is their first time using Linux.

Feedback, ideas and comments are welcome. I'd like to know what you
think before starting any work on any of this.

Stewart

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 07-17-2008, 05:47 PM
"Tom "spot" Callaway"
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

On Thu, 2008-07-17 at 13:42 -0400, Stewart Adam wrote:
> I was thinking of ways that Fedora could improve user <--> SELinux
> interaction, and I thought that creating a kerneloops-like plugin for
> setroubleshoot would be a good way to collect data about denials.
> Similar to kerneloops, this would allow for statistics on where
> denials occur most and that way the policy can be modified
> accordingly. Ultimately, this leads to a better user experience with
> Fedora. I took a quick look at the setroubleshoot plugin system and it
> shouldn't be too hard to get this started, but some extra help
> would be great.

Great! Do it!

Keep in mind that like kerneloops, someone should need to know
absolutely nothing about SELinux to use it.

~spot

 
Old 07-17-2008, 07:17 PM
Daniel J Walsh
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Stewart Adam wrote:
> Hi,
>
> After the recent SELinux discussion (and the several ones before it),
> it's pretty clear that users are having problems with SELinux but at the
> same time SELinux is an important aspect to system security so it isn't
> going anywhere. Instead of asking to turn SELinux off, let's work
> towards making SELinux "just work" since that will provide the good user
> experience and the extra security.
>
> I was thinking of ways that Fedora could improve user <--> SELinux
> interaction, and I thought that creating a kerneloops-like plugin for
> setroubleshoot would be a good way to collect data about denials.
> Similar to kerneloops, this would allow for statistics on where denials
> occur most and that way the policy can be modified accordingly.
> Ultimately, this leads to a better user experience with Fedora. I took a
> quick look at the setroubleshoot plugin system and it shouldn't be too
> hard to get this started, but some extra help would be great.
>
> Beyond this it would probably be good to rework the interface of
> system-config-selinux tool to make it easier to use for the average
> user. Sure, editing /etc/sysconfig/selinux is easy but the average user
> doesn't know how and shouldn't have to spend an hour trying to figure it
> out, especially if this is their first time using Linux.
>
> Feedback, ideas and comments are welcome. I'd like to know what you
> think before starting any work on any of this.
>
> Stewart
>

John Dennis designed setroubleshoot to be able to send its messages to
an upstream collector, so it seems to me that adding a button to report the
message upstream would be easy. The problem is where the upstream
infrastructure to handle all the messages is.

dwalsh@redhat.com is probably not a good place.

:^)

Of course if we took the XML data we could run it through some tools to
see if the AVC was fixed by a newer version of policy.

audit2why will report when policy is fixed by the current policy.
 
Old 07-17-2008, 07:55 PM
Robin Norwood
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

On Thu, 17 Jul 2008 14:19:07 -0500
"Arthur Pemberton" <pemboa@gmail.com> wrote:

> On Thu, Jul 17, 2008 at 2:17 PM, Daniel J Walsh <dwalsh@redhat.com>
> > John Dennis designed setroubleshoot to be able to send its messages
> > to an upstream collector, it seems to me that adding a button to
> > report the message upstream would be easy. The problem is where is
> > the upstream infrastructure to handle all the messages.
> >
> > dwalsh@redhat.com. Is probably not a good place.
>
>
> I would think not. Does the infrastructure team have any web service
> or sorts that can accept these log messages?

Probably not, but it sounds like a fairly easy turbogears project. The
data is in XML? Is the format defined anywhere? The app would need to
process the XML to check for duplicates, and display the results. If
the format is well-defined and we can say "If fields x, y, and z are
the same, then this is a duplicate report", then it should be nearly
trivial.

-RN

--
Robin Norwood
Red Hat, Inc.

"The Sage does nothing, yet nothing remains undone."
-Lao Tzu, Te Tao Ching

 
Old 07-17-2008, 08:52 PM
Daniel J Walsh
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Ahmed Kamal wrote:
> another idea, is when a denial occurs, and we get this nice balloon,
> it would contain 2 buttons
> - AutoFix: automatically attempts changing the offending file's
> context, as per the recommended action
> - Exempt: changes the policy such that the offended application runs
> in an unrestricted selinux domain.
>
> IMHO, the policies will never be perfect. Mortals can't really "fix"
> the policy coz it's too complex. The Exempt is what the end users
> need, or they turn off the whole thing
>
Exempt is coming (permissive domains), available in Rawhide now.

The problem with this is when you get an AVC that really did not block
anything. Teaching people to press a button to tell SELinux to disable
protection will get them to disable it when a real attack comes along.

Most AVCs are caused by mislabeled files, leaked or redirected file
descriptors, or bugs in policy/code. And a whole lot of them can be ignored.

As an example, if you run system-config-services from the launch panel,
it has stdout redirected to ~/.xsession-errors.

If you restart a confined domain from this tool, you will generate an
AVC saying the confined domain tried to write to user_home_t. This is a
fairly bogus AVC and users should not disable protection since nothing
was really blocked. Our job is to figure out how to get rid of the false
noise and get to real security problems.

We have just added a new access called open. Before we had only
read/write. You could get read/write errors from open file descriptors
being passed around as explained above. useradd dwalsh > ~/myhome will
generate a read/write AVC. This is not something to worry about;
however, if named suddenly got an "open" AVC on user_home_t you know you
have a problem, since named should never be opening files in the homedir.


> On Thu, Jul 17, 2008 at 10:55 PM, Robin Norwood <rnorwood@redhat.com> wrote:
>> On Thu, 17 Jul 2008 14:19:07 -0500
>> "Arthur Pemberton" <pemboa@gmail.com> wrote:
>>
>>> On Thu, Jul 17, 2008 at 2:17 PM, Daniel J Walsh <dwalsh@redhat.com>
>>>> John Dennis designed setroubleshoot to be able to send its messages
>>>> to an upstream collector, it seems to me that adding a button to
>>>> report the message upstream would be easy. The problem is where is
>>>> the upstream infrastructure to handle all the messages.
>>>>
>>>> dwalsh@redhat.com. Is probably not a good place.
>>>
>>> I would think not. Does the infrastructure team have any web service
>>> or sorts that can accept these log messages?
>> Probably not, but it sounds like a fairly easy turbogears project. The
>> data is in XML? Is the format defined anywhere? The app would need to
>> process the XML to check for duplicates, and display the results. If
>> the format is well-defined and we can say "If fields x, y, and z are
>> the same, then this is a duplicate report", then it should be nearly
>> trivial.
>>
>> -RN
>>

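Robin's duplicate check ("if fields x, y and z are the same, it is a duplicate report") and Dan's read/write-versus-open distinction above, as an added Python sketch; this is not setroubleshoot code, the audit records are constructed, and the choice of key fields and the triage rule are one reading of the two posts.

```python
import re
from collections import Counter

# Constructed AVC records (not captured data) mirroring the thread's examples: a
# confined tool writing to user_home_t via an inherited fd, and named opening a file.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1216315200.101:42): avc:  denied  { write } for  pid=2301 '
    'comm="useradd" path="/home/user/myhome" dev=sda3 ino=1031 '
    'scontext=unconfined_u:system_r:useradd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1216315300.007:44): avc:  denied  { read open } for  pid=1200 '
    'comm="named" name="secret.txt" dev=sda3 ino=2048 '
    'scontext=system_u:system_r:named_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]
# A second report of the first denial from another run: only pid and serial differ.
SAMPLE_AVCS.append(SAMPLE_AVCS[0].replace("pid=2301", "pid=2310").replace(":42)", ":43)"))

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    return rec

def dedup_key(rec):
    """Fields x, y, z: source type, target type, class, perms (pid/inode/path vary per host)."""
    stype = rec["scontext"].split(":")[2]  # user:role:type:level -> type
    ttype = rec["tcontext"].split(":")[2]
    return (stype, ttype, rec["tclass"], rec["perms"])

def triage(rec):
    """Walsh's distinction: read/write alone may stem from a leaked or redirected
    descriptor, while 'open' means the domain itself asked the kernel for the file."""
    if "open" in rec["perms"]:
        return "real"
    if rec["perms"] <= {"read", "write"}:
        return "possible-leaked-fd"
    return "review"

def collect(lines):
    """Fold a batch of reports into per-key counts plus a triage verdict per key."""
    counts, verdicts = Counter(), {}
    for rec in filter(None, map(parse_avc, lines)):
        key = dedup_key(rec)
        counts[key] += 1
        verdicts[key] = triage(rec)
    return counts, verdicts
```

`collect(SAMPLE_AVCS)` folds the three constructed reports into two keys, the useradd one counted twice and flagged as a likely leaked descriptor, the named one flagged as real.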
 
Old 07-17-2008, 09:03 PM
Stewart Adam
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

On Thu, 2008-07-17 at 15:47 -0500, Arthur Pemberton wrote:
>
> While this would get the job done. It is really a bad idea as it makes
> having SELinux on useless for most folks -- they might as well just
> disable it
>
> Plus it reminds me of the deny||allow stories i hear about in MS Vista.
+1 - The idea of this is to get users to report what's going wrong and
get it fixed in the policy instead of exempt/disable which defeats the
purpose and trains the user to hit "Exempt" without reading anything.

Stewart

 
Old 07-17-2008, 09:03 PM
Casey Dahlin
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Ahmed Kamal wrote:
> another idea, is when a denial occurs, and we get this nice balloon,
> it would contain 2 buttons
> - AutoFix: automatically attempts changing the offending file's
> context, as per the recommended action

This is a sharp edge for users to cut themselves on. It would be nice if
we would detect when the error was a result of inconsistencies though
(such as the file label not matching policy).


IMHO, we should be able to do the following:

- We should have exempt, which ignores the denial for now. It also flags
the issue upstream. Denial messages for the exempt process are then
rerouted to a safe place.
- Whenever policy-kit is updated, the exemptions are reevaluated and
removed if they should be addressed.
- We should come up with some secure way of quickly propagating
information about known selinux issues, so that denial warnings can be
suppressed until a fix is available
- There should be more graphical tools for manipulating policy itself.
The user should be able to see a list of local policy exceptions they
have made.


--CJD

 
Old 07-17-2008, 09:05 PM
Stewart Adam
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

On Thu, 2008-07-17 at 15:55 -0400, Robin Norwood wrote:
>
> Probably not, but it sounds like a fairly easy turbogears project. The
> data is in XML? Is the format defined anywhere? The app would need to
> process the XML to check for duplicates, and display the results. If
> the format is well-defined and we can say "If fields x, y, and z are
> the same, then this is a duplicate report", then it should be nearly
> trivial.
>
> -RN

I didn't think of using TurboGears - you're right, so then all that's
needed is a (very simple) script and a SQL database.

Stewart

 
Old 07-17-2008, 09:10 PM
Benjamin Lewis
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Ahmed Kamal wrote:
> another idea, is when a denial occurs, and we get this nice balloon,
> it would contain 2 buttons
> - AutoFix: automatically attempts changing the offending file's
> context, as per the recommended action
> - Exempt: changes the policy such that the offended application runs
> in an unrestricted selinux domain.

Whilst this can definitely be an option, I would be very, very, wary
about putting it on the first screen the user sees, else they will get
into the habit of clicking it. Could it be possible, perhaps, to use
permissive domains (or whatever they are called) from the .26 kernel
inside of s-c-selinux or s-c-services to fulfill this role?

> IMHO, the policies will never be perfect. Mortals can't really "fix"
> the policy coz it's too complex. The Exempt is what the end users
> need, or they turn off the whole thing
--

Benjamin Lewis
Fedora Ambassador
ben.lewis@benl.co.uk

-----------------------------------------------------------------------
http://benl.co.uk./ PGP Key: 0x647E480C

"In cases of major discrepancy, it is always reality that got it wrong"
-- RFC 1118
 
Old 07-18-2008, 12:51 PM
Daniel J Walsh
 
Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

Arthur Pemberton wrote:
> On Thu, Jul 17, 2008 at 4:07 PM, Ahmed Kamal
> <email.ahmedkamal@googlemail.com> wrote:
>> - Autofix seems like a good idea
>> - Perhaps Exempt button should only appear, if AutoFix doesn't work
>> (not sure how to detect that)
>> - To avoid a system user clicking Exempt, perhaps Exempt should only
>> exempt the application only this time. i.e., when the application is
>> launched again, it will generate a selinux warning again. That way,
>> the user still reports the issue to get it properly fixed, but at the
>> time, has the tools to get his work done and his apps running when he
>> needs them
>
> While this doesn't avoid the Vistaesque problem, it may be a fair
> compromise to consider.
>
> One more issue however, is there any way to hide the unimportant
> denials? There are some denials that have no observable side effects.
>
Sure, if you could write code to understand that this is a denial without
side effects. So far I have not figured out a way to do this.
setroubleshoot does have an ignore button also, which will allow a user
to ignore AVCs that he has deemed to be not important.

 
