07-17-2008, 06:43 PM
"Arthur Pemberton"

Proposal: Improving SELinux <--> user interaction on Fedora - Kerneloops for SELinux

On Thu, Jul 17, 2008 at 12:42 PM, Stewart Adam <maillist@diffingo.com> wrote:
> Hi,
>
> After the recent SELinux discussion (and the several ones before it),
> it's pretty clear that users are having problems with SELinux but at the
> same time SELinux is an important aspect to system security so it isn't
> going anywhere. Instead of asking to turn SELinux off, let's work
> towards making SELinux "just work" since that will provide the good user
> experience and the extra security.

Seems to me there are three problems in all
1. Some people are lazy
2. Some people want to have more control at all points
3. SELinux does meet unexpected situations

> I was thinking of ways that Fedora could improve user <--> SELinux
> interaction, and I thought that creating a kerneloops-like plugin for
> setroubleshoot would be a good way to collect data about denials.
> Similar to kerneloops, this would allow for statistics on where denials
> occur most and that way the policy can be modified accordingly.
> Ultimately, this leads to a better user experience with Fedora. I took a
> quick look at the setroubleshoot plugin system and it shouldn't be too
> hard to get this started but some extra more help would be great.
>
> Beyond this it would probably be good to rework the interface of
> system-config-selinux tool to make it easier to use for the average
> user. Sure, editing /etc/sysconfig/selinux is easy but the average user
> doesn't know how and shouldn't have to spend an hour trying to figure it
> out, especially if this is their first time using Linux.
>
> Feedback, ideas and comments are welcome. I'd like to know what you
> think before starting any work on any of this.
>
> Stewart

If you're referring to an automated/semi-automated opt-in reporter
SELinux seems like a great idea to me.

I'm guessing at the least it will help with data collection.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
07-17-2008, 07:19 PM
"Arthur Pemberton"

On Thu, Jul 17, 2008 at 2:17 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Stewart Adam wrote:
>> Hi,
>>
>> After the recent SELinux discussion (and the several ones before it),
>> it's pretty clear that users are having problems with SELinux but at the
>> same time SELinux is an important aspect to system security so it isn't
>> going anywhere. Instead of asking to turn SELinux off, let's work
>> towards making SELinux "just work" since that will provide the good user
>> experience and the extra security.
>>
>> I was thinking of ways that Fedora could improve user <--> SELinux
>> interaction, and I thought that creating a kerneloops-like plugin for
>> setroubleshoot would be a good way to collect data about denials.
>> Similar to kerneloops, this would allow for statistics on where denials
>> occur most and that way the policy can be modified accordingly.
>> Ultimately, this leads to a better user experience with Fedora. I took a
>> quick look at the setroubleshoot plugin system and it shouldn't be too
>> hard to get this started but some extra more help would be great.
>>
>> Beyond this it would probably be good to rework the interface of
>> system-config-selinux tool to make it easier to use for the average
>> user. Sure, editing /etc/sysconfig/selinux is easy but the average user
>> doesn't know how and shouldn't have to spend an hour trying to figure it
>> out, especially if this is their first time using Linux.
>>
>> Feedback, ideas and comments are welcome. I'd like to know what you
>> think before starting any work on any of this.
>>
>> Stewart
>>
>
> John Dennis designed setroubleshoot to be able to send its messages to
> an upstream collector, it seems to me that adding a button to report the
> message upstream would be easy. The problem is where is the upstream
> infrastructure to handle all the messages.
>
> dwalsh@redhat.com. Is probably not a good place.


I would think not. Does the infrastructure team have any web service
of sorts that can accept these log messages?


--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

 
07-17-2008, 08:24 PM
"Ahmed Kamal"

another idea, is when a denial occurs, and we get this nice balloon,
it would contain 2 buttons
- AutoFix: automatically attempts changing the offending file's
context, as per the recommended action
- Exempt: changes the policy such that the offended application runs
in an unrestricted selinux domain.

IMHO, the policies will never be perfect. Mortals can't really "fix"
the policy coz it's too complex. The Exempt is what the end users
need, or they turn off the whole thing

On Thu, Jul 17, 2008 at 10:55 PM, Robin Norwood <rnorwood@redhat.com> wrote:
> On Thu, 17 Jul 2008 14:19:07 -0500
> "Arthur Pemberton" <pemboa@gmail.com> wrote:
>
>> On Thu, Jul 17, 2008 at 2:17 PM, Daniel J Walsh <dwalsh@redhat.com>
>> > John Dennis designed setroubleshoot to be able to send its messages
>> > to an upstream collector, it seems to me that adding a button to
>> > report the message upstream would be easy. The problem is where is
>> > the upstream infrastructure to handle all the messages.
>> >
>> > dwalsh@redhat.com. Is probably not a good place.
>>
>>
>> I would think not. Does the infrastructure team have any web service
>> of sorts that can accept these log messages?
>
> Probably not, but it sounds like a fairly easy turbogears project. The
> data is in XML? Is the format defined anywhere? The app would need to
> process the XML to check for duplicates, and display the results. If
> the format is well-defined and we can say "If fields x, y, and z are
> the same, then this is a duplicate report", then it should be nearly
> trivial.
>
> -RN
>
> --
> Robin Norwood
> Red Hat, Inc.
>
> "The Sage does nothing, yet nothing remains undone."
> -Lao Tzu, Te Tao Ching
>

 
07-17-2008, 08:47 PM
"Arthur Pemberton"

On Thu, Jul 17, 2008 at 3:24 PM, Ahmed Kamal
<email.ahmedkamal@googlemail.com> wrote:
> another idea, is when a denial occurs, and we get this nice balloon,
> it would contain 2 buttons
> - AutoFix: automatically attempts changing the offending file's
> context, as per the recommended action

Fair solution, setroubleshoot is normally on the money.

> - Exempt: changes the policy such that the offended application runs
> in an unrestricted selinux domain.

While this would get the job done, it is really a bad idea as it makes
having SELinux on useless for most folks -- they might as well just
disable it.

Plus it reminds me of the deny||allow stories I hear about in MS Vista.


> IMHO, the policies will never be perfect. Mortals can't really "fix"
> the policy coz it's too complex. The Exempt is what the end users
> need, or they turn off the whole thing


--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

 
07-17-2008, 09:07 PM
"Ahmed Kamal"

- Autofix seems like a good idea
- Perhaps Exempt button should only appear, if AutoFix doesn't work
(not sure how to detect that)
- To avoid a system user clicking Exempt, perhaps Exempt should only
exempt the application only this time. i.e., when the application is
launched again, it will generate a selinux warning again. That way,
the user still reports the issue to get it properly fixed, but at the
time, has the tools to get his work done and his apps running when he
needs them

On Fri, Jul 18, 2008 at 12:03 AM, Stewart Adam <maillist@diffingo.com> wrote:
>
>
> On Thu, 2008-07-17 at 15:47 -0500, Arthur Pemberton wrote:
>>
>> While this would get the job done, it is really a bad idea as it makes
>> having SELinux on useless for most folks -- they might as well just
>> disable it.
>>
>> Plus it reminds me of the deny||allow stories I hear about in MS Vista.
> +1 - The idea of this is to get users to report what's going wrong and
> get it fixed in the policy instead of exempt/disable which defeats the
> purpose and trains the user to hit "Exempt" without reading anything.
>
> Stewart
>

 
07-17-2008, 09:20 PM
"Arthur Pemberton"

On Thu, Jul 17, 2008 at 4:07 PM, Ahmed Kamal
<email.ahmedkamal@googlemail.com> wrote:
> - Autofix seems like a good idea
> - Perhaps Exempt button should only appear, if AutoFix doesn't work
> (not sure how to detect that)
> - To avoid a system user clicking Exempt, perhaps Exempt should only
> exempt the application only this time. i.e., when the application is
> launched again, it will generate a selinux warning again. That way,
> the user still reports the issue to get it properly fixed, but at the
> time, has the tools to get his work done and his apps running when he
> needs them

While this doesn't avoid the Vistaesque problem, it may be a fair
compromise to consider.

One more issue however, is there any way to hide the unimportant
denials? There are some denials that have no observable side effects.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

 
07-17-2008, 10:53 PM
Dave Airlie

On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
> - Autofix seems like a good idea
> - Perhaps Exempt button should only appear, if AutoFix doesn't work
> (not sure how to detect that)
> - To avoid a system user clicking Exempt, perhaps Exempt should only
> exempt the application only this time. i.e., when the application is
> launched again, it will generate a selinux warning again. That way,
> the user still reports the issue to get it properly fixed, but at the
> time, has the tools to get his work done and his apps running when he
> needs them
>

NO NO NO ... DOING IT WRONG.

Don't ever ask the user for this kind of info, it would be better to go
ping a remote server and download a newer policy than ask the user.

The user is not going to have a freaking clue wtf exempting means.

Didn't you guys see the Mac vs Windows ads on TV?

kerneloops does it right, opt in, send somewhere useful, next step if
somewhere useful has seen the AVC and we know it's safe, maybe send
something back saying continue and ignore, but don't involve the user in
the mess other than asking for opt-in.

Dave.

 
07-17-2008, 10:57 PM
"Arthur Pemberton"

On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied@redhat.com> wrote:
> On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
>> - Autofix seems like a good idea
>> - Perhaps Exempt button should only appear, if AutoFix doesn't work
>> (not sure how to detect that)
>> - To avoid a system user clicking Exempt, perhaps Exempt should only
>> exempt the application only this time. i.e., when the application is
>> launched again, it will generate a selinux warning again. That way,
>> the user still reports the issue to get it properly fixed, but at the
>> time, has the tools to get his work done and his apps running when he
>> needs them
>>
>
> NO NO NO ... DOING IT WRONG.
>
> Don't ever ask the user for this kind of info, it would be better to go
> ping a remote server and download a newer policy than ask the user.

Well I think in his suggested use case, he's assuming a genuine bug in
the policy which hasn't yet been fixed.


> The user is not going to have a freaking clue wtf exempting means.

Agreed

> Didn't you guys see the Mac vs Windows ads on TV?

That came to mind, was kinda scary.


> kerneloops does it right, opt in, send somewhere useful, next step if
> somewhere useful has seen the AVC and we know it's safe, maybe send
> something back saying continue and ignore, but don't involve the user in
> the mess other than asking for opt-in.

This may be a good idea. Have the service make a decision to continue
deny or temporarily allow based on available knowledge from the
server.

How much private info if any would be in the average AVC?

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

 
07-17-2008, 11:00 PM
Dave Airlie

On Thu, 2008-07-17 at 17:57 -0500, Arthur Pemberton wrote:
> On Thu, Jul 17, 2008 at 5:53 PM, Dave Airlie <airlied@redhat.com> wrote:
> > On Fri, 2008-07-18 at 00:07 +0300, Ahmed Kamal wrote:
> >> - Autofix seems like a good idea
> >> - Perhaps Exempt button should only appear, if AutoFix doesn't work
> >> (not sure how to detect that)
> >> - To avoid a system user clicking Exempt, perhaps Exempt should only
> >> exempt the application only this time. i.e., when the application is
> >> launched again, it will generate a selinux warning again. That way,
> >> the user still reports the issue to get it properly fixed, but at the
> >> time, has the tools to get his work done and his apps running when he
> >> needs them
> >>
> >
> > NO NO NO ... DOING IT WRONG.
> >
> > Don't ever ask the user for this kind of info, it would be better to go
> > ping a remote server and download a newer policy than ask the user.
>
> Well I think in his suggested use case, he's assuming a genuine bug in
> the policy which hasn't yet been fixed.


Even so, don't let the user know, clearly they won't do the right thing,
and you end up training them with the wrong behaviour. Stop thinking of
the user being someone who knows or cares what a policy/selinux or an
exemption is.

>
> > The user is not going to have a freaking clue wtf exempting means.
>
> Agreed
>
> > Didn't you guys see the Mac vs Windows ads on TV?
>
> That came to mind, was kinda scary.
>
>
> > kerneloops does it right, opt in, send somewhere useful, next step if
> > somewhere useful has seen the AVC and we know it's safe, maybe send
> > something back saying continue and ignore, but don't involve the user in
> > the mess other than asking for opt-in.
>
> This may be a good idea. Have the service make a decision to continue
> deny or temporarily allow based on available knowledge from the
> server.
>
> How much private info if any would be in the average AVC?

Good point, I am reminded of some of those totem backtraces with porn
movies in the backtrace.

Dave.

 
07-17-2008, 11:15 PM
"Arthur Pemberton"

On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied@redhat.com> wrote:
> Even so, don't let the user know, clearly they won't do the right thing,
> and you end up training them with the wrong behaviour. Stop thinking of
> the user being someone who knows or cares what a policy/selinux or an
> exemption is.

While I agree with your statement as is, it is my unverified suspicion
that 'fedora user' is significantly different from 'user'.

Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think
we may be able to expect a bit more from the average Fedora user...

which leads me to another idea. Would probably be great if we could
have all AVCs copied easily to a central machine for those who use
Fedora in enterprise type environments.

Example:

- Employee A does something acceptable, encounters an AVC
- AVC reported to sysadmin
- Auto fix attempts fail
- request denied
- sysadmin reviews, decides to allow all such AVCs

then

- Employee A does same acceptable thing, encounters an AVC
- AVC reported to sysadmin
- activity found whitelisted
- auto fix tool allows

But that may be overkill.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
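
Added example, not part of the thread and not setroubleshoot code: one way a collector could apply the duplicate check ("if fields x, y, and z are the same") and address the question of private data in an AVC, working on raw AVC audit lines. The choice of key fields (source type, target type, object class, permissions), the set of fields treated as private, and the sample log lines are assumptions constructed for illustration.

```python
import hashlib
import re

# Fields that can expose what the user was doing; treating these as private is an assumption.
PRIVATE_FIELDS = {"pid", "comm", "name", "path", "exe", "ino", "dev"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines: the same denial from two machines, another denial, a non-AVC record.
SAMPLE = [
    'type=AVC msg=audit(1216335600.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="holiday photos.html" dev=sda1 ino=8812 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1216339200.555:97): avc:  denied  { read } for  pid=3377 comm="httpd" name="index.html" dev=sdb2 ino=120 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1216340000.010:99): avc:  denied  { name_bind } for  pid=3400 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1216340000.010:99): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"',
]


def parse_avc(line):
    """Parse one AVC denial line into a dict of its fields, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = sorted(m.group("perms").split())
    return fields


def type_of(context):
    """user:role:type:level -> type, so the reporting user does not affect the key."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def dedup_key(avc):
    """Stable id built from source type, target type, object class and permissions."""
    ident = (type_of(avc["scontext"]), type_of(avc["tcontext"]), avc["tclass"], *avc["perms"])
    return hashlib.sha256("|".join(ident).encode()).hexdigest()[:16]


def redact(avc):
    """Copy of the record with the private fields removed, suitable for upload."""
    return {k: v for k, v in avc.items() if k not in PRIVATE_FIELDS}


def collect(lines):
    """Group denials by key: {key: {"count": n, "sample": redacted record}}."""
    seen = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or not {"scontext", "tcontext", "tclass"} <= avc.keys():
            continue
        entry = seen.setdefault(dedup_key(avc), {"count": 0, "sample": redact(avc)})
        entry["count"] += 1
    return seen
```

`collect(SAMPLE)` yields two groups, with the two `httpd_t` reads of `user_home_t` files counted as one denial seen twice and no file name leaving the machine. The same key could serve as the lookup for the sysadmin whitelist described in the last post.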

 
