 
01-04-2008, 04:07 PM
John Dennis
Another selinux rant

Ed Swierk wrote:

> People who already know about SELinux can of course just learn to type
> ls -l --lcontext, but showing the extra information by default would
> at least give clueless users like me a hint that files have these
> extra attributes that might somehow be relevant to those strange
> openvpn failures. IMHO this would be the single best usability
> improvement to SELinux


Re SELinux usability issues:

We wrote the setroubleshoot package precisely to help SELinux novice
users so they wouldn't suffer with hidden obscure failures of the type
which have frustrated you. If it had been installed you would have
received notifications in real time on your desktop describing the
failure and suggestions on how to fix it.
--
John Dennis <jdennis@redhat.com>

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
01-04-2008, 04:19 PM
"Ed Swierk"
Another selinux rant

On 1/3/08, Andrew Farris <lordmorgul@gmail.com> wrote:
> Ok I understand then, however I'd just comment that as a gauge of usability I
> think your situation (moving configurations across platforms, from no selinux to
> selinux) is somewhat of a fringe case. I realize that MANY admins would be
> doing just that in the process of adopting selinux since rewriting
> configurations is a major pain, but it's still something that can almost be
> expected to cause headache (and requires labeling). Just my 2c on usability, it
> still seems to work best when you start out from install with selinux enabled
> and avoid deliberately circumventing it.

Believe me, as an engineer I understand how annoying it is to learn
that a user has given up in frustration after 10 minutes just because
they ran into a trivial issue like a bug in the installer. Unfortunately
the most luxuriously smooth freeway in the world will lie unused if
the on-ramps are full of land mines. :-)

> Would you say that documentation on that specific issue (migrating
> configurations) needs more attention?

I think improving error messages and warnings and default behavior
(see my earlier comments on tar and ls) is more worthwhile than
writing documentation, as the latter tends not to get read.

--Ed

 
01-04-2008, 04:24 PM
James Antill
Another selinux rant

On Fri, 2008-01-04 at 08:40 -0800, Ed Swierk wrote:
> On 1/4/08, Tomasz Torcz <tomek@crocom.com.pl> wrote:
> > tar with "--xattrs"?
>
> No, I didn't realize --xattrs existed; the tar info page doesn't
> mention it. Oh, there it is in the man page.

If I do "info tar" on Fed-8 the second hit for a search on "selinux"
gives the --selinux option and the --xattrs option is visible just below
it (--xattrs includes --selinux).

> Is there some reason why storing extended attributes by default would
> be undesirable? I normally expect tar to carry all relevant metadata
> with it; that's sort of the point of using tar.

Well we didn't want to do this until the patch for xattrs/ACLs/SELinux
is upstream as it changes the default tar format and GNU tars without
the patch will display a bunch of annoying warnings.
Esp. given how much tar is used to distribute software, where
perms/xattrs aren't really wanted.

--
James Antill <james.antill@redhat.com>
Red Hat
 
01-04-2008, 04:26 PM
"Ed Swierk"
Another selinux rant

On 1/4/08, John Dennis <jdennis@redhat.com> wrote:
> Re SELinux usability issues:
>
> We wrote the setroubleshoot package precisely to help SELinux novice
> users so they wouldn't suffer with hidden obscure failures of the type
> which have frustrated you. If it had been installed you would have
> received notifications in real time on your desktop describing the
> failure and suggestions on how to fix it.

The machine in question is a server with no graphical applications; is
there a command-line version of setroubleshoot?

--Ed

 
01-04-2008, 04:41 PM
"Ed Swierk"
Another selinux rant

On 1/4/08, James Antill <james.antill@redhat.com> wrote:
> If I do "info tar" on Fed-8 the second hit for a search on "selinux"
> gives the --selinux option and the --xattrs option is visible just below
> it (--xattrs includes --selinux).

Oh, I see. I was looking in the "All tar options" section (3.4).

--Ed

 
01-04-2008, 04:49 PM
"Arthur Pemberton"
Another selinux rant

On Jan 4, 2008 11:26 AM, Ed Swierk <eswierk@arastra.com> wrote:
> On 1/4/08, John Dennis <jdennis@redhat.com> wrote:
> > Re SELinux usability issues:
> >
> > We wrote the setroubleshoot package precisely to help SELinux novice
> > users so they wouldn't suffer with hidden obscure failures of the type
> > which have frustrated you. If it had been installed you would have
> > received notifications in real time on your desktop describing the
> > failure and suggestions on how to fix it.
>
> The machine in question is a server with no graphical applications; is
> there a command-line version of setroubleshoot?


One would hope you would have installed it by now. There is a very
nice command-line usage of setroubleshoot. I have never used the UI
myself. Frankly, I don't know how you've been using SELinux without
setroubleshoot.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

 
01-04-2008, 05:01 PM
Steve Grubb
Another selinux rant

On Friday 04 January 2008 12:24:24 James Antill wrote:
> > Is there some reason why storing extended attributes by default would
> > be undesirable? I normally expect tar to carry all relevant metadata
> > with it; that's sort of the point of using tar.
>
> Well we didn't want to do this until the patch for xattrs/ACLs/SELinux
> is upstream as it changes the default tar format and GNU tars without
> the patch will display a bunch of annoying warnings.

And furthermore... if you tar a directory up on Fedora 8 and untar it on an
OpenBSD machine... it's not going to know what to do with the extended
attributes for SE Linux. Since open source software is used across many
platforms, it's wasteful to turn it on by default.

-Steve

 
01-04-2008, 05:03 PM
Rahul Sundaram
Another selinux rant

Arthur Pemberton wrote:

> Yah. I'm not fond of how it is packaged myself... but since I can't do
> better, I don't complain about it... it really does drag in too much
> stuff however.

Complaining in bugzilla would be a useful contribution.

Rahul

 
01-04-2008, 05:04 PM
John Dennis
Another selinux rant

Ed Swierk wrote:

> On 1/4/08, John Dennis <jdennis@redhat.com> wrote:
>
> > Re SELinux usability issues:
> >
> > We wrote the setroubleshoot package precisely to help SELinux novice
> > users so they wouldn't suffer with hidden obscure failures of the type
> > which have frustrated you. If it had been installed you would have
> > received notifications in real time on your desktop describing the
> > failure and suggestions on how to fix it.
>
> The machine in question is a server with no graphical applications; is
> there a command-line version of setroubleshoot?


Yes, setroubleshoot-server.

You have two options for receiving the alerts from the headless server.
You can either run the gui on a machine with a head and point it at the
headless server (requires modifying the config file to use TCP rather
than the default Unix domain sockets).


On the headless server edit /etc/setroubleshoot/setroubleshoot.cfg and
in the listen_for_client section set the address_list parameter to
{inet}server.ip.addr. Then on the GUI system do the same thing except
set the address_list in the client_connect_to section.


-OR-

You can choose to have the headless server send you emails with the
alert by editing the file


/var/lib/setroubleshoot/email_alert_recipients

and adding a line like this:

user@example.com filter_type=after_first

The filter_type specifies whether to filter the email alert; the 3
possible values are:

after_first - filter the email after the first notification
always      - always filter, thus never send an email alert
never       - never filter, thus always send an email alert
--
John Dennis <jdennis@redhat.com>

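The two headless-server settings John describes, modelled as an added example (not setroubleshoot's own code). It assumes setroubleshoot.cfg is ini-style, uses a constructed placeholder socket path, treats `#` lines in email_alert_recipients as comments, and rejects recipient lines that omit filter_type; all four are assumptions of this example, not statements from the post.

```python
import configparser
import io

# The three filter_type values described in the post.
VALID_FILTER_TYPES = ("after_first", "always", "never")

# Constructed stand-in for /etc/setroubleshoot/setroubleshoot.cfg; the
# socket path is a placeholder, not the real default.
SAMPLE_CFG = """[listen_for_client]
address_list = {unix}/placeholder/setroubleshoot_socket
"""

# Constructed stand-in for /var/lib/setroubleshoot/email_alert_recipients.
SAMPLE_RECIPIENTS = """# assumption: '#' starts a comment line
admin@example.com filter_type=after_first
ops@example.com filter_type=never
noc@example.com filter_type=always
"""


def set_tcp_address(cfg_text, section, server_ip):
    """Return cfg_text with address_list in `section` switched from the
    default Unix domain socket to TCP: address_list = {inet}<server_ip>."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '{', '}' literal
    cfg.read_string(cfg_text)
    if not cfg.has_section(section):
        cfg.add_section(section)
    cfg.set(section, "address_list", "{inet}" + server_ip)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def parse_recipients(text):
    """Parse 'user@example.com filter_type=...' lines into {address: filter_type}."""
    recipients = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        opts = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        ftype = opts.get("filter_type")  # assumption: the option is mandatory
        if ftype not in VALID_FILTER_TYPES:
            raise ValueError("bad or missing filter_type on line: " + line)
        recipients[fields[0]] = ftype
    return recipients


def should_send(filter_type, already_notified):
    """after_first: only the first alert; always: filter everything (no mail);
    never: filter nothing (always mail)."""
    if filter_type == "after_first":
        return not already_notified
    return filter_type == "never"


def deliver(recipients, notified):
    """Return the addresses that receive this alert; `notified` holds the
    addresses that already got one and is updated in place."""
    to_send = [a for a, f in recipients.items() if should_send(f, a in notified)]
    notified.update(to_send)
    return to_send
```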
 
01-04-2008, 05:11 PM
"Arthur Pemberton"
Another selinux rant

On Jan 4, 2008 12:01 PM, Ed Swierk <eswierk@arastra.com> wrote:
> On 1/4/08, Arthur Pemberton <pemboa@gmail.com> wrote:
> > One would hope you would have installed it by now. There is a very
> > nice command-line usage of setroubleshoot. I have never used the UI
> > myself. Frankly, I don't know how you've been using SELinux without
> > setroubleshoot.
>
> It wasn't installed by default and I don't know how I should have
> known to look for it (again, the audit log messages don't even mention
> SELinux). If this is considered a key part of SELinux then Anaconda
> shouldn't enable SELinux without it.

Well, it's a key component for managing SELinux; it doesn't actually
help SELinux to work.

> I assumed it was graphics-only because yum wants to drag in all sorts
> of gnome and gtk2-related packages when I install it.


Yah. I'm not fond of how it is packaged myself... but since I can't do
better, I don't complain about it... it really does drag in too much
stuff however.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
