Wayne Feick wrote:
Generally speaking, in the security world you default to the most
restrictive behavior and administrators loosen up the restrictions as
needed. This, of course, tends to annoy everyday users who don't
realize all the insecurities of what they want to do, and just want it
to work. I mean, all those flashing red lights and sirens can be
annoying when all I want to do is start a little campfire over there
next to the gas cans.
Make sense?
Well, yes. But we're not talking about setting a campfire next to gas
cans. I think we're overdoing the analogies.
I understand your rationale, but at some point, a security tool that
gets in the way will cease being a security tool - and generally in a
very dangerous way. If we want to extend your already tortured analogy
a little, it's kind of like having a wall between the gas can and the
campfire, but the only way to get to the wood to start the fire is to
enter a code into a little door in the wall. And you can only take out
one at a time. Eventually you'll just chop down the wall, and to hell
with the consequences. And possibly use it for wood, but that's a
different analogy that doesn't yet have a real world case. I'm sure
we'll find one. :-)
It would be at least a nice thing to have a tool that asks you if you're
doing some common things that selinux doesn't by default allow, make
sure that's what you want to do, and set up selinux to allow them. At
least then most people won't need to worry about it, but it might make
common tasks easier for someone who really doesn't know what they're doing.
But I still maintain that things like firefox, which is a default
install with no real changes to it, should never trigger an AVC alarm.
A default Fedora install, with no local modifications to it, should
never trigger AVC denials. But it happens frequently.
--Russell
Wayne.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
