[prev in list] [next in list] [prev in thread] [next in thread]
List: fedora-selinux-list
Subject: Re: AVC Decision Tree.
From: Daniel J Walsh <dwalsh () redhat ! com>
Date: 2006-03-31 17:03:43
Message-ID: 442D60EF.1030303 () redhat ! com
[Download RAW message or body]
Thorsten Scherf wrote:
> On Thu, 2006-03-30 at 14:51 -0500, Daniel J Walsh wrote:
>
>> http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions#preview
>>
>> Trying to build a analysys tool to be able to translate avc messages
>> into possible boolean/file_context solutions.
>>
>> The idea is that we can look at the AVC messages that are generated and
>> figure out what the servers were trying to do. Then we can give some
>> advise to the administrator on the corrective measures. So what we are
>> looking for are expected code paths where there is a file context of
>> boolean available.
>>
>
> Usually if a AVC denied is fixed with a corresponding rule, the next AVC
> comes up in the log (allow getattr, after that ACV:denied read, and so
> on). Probably we don't want to annoy the administrator with several
> pop-ups coming up on his screen.
>
> What do you think about that?
>
>
Yes the idea would be to continue gathering all of the AVC's while the
app is running. I do not believe they will be able
close the window faster than the AVC MEssages. The app should have a
disable button built in so that if their is a real labeling problem, it
will not keep popping up. So we will have to watch our usability. :^)
But hopefully there will not be a lot of AVC messages :^)
Dan
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic