Re: Nautilus integration with SELinux



On Wed, 2006-03-01 at 07:54 -0500, Ivan Gyurdiev wrote:
> >> I think we want the users to be aware of SELinux and proactively manage 
> >> it. It would be nice if SELinux would auto-manage itself, without the 
> >> user needing to do anything, but it just doesn't work that way - it's 
> >> another permissions system, which does the right thing most of the time, 
> >> but needs oversight to do the right thing all the time.
> >>     
> >
> > I'm pretty sure most desktop users would never want to touch SELinux
> > settings (and I'd say the same of e.g. the setuid bit and the full unix
> > permission set). If they have to it's probably because it "broke" in some
> > interesting way, and not because they had a wish to use it. 
> >   
> I think the permissions of the file are certainly more important than 
> say...emblems, or notes, or any of the other features Fedora nautilus 
> currently presents in the Properties dialog. If the file can't be 
> accessed properly by whatever needs to access it, then any emblems and 
> notes on it are useless to me.

In a way I agree. It's fundamentally important that the permissions of a
file are right, or the file is useless to the user. However, that is not
a very interesting observation to base a UI design on. In practice, the
majority of users will be mostly managing files in their home directory,
where most files already have the correct permissions. Thus, in almost
all cases the permissions page is not very interesting, and things that
the user might actually want to use (such as notes and emblems) are more
important.

Now, there *are* cases where you want to modify the permissions. I'd
classify most such times in either of these categories:
* for some reason the permissions of a file are wrong, so you can't read
or write to it, and you want to fix this
* You want to share a file/folder with someone else
* You're doing system administration work

The focus of Nautilus is for user work, so of these categories the first
two are more important. If we can make that easier at the expense of an
extra click in the last case that is perfectly ok. I think something
like I describe at
http://mail.gnome.org/archives/nautilus-list/2006-January/msg00064.html
strikes a pretty good balance.

It's possible that there are some aspects or features of selinux that we
can make easily understandable and that are generally useful that we
could put on the main page, but the full selinux set of operations
probably has to go on the details page (along with things like setuid,
sticky bit, write-only permissions (or other even weirder unix
permission combinations), and ACLs).

> I suspect there are classes of users who are very 
> conscious of permissions and document security, and it would be wrong to 
> generalize that "users don't care about permissions".

There clearly are, and I'm not saying that we should make it impossible
for them to do what they want. But you have to realise that people like
this are a small fraction of the userbase, and we aren't optimising for
them.

> Nautilus should be moving in the opposite direction - provide 
> users with more powerful management utilities, rather than strip out 
> functionality further.

I've never said anything about stripping out functionality.
   
> I hear this assertion made repeatedly in places like fedora-devel, 
> without any specific suggestions to back it up.
>
> There are many people working to make this technology better - it would 
> be nice if we could be told why this is "overcomplicated black magic," 
> so we can correct the problem. We certainly aim to make SELinux easier 
> to work, and integration with nautilus is a step in that direction.

From my perspective as a developer, these are the issues I have with
selinux:

* Neither the setup (files in /etc somehow magically get applied to the
  filesystem) nor the terminology is immediately obvious
* Needs quite some time to learn (and I don't have time for that, I
  need to get my work done)
* Seems to have no interesting usecases for me personally
* I only see it when it breaks something (and that is not uncommon)

I think this is pretty common amongst developers. This leads to
developers not learning how selinux works => black magic, and a feeling
of it being fragile due to it breaking stuff => overcomplicated.

I realise this is not a fair judgement. It probably wouldn't be black
magic if you learnt it, and it probably isn't overcomplicated for what
it achieves. However, I still personally feel all the above. 

I'm not sure what you could do to change this perception of selinux.
Maybe just chug along working on it until all the kinks are worked out
and it stops causing issues. Or maybe you could come up with some
usecases that really excite the developers and make them really keen on
learning selinux so they can use it.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl redhat com    alla lysator liu se 
He's an uncontrollable guerilla senator plagued by the memory of his family's 
brutal murder. She's a cold-hearted insomniac bodyguard who believes she is 
the reincarnation of an ancient Egyptian queen. They fight crime! 



