On Monday 30 November 2009 15:43:26 Bill Nottingham wrote:
> Gene Czarcinski (gene@xxxxxxxxx) said:
>
> > Keep it simple (KISS) for the initial attempt. It will grow more
> > complicated all by itself as time passes.
> >
> > BTW, the security policy should assume that a grub password is in use so
> > that a user cannot do something like disabling selinux by editing the
> > kernel command line. This should be tested by the security QA.
>
> That seems very broken. A security policy that is violated on every
> single out of the box install that doesn't do customization?
>

Agreed ... it is broken.

As I see it, the problem is that without a grub password, then an unprivileged user can edit the command line to disable selinux or boot up in single user mode.

On the other hand, there is also "good enough" versus perfect.

In a perfect world, a user would (by default) be required to enter that password.

In a "good enough" world, have the option to set the password.

A "split the difference" (better) world (this is a change from existing implementation): have the grub password default to being root's password. [I have not tested this in install but I assume that root's password cannot be null.]

I do not want to see the goal for Fedora to be perfect ... simply "good enough".

Gene

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list