On Wednesday 18 November 2009 04:45:05 pm James Antill wrote:
> On Wed, 2009-11-18 at 16:04 -0500, Steve Grubb wrote:
> > > The problem is the *Default* not the fact that you can consciously
> > > allow users to update without a password.
> >
> > And I wonder what the audit trail will show? Does it show which user
> > installed these packages?
>
> PK has its own logging, it logs the user the API is running from
> there. But it doesn't set loginuid, so "yum history", auditd, SELinux,
> etc. don't know.

That is a big problem. If I have the following audit rule:

-a always,exit -F dir=/usr -F perm=w

It needs to show which user was able to write into /usr or the audit trail is broken.

-Steve
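Added example, not part of the original message: a small check over raw audit records that flags writes under /usr whose SYSCALL record carries no loginuid, which is the gap described above. The sample records, the paths in them, and the function names are constructed for illustration; it assumes raw audit.log format, where an unset loginuid appears as auid=4294967295.

```python
import re
from collections import defaultdict

# Values a record can carry when loginuid was never set ((uid_t)-1).
UNSET_AUID = {"4294967295", "-1", "unset"}

# Constructed sample records (not from the thread): one write by a daemon that
# never set loginuid, one by a process inside a login session for uid 500.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1258580705.101:812): arch=c000003e syscall=2 success=yes exit=7 ppid=1 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 comm="packagekitd" exe="/usr/sbin/packagekitd"
type=PATH msg=audit(1258580705.101:812): item=0 name="/usr/bin/example-tool" inode=131 dev=fd:00 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1258580760.440:813): arch=c000003e syscall=2 success=yes exit=5 ppid=3001 pid=3050 auid=500 uid=0 gid=0 euid=0 comm="yum" exe="/usr/bin/python"
type=PATH msg=audit(1258580760.440:813): item=0 name="/usr/lib/example.so" inode=412 dev=fd:00 mode=0100755 ouid=0 ogid=0
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group raw audit records by event id (timestamp:serial)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[m.group(1)].append(fields)
    return events

def unattributed_writes(log_text, prefix="/usr/"):
    """Return (event_id, exe, path) for events under prefix with no loginuid."""
    findings = []
    for event_id, records in parse_events(log_text).items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        paths = [r["name"] for r in records
                 if r.get("type") == "PATH" and r.get("name", "").startswith(prefix)]
        if syscall is None or not paths:
            continue
        # A missing auid field is treated the same as an unset one.
        if syscall.get("auid", "unset") in UNSET_AUID:
            findings.extend((event_id, syscall.get("exe", "?"), p) for p in paths)
    return findings

if __name__ == "__main__":
    for event_id, exe, path in unattributed_writes(SAMPLE_LOG):
        print(f"{event_id}: {exe} wrote {path} with auid unset")
```

Only the first constructed event is reported: uid=0 appears on both, so without auid the two writes cannot be told apart by user.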