2009/11/19 Richard Hughes <hughsient@xxxxxxxxx>
Why not choose them all?
What about having packaged policy profiles?> So if I pick "personal desktop", the change you made makes sense. If onSurely if you're deploying a workstation (1000s of workstations?) you
> the other hand, I choose "workstation" profile, I would obviously need a
> more locked down profile.
would just ship an extra package that set the PolicyKit policies
according to the domain policy, so if I was a school, I would allow
the active users to unplug removable drives, but not detach physical
drives. I would also stop them installing and upgrading (not even give
them the option to enter a root password) and also lock down who can
change the clock. I would also prevent them from installing debuginfo
files and being able to set thier audio system to real-time priority.
The real argument is what set of users upstream software should
target. There's an argument for upstream to default to "no" for all
actions and for the admin to install a policy for "desktop",
"workstation" etc, but then there's just the related problem of what
policy package to choose by default for "Fedora".
Why not choose them all?
policykit-profile-i-am-paranoid
policykit-profile-server
policykit-profile-controlled-deployment
policykit-profile-personal-desktop
In the live CD install the last one by default, on the DVD, choose the server option. Either way, since it is a packaged profile, all someone will need to do to change to a different one is replace the RPM package with something appropriate.
In this case, I do not think it is an either/or situation.
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
