Re: Security policy oversight needed?

2009/11/19 Richard Hughes <hughsient@xxxxxxxxx>
> So if I pick "personal desktop", the change you made makes sense. If on
> the other hand, I choose "workstation" profile, I would obviously need a
> more locked down profile.

Surely if you're deploying a workstation (1000s of workstations?) you
would just ship an extra package that set the PolicyKit policies
according to the domain policy, so if I was a school, I would allow
the active users to unplug removable drives, but not detach physical
drives. I would also stop them installing and upgrading (not even give
them the option to enter a root password) and also lock down who can
change the clock. I would also prevent them from installing debuginfo
files and being able to set their audio system to real-time priority.

The real argument is what set of users upstream software should
target. There's an argument for upstream to default to "no" for all
actions and for the admin to install a policy for "desktop",
"workstation" etc, but then there's just the related problem of what
policy package to choose by default for "Fedora".

Why not choose them all?

What about having packaged policy profiles?

policykit-profile-i-am-paranoid
policykit-profile-server
policykit-profile-controlled-deployment
policykit-profile-personal-desktop

In the live CD, install the last one by default; on the DVD, choose the server option. Either way, since it is a packaged profile, all someone will need to do to change to a different one is replace the RPM package with something appropriate.

In this case, I do not think it is an either/or situation.
-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
