On Tue, 2009-11-24 at 10:27 -0500, Seth Vidal wrote: > > On Tue, 24 Nov 2009, James Antill wrote: > > > On Mon, 2009-11-23 at 22:32 +0000, Colin Walters wrote: > >> On Mon, Nov 23, 2009 at 10:02 PM, James Morris <jmorris@xxxxxxxxx> wrote: > >>> > >>> > >>> Possibly (it could simply be that an updated policy is weaker for some > >>> reason) -- but it doesn't matter, there should be no way to change MAC > >>> policy without MAC privilege. > >> > >> It'd be nice here if we had the ability to only grant the ability to > >> install applications, not packages. > > > > "applications" is still way too broad, IMO. Even if you limit it to > > what I assume you meant, "Desktop applications", it's not obvious that > > is good enough. > > > > A useful end goal seems more likely to be something like "allow 'local' > > users to update/install signed/trusted versions of: fonts, codecs, > > themes, games, editors". For bonus points you could make it possible for > > them to remove packages they have installed. > > If done well this should even allow things like the "webadmin" role > > being allowed to update/install apache related packages. > > See, this is the problem, with all the exceptions you'd need to > codify it would make much more sense to document how to set them up and > make it relatively easy to do so that the local admin can do so. Think of > it like documentation for sudo but with docs that don't make everyone cry. Oh, I agree 100%. My bad for not explaining what I meant. I'm not saying the GUI pkg installer should come with the above as defaults, just that it should work towards being able to "easily" provide the above functionality. -- James Antill - james@xxxxxxxxxxxxxxxxx http://yum.baseurl.org/wiki/releases http://yum.baseurl.org/wiki/whatsnew/3.2.25 http://yum.baseurl.org/wiki/YumMultipleMachineCaching -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
