On Thu, 2008-07-17 at 18:15 -0500, Arthur Pemberton wrote: > On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied@xxxxxxxxxx> wrote: > > Even so, don't let the user know, clearly they won't do the right thing, > > and you end up training them with the wrong behaviour. stop thinking of > > the user being someone who knows or cares what a policy/selinux or an > > exemption is. > > While I agree with your statement as is, it is my unverified suspicion > that 'fedora user' is significantly different from 'user'. > > Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think > we may be able to expect a bit more from the average Fedora user... > > which leads me to another idea. Would probably be great if we could > have all AVCs copied easily to a central machine for those who use > Fedora in enterprise type environments. You know you just contradicted yourself :) If we want Fedora and by inheritance RHEL/CentOS to be useable on enterprise desktops or even consumer desktops we cannot assume we know what a "Fedora user" is. So we shouldn't be basing any decisions on the fact we might think a Fedora user is inherently smarter than an Ubuntu user. > > - Emplyee A does something acceptable, encounters and AVC > - AVC reported to sysadmin > - Auto fix attempts fail > - request denied > - sysadmin reviews, decided to allow all such AVCs > > then > > - Emplyee A does same acceptable thing, encounters and AVC > - AVC reported to sysadmin > - activity found whitelisted > - auto fix tool allows For Enterprise desktops and RHEL something like that is what I would rather see. For non sysadmin maintained desktop, a community AVC dump with some responsible person who can allow/disallow things. Eventually the policy would be updated of course and rolled out. Dave. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
