-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dave Airlie wrote: > On Thu, 2008-07-17 at 18:15 -0500, Arthur Pemberton wrote: >> On Thu, Jul 17, 2008 at 6:00 PM, Dave Airlie <airlied@xxxxxxxxxx> wrote: >>> Even so, don't let the user know, clearly they won't do the right thing, >>> and you end up training them with the wrong behaviour. stop thinking of >>> the user being someone who knows or cares what a policy/selinux or an >>> exemption is. >> While I agree with your statement as is, it is my unverified suspicion >> that 'fedora user' is significantly different from 'user'. >> >> Thankfully, Fedora is not Ubuntu, and I may be idealistic, but I think >> we may be able to expect a bit more from the average Fedora user... >> >> which leads me to another idea. Would probably be great if we could >> have all AVCs copied easily to a central machine for those who use >> Fedora in enterprise type environments. > > You know you just contradicted yourself :) > > If we want Fedora and by inheritance RHEL/CentOS to be useable on > enterprise desktops or even consumer desktops we cannot assume we know > what a "Fedora user" is. So we shouldn't be basing any decisions on the > fact we might think a Fedora user is inherently smarter than an Ubuntu > user. > > >> - Emplyee A does something acceptable, encounters and AVC >> - AVC reported to sysadmin >> - Auto fix attempts fail >> - request denied >> - sysadmin reviews, decided to allow all such AVCs >> >> then >> >> - Emplyee A does same acceptable thing, encounters and AVC >> - AVC reported to sysadmin >> - activity found whitelisted >> - auto fix tool allows > > For Enterprise desktops and RHEL something like that is what I would > rather see. For non sysadmin maintained desktop, a community AVC dump > with some responsible person who can allow/disallow things. > > Eventually the policy would be updated of course and rolled out. > > Dave. > Managed desktops in RHEL/Centos should not even be running sealert these messages should be going to a centralized location for the sysadm to monitor. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkiAkvUACgkQrlYvE4MpobOk9ACbBKW5Ixynklr6RYSiYmQbgpb2 bt4An3+Javb+yz3D5prGRQK+3EuSrv18 =kJIc -----END PGP SIGNATURE----- -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
