Security policy oversight needed?
Adam Williamson
awilliam at redhat.com
Thu Nov 19 20:49:30 UTC 2009
On Thu, 2009-11-19 at 08:48 -0800, Jesse Keating wrote:
> On Thu, 2009-11-19 at 09:14 -0500, Owen Taylor wrote:
> > It doesn't work practically: configuration for packages needs to live
> > with the package. Putting gigantic amounts of configuration into the
> > %post of a kickstart file quickly becomes unmanageable. And the idea
> > that we make configuration changes in the %post of the kickstart really
> > falls part badly once people start upgrading their install to the next
> > version of Fedora.
> Which is why you do it with specifically selected policy packages, and
> not trying to write out files in %post. Create a set of policy packages
> that define certain user cases, and pick from those as you construct a
> spin.
I can't resist pointing out the irony that the
currently-under-discussion issue would precisely allow an unprivileged
user to torpedo such a system of enforcement, if we were using one
already =)
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
More information about the devel
mailing list