Final (hopefully) privilege escalation policy draft

Richard W.M. Jones rjones at
Thu Feb 11 13:32:17 UTC 2010

On Wed, Feb 10, 2010 at 05:19:59PM -0500, Tony Nelson wrote:
> On 10-02-10 15:48:39, Adam Williamson wrote:
> > Hi, all. So the privilege escalation policy went to FESCo, who
> > suggested some minor tweaks and a final run-by the mailing lists 
> > before it gets approved.
> > 
> > I have now adjusted the draft -
> >
> > Draft_Fedora_privilege_escalation_policy
> > - to reflect all feedback from this list and from FESCo. It will be
> > reviewed again by FESCo next week. Please raise any potential issues
> > or further suggestions for adjustments before then. Of course, even 
> > if the policy is accepted by FESCo it will not be set in stone and
> > changes and exceptions can be added in future as appropriate, but I'd
> > like to have it as good as possible at first :) thanks all!
> "Directly read or write directly to or from system memory" has an extra 
> (or out of order) "directly".

It's also going to be tricky to run any programs if they can't access
the memory in the system.  Can the definition be tightened up --
e.g. "kernel memory and memory-mapped devices" or "memory other than
userspace pages allocated to the current user"?


Richard Jones, Virtualization Group, Red Hat
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
