[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Security policy oversight needed?

On Thu, 2009-11-19 at 08:48 -0800, Jesse Keating wrote:
> On Thu, 2009-11-19 at 09:14 -0500, Owen Taylor wrote:
> > It doesn't work practically: configuration for packages needs to live
> > with the package. Putting gigantic amounts of configuration into the 
> > %post of a kickstart file quickly becomes unmanageable. And the idea
> > that we make configuration changes in the %post of the kickstart really
> > falls part badly once people start upgrading their install to the next
> > version of Fedora.

> Which is why you do it with specifically selected policy packages, and
> not trying to write out files in %post.  Create a set of policy packages
> that define certain user cases, and pick from those as you construct a
> spin.

I can't resist pointing out the irony that the
currently-under-discussion issue would precisely allow an unprivileged
user to torpedo such a system of enforcement, if we were using one
already =)

Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]