Mailinglist Archive: opensuse-factory (883 mails)
Re: [opensuse-factory] Roles for security and convenience
- From: Hans Witvliet <suse@xxxxxxxxxxx>
- Date: Sat, 26 May 2012 01:16:05 +0200
- Message-id: <1337987765.4431.207.camel@t43.lan0.a-domani.nl>
On Thu, 2012-05-24 at 17:17 +0200, Andreas Jaeger wrote:
<trimmed>
AFAICS SELinux appears to be capable of implementing RBAC with MAC
though it seems though that not even Redhat seems to make use of that
by default. Offering that with preconfigured roles for common tasks
seems like a massive undertaking, extending YaST to assign roles to
users in the user management modules is probably the easiest part.
Yeah, that's my fear as well. We need something practible. Fortunately
we might not need to do everything at once ;)
So, my call for help again: Please give some proposals on what kind of
roles/scenarios we want to offer - and be as precise on the different
roles/scenarios as possible.
Indeed: don't try to do it all at once,
Just add the granularity bit-by-bit.
At the moment it is all-or-nothing (root or mortal)
One candidate-role to start with is (using yast-terminology) "software".
If you are a member of "software" you should be able to perform everything
related to it. Of course root is a member of it, and if your system is
installed as beginner/enduser/simpleton/.. all new users will be part of
it.
Second role is "networking" for configuring any network device
Third for printing
Fourth for daemons/services (in general)
If that is accepted positively, you can add a finer level,
for instance with networking you can split it up in fixed/wifi/wlan
and within services split it up in dhcp/dns/ldap/...
Other approach might be to start with one (for instance "software") and
make that one fine-grained from the start:
individual roles for
-installing / uninstalling
-updating
-repo configuration
And the next time, a second group.
For instance "nfs", "samba", "iscsi"
If you implement it step-by-step, it would solve Johannes' objections:
"I fear implementing roles becomes a huge piece of work - i.e. too much
for now (in particular too much with the limited manpower behind our
many YaST modules to implement roles therein).
I wish to start with something really simple but to really start
with implementing it right now and not discuss much longer about
an ultimate final solution."
Hans