More PATH fallout. Who decided this was a good idea?

Andrew Bartlett abartlet at
Mon Dec 8 00:55:27 UTC 2008

On Sun, 2008-12-07 at 14:29 -0900, Jeff Spaleta wrote:
> On Sun, Dec 7, 2008 at 5:54 AM, Steve Grubb <sgrubb at> wrote:
> > Hope you find this informtion useful.
> Well it's certainly going to make for a more rational discussion.
> I still come back to one thing.  Could the file permissions be
> implemented differently so that CAPP compliance could be a system
> install time choice, instead of being expressed in the configuration
> of all installs?
> Sort of how we make it possible for people who care about LSB
> compliance to be able to install the necessary bits without enforcing
> compliance on everyone else. Just sort of, I'm not suggesting security
> compliance and LSB compliance are anywhere close to the same thing in
> scope.
> But what I am saying is that I'm not sure the restrictions and
> assumptions behind the logic of CAPP makes a lot of sense for our
> default target usecases.  We don't currently have a server target for
> example, and I'm not sure CAPP can be applied to something like a
> laptop desktop case without warping spacetime.
> So taking a look at how CAPP compliance is handled now, could some of
> the restrictions like the permissions be handled in a more modular
> way? Could for example, things be changed so I could install a
> specialized fedora-CAPP package at install time which tightens up
> aspects of the system to bring it into CAPP compliance, instead of
> expressing those restrictions in the defualt settings of all installs?

Perhaps a bit like the 'bastille' hardening script?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the fedora-devel-list mailing list