Upcoming Fedora Test Days ... DeviceKit and XFCE

[Adam Williamson]

On Mon, 2009-03-16 at 15:25 -0600, Michal Jaegermann wrote:

> > The security model for DeviceKit is 'use PolicyKit'. DeviceKit uses the
> > policies set by PolicyKit to regulate access to storage devices. If you
> > want a restrictive policy on such access, set it up in PolicyKit.
> 
> After his standard initial response "this is not a bug", or
> equivalent, David Zeuthen got convinced to look at
> https://bugzilla.redhat.com/show_bug.cgi?id=489397
> and apparently a fix should be simple in this case.
> 
> The general issue is that while on one hand things are getting
> tightened up with SELinux policies, from time to time beyond a point
> of usability, at the same moment big holes are opened due to a
> byzantine maze of dependencies between PolicyKit and DeviceKit and
> Nautilus and generally desktop things.  While so far it appears that
> it is possible to hack around issues one has to catch up first that
> there is a problem and this should not be required by default.  By
> all means looser restrictions should be available if desired but as
> a configured choice and not surprises.

FWIW I pretty much agree with you, I rather think the issue of PolicyKit
defaults and capabilities wrt to security has not been closely enough
examined. I just wanted to make sure the thread contained the
information that DeviceKit's behaviour can be configured and controlled
via PolicyKit.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net