Old 01-07-2010, 06:20 PM
Daniel J Walsh
 
Default Managed Desktop...

A couple of years ago, when I introduced the idea of the xguest user in SELinux, I was working on a kiosk user. I have since added lots of other types of confined users. One of the biggest problems I have seen with this is the way our desktop is designed.

Our desktop is designed to be what I would call an administrative desktop. Tools like packagekit, setroubleshoot, abrt etc run by default. Pull down menus include lots of tools that prompt me for the root password. If I don't know the root password and am not an administrator of the machine, I should not be given options to run administrative tools in the menu.

I played with sabayon, but sabayon has it backwards, in my opinion. sabayon is a blacklist tool. sabayon tries to take away applications from the menu or stop applications from starting. I believe sabayon or another tool needs to be a white list tool. (sabayon++) If we had this tool the administrator or package developer could list the applications that will show up in the menus, and will autostart. Once I lock design the desktop for this type of user, no installation of an application will change the way this type of user's desktop looks/runs. With current sabayon, every time a new desktop feature shows up, I am forced to re-release xguest to remove the feature from the desktop.

I would like to see two default user types out of the box, Minimal Desktop, administrative desktop.

Administrative desktop, would be what we have now. You install an app that includes desktop files, they show up on the desktop.

Minimal desktop, would only have a minimal set of applications, for the user to use.

Firefox, Mail Client, Office products, NetworkManager, PowerManagement?

Then sabayon++ can add or remove applications from the menu system and autostarting.

Then I and other package maintainers could ship desktop users like xguest user, or corporate desktop user and only run the apps that are appropriate to that type of user.

The biggest benefit for the SELinux team is we can write policy that is appropriate to the type of user. Currently xguest policy has to dontaudit xguest_t sending dbus messages to packagekit, just because the packagekit client starts by default. If we have the ability to customize my xguest desktop environment, and future proof it, then we can remove the dontaudit. If a xguest user tries to start packagekit client, that would be an audited event.

Forgetting about SELinux, I believe this would be compelling to administrators of large networks of desktops.



--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
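
The whitelist-versus-blacklist point in the message above, as an added example (not part of the thread and not sabayon's code): it compares what a restricted user's menu/autostart set looks like under each model before and after an unrelated package is installed. The desktop-file IDs, the `NEW_PACKAGE` entry and all function names are constructed for illustration.

```python
import configparser

# Constructed sample: desktop-file ID -> contents, standing in for the
# system applications/autostart directories. All IDs here are made up.
INSTALLED = {
    "firefox.desktop": "[Desktop Entry]\nType=Application\nName=Firefox\nExec=firefox %u\n",
    "mail-client.desktop": "[Desktop Entry]\nType=Application\nName=Mail\nExec=mail-client\n",
    "packagekit-client.desktop": "[Desktop Entry]\nType=Application\nName=Updates\nExec=pk-client\n",
    "hidden-tool.desktop": "[Desktop Entry]\nType=Application\nName=Tool\nExec=tool\nHidden=true\n",
}
NEW_PACKAGE = {"new-admin-tool.desktop": "[Desktop Entry]\nType=Application\nName=Admin\nExec=admin-tool\n"}

def parse_entry(text):
    """Return the [Desktop Entry] group of a .desktop file as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # desktop-entry keys are case-sensitive
    cp.read_string(text)
    return dict(cp["Desktop Entry"])

def is_launchable(entry):
    """True for application entries not already hidden by the file itself."""
    return (entry.get("Type") == "Application"
            and entry.get("Hidden", "false") != "true"
            and entry.get("NoDisplay", "false") != "true")

def visible_blacklist(installed, blocked):
    """Blacklist model: everything installed shows unless explicitly removed."""
    return sorted(i for i, t in installed.items()
                  if i not in blocked and is_launchable(parse_entry(t)))

def visible_whitelist(installed, allowed):
    """Whitelist model: only listed IDs show, whatever else is installed."""
    return sorted(i for i, t in installed.items()
                  if i in allowed and is_launchable(parse_entry(t)))

def drift_after_install(view, policy):
    """Entries that newly appear for the user once NEW_PACKAGE is installed."""
    before = view(INSTALLED, policy)
    after = view({**INSTALLED, **NEW_PACKAGE}, policy)
    return sorted(set(after) - set(before))

if __name__ == "__main__":
    print("blacklist drift:", drift_after_install(visible_blacklist, {"packagekit-client.desktop"}))
    print("whitelist drift:", drift_after_install(visible_whitelist, {"firefox.desktop", "mail-client.desktop"}))
```

Under the blacklist model the new entry reaches the restricted user until the policy is re-released; under the whitelist model the visible set does not change.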
 
Old 01-07-2010, 07:05 PM
Bill Nottingham
 
Default Managed Desktop...

Daniel J Walsh (dwalsh@redhat.com) said:
> Once I lock design the desktop for this type of user, no installation of an application will
> change the way this type of user's desktop looks/runs. With current sabayon, every time a new
> desktop feature shows up, I am forced to re-release xguest to remove the feature from the desktop.

How much of this can be accomplished just by limiting the package set, and
not allowing package installs from the restricted UI?

Bill

 
Old 01-07-2010, 07:17 PM
Matthew Miller
 
Default Managed Desktop...

On Thu, Jan 07, 2010 at 02:20:28PM -0500, Daniel J Walsh wrote:
> Forgetting about SELinux, I believe this would be compelling to
> administrators of large networks of desktops.

Oh my yes.



--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect
Cyberinfrastructure Labs / Instructional & Research Computing
Computing & Information Technology
Harvard School of Engineering & Applied Sciences

 
Old 01-07-2010, 07:20 PM
Matthew Miller
 
Default Managed Desktop...

On Thu, Jan 07, 2010 at 03:05:59PM -0500, Bill Nottingham wrote:
> How much of this can be accomplished just by limiting the package set, and
> not allowing package installs from the restricted UI?

That works for a single-user system, or a system where the same policy
applies to all users.


--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect
Cyberinfrastructure Labs / Instructional & Research Computing
Computing & Information Technology
Harvard School of Engineering & Applied Sciences

 
Old 01-07-2010, 07:24 PM
Seth Vidal
 
Default Managed Desktop...

On Thu, 7 Jan 2010, Daniel J Walsh wrote:



> Firefox, Mail Client, Office products, NetworkManager, PowerManagement?
>
> Then sabayon++ can add or remove applications from the menu system and
> autostarting.
>
> Then I and other package maintainers could ship desktop users like
> xguest user, or corporate desktop user and only run the apps that are
> appropriate to that type of user.
>
> The biggest benefit for the SELinux team is we can write policy that is
> appropriate to the type of user. Currently xguest policy has to
> dontaudit xguest_t sending dbus messages to packagekit, just because the
> packagekit client starts by default. If we have the ability to
> customize my xguest desktop environment, and future proof it, then we
> can remove the dontaudit. If a xguest user tries to start packagekit
> client, that would be an audited event.
>
> Forgetting about SELinux, I believe this would be compelling to
> administrators of large networks of desktops.


Isn't this what the reduced functionality/options interface that kde used
to offer (and maybe still do) is for?


-sv

 
