Steve Grubb ([EMAIL PROTECTED]) said:
> On Thursday 10 July 2008 14:13:13 Bill Nottingham wrote:
> > - disabling pam_console handling of DRI devices, which has the effect
> >   of either:
> >   - making the devices 0666
> >   - crippling the X server
>
> Which guide is doing anything with DRI devices?

http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf

2.2.2.1 Restrict console device access. Explicitly suggests disabling the
pam_console support for it, with commented config file examples.

> > - removing module files shipped with the kernel to disable features,
> >   which is an impressively hacky and bad way to do it (Maintaining lists
> >   of modules to remove sounds like so much fun.)
>
> There is no other way of ensuring wireless cannot be used. This is definitely
> hacky and I've asked for this to be made better. rm -rf is not acceptable as
> a long term solution.

The way to make it better is to not install the hardware. Period. It's
a requisitioning issue, not a software issue. To be fair, the document
spells this out as one option, but it really should be the only option.

> > - has contradictory guidelines on the same page about yum
> > - describes kudzu as allowing hardware configuration by unprivileged users
>
> What they are talking about is that some hardware may not be desired to be
> enabled. The thought was that kudzu can do some things that may suddenly
> cause the hardware to be enabled.

It only configures hardware that changes, and well, if you have physical
access to *change the hardware*... all bets are off.

Bill
