Re: Handling dconf Settings

Mon, 24 Feb 2014 15:19:32 -0800 

On 2/24/14, 6:07 PM, Maura Dailey wrote:
The GConf settings we've been using for login banners and disabling user lists have been replaced by Gnome 3's dconf parameters in RHEL 7 (and Fedora, obviously). dconf allows users and admins to set certain parameters with plain text key files. It also allows admins to bypass key files and set parameters with a GVariant binary blob file. There are some problems for us with both methods. I'll use the login banner text settings as an example. 


The recommended method in the RHEL 7 administration guide is to create 
a text file in /etc/dconf/db/gdm.d/ that looks something like the 
following:


[org/gnome/login-screen]
banner-message-enable=true
banner-message-text='Consent banner text'


After creating this file, the user must type dconf update, and the 
settings are applied, making this a two step process. However, there 
is a second way to apply the same settings, using the gsettings tool, 
which will write the data as a binary data blob into the home 
directory of whatever user runs the tool:



sudo -u gdm dbus-launch gsettings set org.gnome.login-screen 
banner-message-enable true



This achieves the same effect and the consent banner will be displayed 
to users in exactly the same way. This method is harder to test, since 
there is no parseable text file for OVAL to evaluate, but it is 
extremely easy to apply on the command line.




TLDR: Are we allowed to mandate that system administrators must use 
the Red Hat guide's method of using plain text key files?



dconf is verifiable, `gdm dbus-launch` is not. Seems reasonable to 
recommend implementations which can be machine verified.



Perhaps we could acknowledge the dbus-launch method in the description 
tag, noting that machines configured in such a way may report false 
positives (and to use dconf if this bothers the sysadmin)




On a related note, the login banner text only displays AFTER users 
have put in their user name, and there appears to be no way to edit 
the consent banner's appearance without altering the GDM theme. 
Instead, it's scrunched into a tiny window, with tiny grey text on a 
grey background, with a scroll bar. Is it too late to put this on my 
RHEL 7 final release wish list or can someone point me to the correct 
settings?


File an RFE ASAP:
https://access.redhat.com/support/cases/new/

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide






















					Reply via email to