admin-local-* should include admin-global-* content

[rootkovska]

admin-local-{ro,rwx} should include admin-global-{ro,rwx} respectively -- if something's allowed to read (write) the global state, it should also be allowed to read (write) the per-VM state.

[rootkovska]

BTW, we should also make sure that our automatics tests cover all the cases: both positive (calls allowed), but even more importantly negative (e.g. W-calls dropped when test VM given R-rights, etc).

/cc @woju

[rootkovska]

BTW, we should also make sure that our automatics tests cover all the cases: both positive (calls allowed), but even more importantly negative (e.g. W-calls dropped when test VM given R-rights, etc).

/cc @woju

[marmarek]

Are you sure about that inclusion? I think it may be useful to allow admin-global-rwx calls (creating VMs, setting up defaults, managing storage etc), but do not allow to manipulate existing VMs (where the data lives).

[marmarek]

Are you sure about that inclusion? I think it may be useful to allow admin-global-rwx calls (creating VMs, setting up defaults, managing storage etc), but do not allow to manipulate existing VMs (where the data lives).

[rootkovska]

I assume we agree about inclusion of global-ro into local-ro, right?
But you would like to keep global-rwx apart from local-rwx, correct?

[rootkovska]

I assume we agree about inclusion of global-ro into local-ro, right?
But you would like to keep global-rwx apart from local-rwx, correct?

[marmarek]

Generally yes. But if you put it this way, I think such a difference may be confusing. So, I would not include it either for ro or rwx. This may mean some duplication of rules. But also, user (or rather: admin) can add such include when it suits particular use case.

[marmarek]

Generally yes. But if you put it this way, I think such a difference may be confusing. So, I would not include it either for ro or rwx. This may mean some duplication of rules. But also, user (or rather: admin) can add such include when it suits particular use case.

[woju]

Out of principle I don't think there should be too many includes, since this would be a risk for maintainers. This would be another thing to remember for example if we wanted to write a new API call. I don't think that gains in terms of administration simplicity are worth the ideological complication, for both us and the administrator.

And as Marek said, if administrators choose to make such an include, they're always free to do so.

[woju]

Out of principle I don't think there should be too many includes, since this would be a risk for maintainers. This would be another thing to remember for example if we wanted to write a new API call. I don't think that gains in terms of administration simplicity are worth the ideological complication, for both us and the administrator.

And as Marek said, if administrators choose to make such an include, they're always free to do so.

[rootkovska]

So, you guys say that we include make rwx -> ro inclusions, but not global -> local, correct?

I think I'm generally convinced by the "admin can add the include on her own" argument. Only worry is to make sure to add it in the "right direction". How about adding a commented includes (global -> local) to eliminate this potenotential mistake?

[rootkovska]

So, you guys say that we include make rwx -> ro inclusions, but not global -> local, correct?

I think I'm generally convinced by the "admin can add the include on her own" argument. Only worry is to make sure to add it in the "right direction". How about adding a commented includes (global -> local) to eliminate this potenotential mistake?

[marmarek]

Wrong issue referenced from commit.

[marmarek]

Wrong issue referenced from commit.

[qubesos-bot]

Automated announcement from builder-github

The package pykickstart-2.32-4.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package pykickstart-2.32-4.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update