Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)
Michał Piotrowski
mkkp4x4 at gmail.com
Mon Dec 6 23:38:07 UTC 2010
2010/12/7 Toshio Kuratomi <a.badger at gmail.com>:
> On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
>> On 6 December 2010 18:43, Kevin Fenzi <kevin at scrye.com> wrote:
>> > On Mon, 6 Dec 2010 18:17:51 +0100
>> > Michał Piotrowski <mkkp4x4 at gmail.com> wrote:
>> >
>> >> On 6 December 2010 18:01, Kevin Fenzi <kevin at scrye.com> wrote:
>> >
>> > ...snip...
>> >
>> >> > What are you trying to do?
>> >>
>> >> I'm trying to convert sysvinit scripts to systemd services (as many
>> >> as possible)
>> >
>> > If you're trying to determine what units should be enabled by default,
>> > please talk to the Fedora Packaging Committee.
>> >
>> > See also:
>> > https://fedorahosted.org/fesco/ticket/504
>> >
>> > Where fesco decided:
>> >
>> > "Default is off, exceptions exist to allow proper functioning of the
>> > os. FPC to document exceptions and process exception requests."
>> >
>> > FPC was going to work on an exceptions list I think...
>>
>> This list will be useful.
>>
>> Dear FPC people, could you provide this list in the near future?
>>
> Feedback appreciated -- what do you think should be on? What do you think
> should be off? Right now I think we'd make an exception for ssh (a really
> big exception since it's a network facing service, even).

Ok

> Dbus and
> default syslog variant also spring to mind which might be.

Ok

> Those might be
> able to start defining a category of "things needed to run a desktop
> session" or something.
>
> iptables,

no chance to disable this
I guess ip6tables too?

> auditd, restorecond sound like keepers -- maybe a category here
> would be things that add to system security in a default install.

These are things related to core system security, so should be enabled.

> For this
> category we'd want to be careful, do we also want to allow fail2ban or
> denyhosts to run by default if they're installed?

No, other things not related to SELinux (or something that we could
call "core security subsystem") should be IMHO off by default.

>
> Other categories or specific examples would be good.

Cron - but should be activated only when cron files exist

It seems to me that the list:
- ssh
- Dbus
- syslog
- iptables
- ip6tables
- auditd
- restorecond
is an absolute minimum to get a "working system".

- udev-post ? - is it needed for F15?
- mdmonitor and lvm2-monitor? - are they needed for proper working MD's/LVM's?
- network/Networkmanager ?

Everything else that is not essential for Fedora security, basic
desktop functionality should be IMO off by default.

>
> -Toshio
--
Best regards,
Michal
Sent from my iToaster