Fedora default services (was: Re: F15 Feature - convert as many service init files as possible to the native SystemD services)

Michał Piotrowski mkkp4x4 at gmail.com
Mon Dec 6 23:38:07 UTC 2010


2010/12/7 Toshio Kuratomi <a.badger at gmail.com>:
> On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
>> On 6 December 2010 18:43, Kevin Fenzi <kevin at scrye.com> wrote:
>> > On Mon, 6 Dec 2010 18:17:51 +0100
>> > Michał Piotrowski <mkkp4x4 at gmail.com> wrote:
>> >
>> >> On 6 December 2010 18:01, Kevin Fenzi <kevin at scrye.com>
>> >> wrote:
>> >
>> > ...snip...
>> >
>> >> > What are you trying to do?
>> >>
>> >> I'm trying to convert sysvinit scripts to systemd services (as many
>> >> as possible)
>> >
>> > If you're trying to determine what units should be enabled by default,
>> > please talk to the Fedora Packaging Committee.
>> >
>> > See also:
>> > https://fedorahosted.org/fesco/ticket/504
>> >
>> > Where fesco decided:
>> >
>> > "Default is off, exceptions exist to allow proper functioning of the
>> > os. FPC to document exceptions and process exception requests."
>> >
>> > FPC was going to work on an exceptions list I think...
>>
>> This list will be useful.
>>
>> Dear FPC people, could you provide this list in the near future?
>>
> Feedback appreciated -- what do you think should be on?  What do you think
> should be off?  Right now I think we'd make an exception for ssh (a really
> big exception since it's a network facing service, even).

Ok

>  Dbus and
> default syslog variant also spring to mind which might be.

Ok

>  Those might be
> able to start defining a category of "things needed to run a desktop
> session" or something.
>
> iptables,

no chance to disable this

I guess ip6tables too?

> auditd, restorecond sound like keepers -- maybe a category here
> would be things that add to system security in a default install.

These are things related to core system security, so should be enabled.

>  For this
> category we'd want to be careful, do we also want to allow fail2ban or
> denyhosts to run by default if they're installed?

No, other things not related to SELinux (or something that we could
call "core security subsystem") should be IMHO off by default.

>
> Other categories or specific examples would be good.

Cron - but should be activated only when cron files exist

It seems to me that the list:
- ssh
- Dbus
- syslog
- iptables
- ip6tables
- auditd
- restorecond
is an absolute minimum to get a "working system".

- udev-post ? - is it needed for F15?
- mdmonitor and lvm2-monitor? - are they needed for properly working MDs/LVMs?
- network/Networkmanager ?

Everything else that is not essential for Fedora security or basic
desktop functionality should IMO be off by default.

>
> -Toshio
>



-- 
Best regards,
Michal

Sent from my iToaster

