Default services enabled

Steve Grubb sgrubb at redhat.com
Mon Aug 22 00:34:58 UTC 2011


On Sunday, August 21, 2011 08:01:33 PM Rahul Sundaram wrote:
> On 08/22/2011 05:24 AM, Steve Grubb wrote:
> > Imagine an updated xinetd + upstart. Would that not solve the
> > problems, cause less turmoil, and be more secure?
> 
> How? Fedora has talked about moving to systemd well before the Fedora
> 14 release.

Sorry, I was very busy at the time. I am just beginning to look to the future and what
might be coming my way for RHEL7 common criteria. I have a hard time with systemd
being network aware. The requirements going into RHEL7 will likely be meeting what was
known as GPOSPP, which includes requirements for a minimal Intrusion Prevention System.
It's also a harder protection profile than we have ever met. With init performing an
xinetd role, I can't see how I am to kill it when it goes rogue.

> It was postponed to Fedora 15, has become the default in that release and we have
> already migrated dozens and dozens of services and we are nearing the Fedora 16
> Alpha release shortly and aiming for 100% conversion by the general release. 

I know. I added support in our audit package, but not upstream. I am not convinced yet
this is a sound design. How many major throw-away subsystems have we seen over the
years? The code may be perfectly implemented. But do we really want to design systems
with a new, expanded attack surface? This is a design problem that is more secure as
separate processes. (Going from sysvinit to upstart was no problem because the attack
surface change is minimal.)

> How is moving *back*  now to upstart going to be less turmoil?

You're not seeing the hundreds, no, thousands of emails about systemd? You are not
seeing that all the expected facilities of init are not covered? There is well-founded
rebellion here. How do I see all targets on a system? List all services
enabled/disabled for each target in one shot? Chkconfig is not perfect, but it's a
trusted friend. Also, not preparing for both server/desktop targets at a minimum seems
problematic in my opinion.

> I understand that you are busy and paying attention to this matter only now but I
> can't consider this as a serious proposal.

I am wondering if it was ever considered to give xinetd a makeover? I bet the coding 
would have been done in 2-3 weeks tops.

-Steve
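The two practical questions raised in this message (how to list every target and what each one pulls in, and which listeners PID 1 itself would hold open) can both be answered from the unit directory alone. The following is an added example, not code from the thread or from systemd; it walks a systemd-style unit tree, maps each `*.target.wants/` directory to the units it enables, and flags `.socket` units whose `Listen*` addresses are network addresses rather than AF_UNIX paths. The unit files and targets it builds are a constructed sample in a temporary directory; the directory name and unit contents are assumptions, and pointing `targets_and_wants()` / `network_listening_sockets()` at `/etc/systemd/system` would audit a live box instead.

```python
"""Enumerate systemd targets, the units their .wants/ directories enable, and
the socket units that would make init bind network ports.

Added example (not from the mailing-list thread or the systemd project).
The unit tree below is constructed for illustration, not copied from any host.
"""
import os
import tempfile
from collections import defaultdict

# Constructed sample unit files (assumed content, not a real host's configuration).
SAMPLE_UNITS = {
    "sshd.service": "[Unit]\nDescription=OpenSSH server\n[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "auditd.service": "[Unit]\nDescription=Audit daemon\n[Service]\nExecStart=/sbin/auditd\n",
    "gdm.service": "[Unit]\nDescription=Display manager\n[Service]\nExecStart=/usr/sbin/gdm\n",
    # inetd-style per-connection socket: init owns the listening port.
    "sshd.socket": "[Socket]\nListenStream=22\nAccept=yes\n",
    # One unit can carry several Listen* lines; only the TCP one is network-facing.
    "cups.socket": "[Socket]\nListenStream=/run/cups/cups.sock\nListenStream=631\n",
    "dbus.socket": "[Socket]\nListenStream=/run/dbus/system_bus_socket\n",
}
# Constructed target -> enabled units mapping (what `systemctl enable` would symlink).
SAMPLE_WANTS = {
    "multi-user.target": ["sshd.service", "auditd.service"],
    "graphical.target": ["gdm.service"],
    "sockets.target": ["sshd.socket", "cups.socket", "dbus.socket"],
}


def build_sample_tree(root):
    """Write the sample units and create <target>.wants/ symlinks under root."""
    for name, body in SAMPLE_UNITS.items():
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    for target, units in SAMPLE_WANTS.items():
        wants = os.path.join(root, target + ".wants")
        os.makedirs(wants, exist_ok=True)
        for unit in units:
            os.symlink(os.path.join(root, unit), os.path.join(wants, unit))
    return root


def parse_unit(path):
    """Minimal unit-file parser: section -> key -> list of values.
    Repeated keys (e.g. several ListenStream= lines) are all kept."""
    data = defaultdict(lambda: defaultdict(list))
    section = None
    with open(path) as f:
        for raw in f:
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            if section and "=" in line:
                key, value = line.split("=", 1)
                data[section][key.strip()].append(value.strip())
    return data


def targets_and_wants(unit_dir):
    """Map every target that has a .wants/ directory to the sorted units it enables."""
    result = {}
    for entry in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, entry)
        if entry.endswith(".target.wants") and os.path.isdir(path):
            result[entry[: -len(".wants")]] = sorted(os.listdir(path))
    return result


def is_network_address(addr):
    """Listen* values starting with '/' (filesystem) or '@' (abstract) are AF_UNIX;
    anything else (port, ip:port, [v6]:port) is a network bind held by PID 1."""
    return not (addr.startswith("/") or addr.startswith("@"))


def network_listening_sockets(unit_dir):
    """Map each .socket unit that binds a network address to those addresses."""
    result = {}
    for entry in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, entry)
        if not entry.endswith(".socket") or not os.path.isfile(path):
            continue
        socket_section = parse_unit(path).get("Socket", {})
        addrs = [a for key in ("ListenStream", "ListenDatagram", "ListenSequentialPacket")
                 for a in socket_section.get(key, [])]
        net = [a for a in addrs if is_network_address(a)]
        if net:
            result[entry] = net
    return result


def run_demo():
    """Build the constructed tree in a temp dir and return (targets, network sockets)."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="units-"))
    return targets_and_wants(root), network_listening_sockets(root)


if __name__ == "__main__":
    targets, net_sockets = run_demo()
    for target, units in targets.items():
        print(f"{target}: {', '.join(units)}")
    for unit, addrs in net_sockets.items():
        print(f"network listener owned by init: {unit} -> {', '.join(addrs)}")
```

The second function is the one that speaks to the concern in the message: every entry it reports is a port that init, not a separately killable daemon, holds open before the service is even started.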