Default services enabled

Daniel J Walsh dwalsh at redhat.com
Wed Aug 24 13:05:01 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/23/2011 10:58 PM, Kevin Kofler wrote:
> Steve Grubb wrote:
>> I think it was mentioned before that systemd is consuming a lot
>> of memory.
> 
> The amount quoted was actually ridiculously small considering both
> today's memory sizes and the fact that systemd is a singleton
> process.
> 
> Plus, it can be reduced even further (by something like 90%!) by
> disabling SELinux. It's your security stuff which is consuming a
> lot of memory.
> 
> Kevin Kofler
> 
Well, not wanting to get into this war, this is a little bit of the
chicken and the egg.  The reason systemd has SELinux memory usage is
because it wants to take on the functions that used to be done by
other processes, like udev labeling of /dev.  Impersonating processes
requires SELinux labeling, while listening on sockets.  Creating
content on tmpfs /run requires SELinux labeling.

So saying systemd has grown because of SELinux is stretching the truth
a little.

With that said, I like some of the features that systemd is bringing
to the table, from a security point of view.

Setting up CGroups properly.
Always starting services with a clean environment, i.e. the parent of a
service is init rather than some random admin that happened to restart
it.

SELinux has had tons of AVCs over the years caused by an admin sitting in
a random directory like /home/dwalsh or /root and starting a service.
Lots of bugs have had to be fixed in services using the environment
of the admin.

Allowing us to potentially eliminate all services from ever talking to
a tty.

I have railed over the years about random root-running daemons using
/tmp, and I think systemd using namespacing to change a service's view
of /tmp is a good idea.

I think using namespacing to eliminate the network is also a good
idea, especially when combined with SELinux.

One thing we need to code up is some additional knowledge in systemd
to say which Types can manage which services.  For example we want to
say NetworkManager_t can start/stop ntpd but not start/stop the apache
server.  Similarly we want to have a confined admin type webadm_t that
can only start and stop the apache service.  In Fedora 14/15 we do
this by labeling the initrc script.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5U9vwACgkQrlYvE4MpobOuzgCgnyx3tceuOGuu5xpZNmMVzjaW
m28An1tXwchUnjdBASir+QwXijPa2eam
=w/w6
-----END PGP SIGNATURE-----
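Added example, not part of the message above or of systemd's own documentation: a unit drop-in that turns the features Dan lists (private /tmp, no network, no tty, a fixed working directory rather than whatever shell the admin happened to be in) into systemd directives. The unit name "exampled.service" and the drop-in path are assumptions; the directives themselves are the standard [Service] options of systemd.

```ini
# Assumed location: /etc/systemd/system/exampled.service.d/hardening.conf
# ("exampled.service" is a placeholder unit name, not a real daemon.)
# After saving, run `systemctl daemon-reload` and restart the unit.
[Service]
# Private mount namespace: the daemon sees an empty /tmp and /var/tmp
# of its own, so a root daemon no longer shares the world-writable
# /tmp with local users (the /tmp symlink-race class of bugs).
PrivateTmp=yes
# Private network namespace: only a loopback device is visible, so a
# compromised daemon cannot open or accept network connections.
# Leave this out for services that genuinely need the network.
PrivateNetwork=yes
# Never attach the daemon to a controlling terminal: stdin is
# /dev/null and output goes to the journal instead of an admin's tty.
StandardInput=null
StandardOutput=journal
StandardError=journal
# Start from a known directory instead of /root or /home/<admin>,
# which is what triggered many of the AVC denials mentioned above.
WorkingDirectory=/
```

To confirm the drop-in took effect, ask systemd for the resulting properties rather than trusting the file: `systemctl show -p PrivateTmp -p PrivateNetwork -p WorkingDirectory exampled.service` should print the values set above.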

