raising warning flag on firewalld-default feature

Simon Lukasik isimluk at fedoraproject.org
Mon Nov 26 11:09:31 UTC 2012


On 11/25/2012 05:12 PM, Richard W.M. Jones wrote:
> On Fri, Nov 23, 2012 at 11:43:01AM +0100, Simon Lukasik wrote:
>> On 11/22/2012 09:07 PM, Richard W.M. Jones wrote:
>>> On Tue, Nov 20, 2012 at 12:52:30PM -0500, Przemek Klosowski wrote:
>>>> Interpreters do not preclude simple data: they just scale better,
>>>> from simple linear declarative data to complex, Turing-cranking
>>>> swamp. The only argument against it is runtime overhead, which isn't
>>>> a problem in many, if not most, cases.
>>>
>>> It's NOT the only argument against it.  Having Turing-complete
>>> configuration files makes it impossible to have other programs parse
>>> and understand the configuration.  Programs including:
>>>
>>>  - OpenSCAP, or any other security scanner
>>>  - libvirt (hello, old Xen's python config files)
>>>  - multiple libguestfs tools like virt-sysprep
>>>  - Augeas and all the tools that use it
>>>
>>
>> Moreover, if the application (polkit) uses its embedded interpreter to
>> assess configuration and the scanner (OpenSCAP) uses its own way to
>> assess it (even if it differs in a version of the interpreter). --> It
>> only opens the door for very subtle bugs.
>>
>> Which leads me to thinking that the applications (which use Turing
>> complete languages for configuration) shall provide a comprehensive API
>> to query the configuration.
> 
> This isn't going to work for SCAP.  SCAP (or more specifically, OVAL)
> is a standardized XML schema for assessing the configuration of
> systems.  Steve will correct me if I'm wrong here, but I don't believe
> there's no room for it to be calling out to arbitrary custom
> libraries.

Sure, there is no room for *arbitrary* and custom libraries. On the
other hand, there are libraries which are already in use. Consider
librpm, which is even mentioned by name in the OVAL specification. Thus, if
there was a comprehensive interface to query polkit configuration, I could
imagine SCAP using it in a similar way to how it uses librpm.

But my point was more like: If there was a comprehensive interface to
read and write that configuration, there couldn't be a complaint about
compliance checks.

> http://oval.mitre.org/language/index.html
> http://oval.mitre.org/language/about/definition.html
> 
> Like it or not, this sort of scanning is extremely useful for cloud
> administrators who want to be able to automatically scan disk images
> uploaded from non-trusted sources and find out whether they contain
> vulnerabilities.  The requirements for configuration files to be
> simple and non-Turing-complete are not going to go away.
> 
> Rich.
> 

--
Simon Lukasik

