[Fedora-livecd-list] Use of lokkit in livecd-builder
Daniel P. Berrange
berrange at redhat.com
Thu Aug 28 14:30:15 UTC 2008
On Thu, Aug 28, 2008 at 10:21:44AM -0400, Jeremy Katz wrote:
> On Thu, 2008-08-28 at 15:07 +0100, Daniel P. Berrange wrote:
> > The way we currently do it is include lokkit packages at first, and then
> > use a %post script to uninstall python and everything using it. Unless
> > someone wants to re-implement the entirety of lokkit in C, I don't see any
> > other viable approach other than this uninstall in %post.
>
> The irony is that lokkit was originally written in C. But to add all of
> the functionality that people continued to want, it was rewritten in
> python years ago :)
The ever-increasing functionality of lokkit is an incredibly poor design
choice :-( For libvirt to register iptables rules, SELinux policy had
to be changed to allow libvirtd to run lokkit. This has the dubious
side-effect of now giving libvirtd permission to turn off SELinux.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|