2010/12/7 Toshio Kuratomi <a.badger@xxxxxxxxx>:
> On Mon, Dec 06, 2010 at 06:55:20PM +0100, Michał Piotrowski wrote:
>> On 6 December 2010 18:43, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> > On Mon, 6 Dec 2010 18:17:51 +0100
>> > Michał Piotrowski <mkkp4x4@xxxxxxxxx> wrote:
>> >
>> >> On 6 December 2010 18:01, Kevin Fenzi <kevin@xxxxxxxxx>
>> >> wrote:
>> >
>> > ...snip...
>> >
>> >> > What are you trying to do?
>> >>
>> >> I'm trying to convert sysvinit scripts to systemd services (as many
>> >> as possible)
>> >
>> > If you're trying to determine what units should be enabled by default,
>> > please talk to the Fedora Packaging Committee.
>> >
>> > See also:
>> > https://fedorahosted.org/fesco/ticket/504
>> >
>> > Where fesco decided:
>> >
>> > "Default is off, exceptions exist to allow proper functioning of the
>> > os. FPC to document exceptions and process exception requests."
>> >
>> > FPC was going to work on an exceptions list I think...
>>
>> This list will be useful.
>>
>> Dear FPC people, could you provide this list in the near future?
>>
> Feedback appreciated -- what do you think should be on? What do you think
> should be off? Right now I think we'd make an exception for ssh (a really
> big exception since it's a network facing service, even).

Ok

> Dbus and
> default syslog variant also spring to mind which might be.

Ok

> Those might be
> able to start defining a category of "things needed to run a desktop
> session" or something.
>
> iptables,

no chance to disable this I guess

ip6tables too?

> auditd, restorecond sound like keepers -- maybe a category here
> would be things that add to system security in a default install.

These are things related to core system security, so should be enabled.

> For this
> category we'd want to be careful, do we also want to allow fail2ban or
> denyhosts to run by default if they're installed?

No, other things not related with SELinux (or something that we could
call "core security subsystem") should be IMHO off by default.

>
> Other categories or specific examples would be good.

Cron - but should be activated only when cron files exist

It seems to me that the list:
- ssh
- Dbus
- syslog
- iptables
- ip6tables
- auditd
- restorecond
is an absolute minimum to get "working system".

- udev-post ? - is it needed for F15?
- mdmonitor and lvm2-monitor? - are they needed for proper working MD's/LVM's?
- network/Networkmanager ?

Everything else that is not essential for Fedora security, basic
desktop functionality should be IMO off by default.

>
> -Toshio
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
>

--
Best regards,
Michal

Sent from my iToaster