Re: activating services by default, definition of network sockets


 



----- Original Message -----
> I have a question about [1], the policy limiting what services may
> be started/enabled by default (when the RPM is installed).
> 
> #   If a service does not require configuration to be functional and
> #   does not listen on a network socket, it may be enabled by default
> #   [...]
> #   All other services must not be enabled by default.
> 
> I'm thinking about how this needs to apply to server processes
> associated with performance co-pilot (pcp).  The various daemons can
> be set to listen on any mixture of IPv4 / IPv6 / AF_UNIX sockets.  We
> think it would be a fine performance-data-gathering background service
> to run (deeper than sar but still tiny overhead), but default-on
> appears to be precluded by the policy.  Or is it?
> 
> Is the intent of this policy to prevent unintentional remote access to
> the services from a network (ignoring the default firewall)?  If so,
> then a server restricted to localhost and/or AF_UNIX parts should be
> allowed to be enabled by default.

I’m pretty sure “network socket” is not interpreted to include AF_UNIX.  As for localhost, that’s less clear, but typically the policy does forbid such daemons, primarily not because of the unclear network socket but because many daemons that can (also) listen on localhost, like the pcp daemons, typically _need_ configuration to be used as the administrator wishes to use them.  (This gets us into another gray area, whether a service that is functional in the default configuration but often run in a different one “requires configuration to be functional”.)
    Mirek
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
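
An added example, not part of the original message: a small audit of the localhost-versus-network distinction discussed above, parsing TCP listener tables in /proc/net/tcp layout and labelling each listening address as loopback-only or bound to all interfaces. The sample rows and port numbers are constructed, a little-endian host is assumed, and AF_UNIX listeners never appear in these tables (they are listed in /proc/net/unix).

```python
import ipaddress

# Constructed sample rows in /proc/net/tcp and /proc/net/tcp6 layout (not from a real host).
# Port 0xAC44 (44100) is an arbitrary example port, not taken from the thread.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:AC44 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002
   2: 0100007F:AC44 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000     0        0 20003
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue
   0: 00000000000000000000000001000000:AC44 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 20004
   1: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 20005
"""
TCP_LISTEN = "0A"  # kernel state code for a listening TCP socket

def decode_addr(hex_addr):
    """Decode the kernel's hex address: 32-bit words printed in host order
    (assumption: little-endian host, so each 4-byte group is byte-swapped)."""
    raw = bytes.fromhex(hex_addr)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    addr = ipaddress.ip_address(fixed)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr

def classify(addr):
    """Label a bind address by how far it is reachable."""
    if addr.is_loopback:
        return "loopback-only"
    if addr.is_unspecified:
        return "all-interfaces"
    return "specific-interface"

def listeners(table_text):
    """Return (address, port, label) for every LISTEN row; skip other states."""
    out = []
    for line in table_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        host, port = fields[1].rsplit(":", 1)
        addr = decode_addr(host)
        out.append((str(addr), int(port, 16), classify(addr)))
    return out

if __name__ == "__main__":
    for row in listeners(SAMPLE_TCP) + listeners(SAMPLE_TCP6):
        print(*row)
```

On a real host the same functions can be fed the contents of /proc/net/tcp and /proc/net/tcp6 in place of the constructed samples.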




