- Original Message -
I have a question about [1], the policy limiting what services may
be started/enabled by default (when the RPM is installed).

# If a service does not require configuration to be functional and
# does not listen on a network socket, it may be enabled by default
# [...]
# All other services must not be enabled by default.

I'm thinking about how this needs to apply to server processes
associated with performance co-pilot (pcp). The various daemons can
be set to listen on any mixture of IPv4 / IPv6 / AF_UNIX sockets. We
think it would be a fine performance-data-gathering background service
to run (deeper than sar but still tiny overhead), but default-on
appears to be precluded by the policy. Or is it?

Is the intent of this policy to prevent unintentional remote access to
the services from a network (ignoring the default firewall)? If so,
then a server restricted to localhost and/or AF_UNIX parts should be
allowed to be enabled by default.

I’m pretty sure “network socket” is not interpreted to include AF_UNIX. As for
localhost, that’s less clear, but typically the policy does forbid such
daemons, primarily not because of the unclear network socket but because many
daemons that can (also) listen on localhost, like the pcp daemons, typically
_need_ configuration to be used as the administrator wishes to use them. (This
gets us into another gray area, whether a service that is functional in the
default configuration but often run in a different one “requires configuration
to be functional”.)

Mirek
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct