Anurag S. Maskey wrote: > NWAM would love to have refresh_on dependencies as mentioned in RFE CR > 6623159 refresh_on dependencies would help > (http://bugs.opensolaris.org/view_bug.do?bug_id=6623159). When nwam > installs a new location, it updates different configuration files > (ipsec, ike, ipfilter, etc) and a new SMF service (network/location) is > refreshed. This service has ipsec, ike, ipfilter, etc. as its > "restart_on refresh" dependents and thus these other services also get > restarted. This process is described in Section 8.3.2 at > http://www.opensolaris.org/os/project/nwam/p1spec/netsvcs/. > > Rather than restarting the dependent services, refreshing them would > provide more security. When these services are restarted, there is a > small open window of vulnerability between the stop and start where > policies are not enforced. The fix for CR 6623159 would eliminate this > as the services are never stopped. > > Where does this CR stand in the priority list of the SMF team?
Much lower than Enhanced Profiles, frankly. And on that note... if the configuration you're talking about was stored in a profile, when that config was updated the service would be refreshed by default. The work that's being done in Visual Panels with firewall configuration, as well as for apache is illustrative for configuration that can't be in SMF. I'm working on some scripts that should make basic profiles functionality available to NWAM very soon... more on that either this weekend or early next week. liane
