On 2014-08-08 15:47, Robert Moskowitz wrote:
> On 08/08/2014 08:19 AM, Gordan Bobic wrote:
>> On 2014-08-08 12:35, Robert Moskowitz wrote:
>>> On 08/08/2014 06:36 AM, Gordan Bobic wrote:
>>>> On 2014-08-08 11:17, Robert Moskowitz wrote:
>>>>> On 08/08/2014 02:31 AM, Gordan Bobic wrote:
>>>>>> On 08/08/2014 02:26 AM, Robert Moskowitz wrote:
>>>>>>> Where is iptables? No /etc/sysconfig/iptables (or ip6tables). iptables is running.
>>>>>> yum install iptables ?
>>>>> Yeah, I guessed that after I vented.
>>>>> But not having sshd in minimal? Strange, but then if I am mismatched on armv then that might explain it.
>>>> The idea of the rootfs is that it is _really minimal_, and you yum install whatever else you need after you get it up and running.
>>> I am beginning to see how minimal it is!
>> It is deliberately so. The rootfs download is big as it is.
> Minimal is one thing. Safe is another. I can understand ssh not there, kind of. But not iptables.

Minimal takes precedence in this case.

iptables won't make any difference on a minimal image that hasn't got any remotely accessible services listening.

> Except to get additional software, and to apply updates, you TEND to need network access and the scanners are out there. Just my natural paranoia.

They may be able to tell the machine exists, but that won't help them get into it if no services are listening; unless you have a remotely exploitable kernel bug in your IP stack - and in that case iptables and selinux are unlikely to help you.

> I was thinking this after I posted. But then the installer better get the order right in installing stuff.

To some extent, yes, depending on what services they are installing. Some are less of an issue, while others do require the operator to be paying attention (e.g. NFS). I just never assume anything is secured by default.

> I guess because security is my line of work. Granted I design secure communications and identity technology (I co-chaired IPsec, and am the author of HIP), but I do think more broadly of security.
>
>>>>>>> And then I had a thought and no /etc/sysconfig/selinux, meaning no selinux.
>>>>>> Vast majority of ARM machines ship with kernels that don't have SELinux built in.
>>>>> I will have to look into the SunXi kernel that I am using. And see what the F21 has.
>>>> If you are using a kernel built by Fedora/Ubuntu/Debian guys, those probably do include SELinux (or something equivalent and incompatible). I am talking about the kernels that manufacturers ship with their devices (e.g. the ChromeOS kernel on the Chromebooks).
>>> I am working with the F19 remix which I believe was put together by Hans de Goede who has a redhat.com email addr. And it does come with selinux installed.
>> Sure, Anaconda installer puts it in by default. But I'm not using the full "minimal" package set for the rootfs image because it would nearly double it in size. That could be a problem for people who run it from the internal NAND on a machine that only has 500MB of it (e.g. SheevaPlug).
> He is also doing the uboot work for the cubieboards. F21 already has the CubieTruck included, but for my Cubieboard2, he has provided me with the needed commands to pull down from his git repository and build the uboot until he gets it rolled in directly.
>
> Though I am working on the F21 arm testing, it is the F19 that I will use for Redsleeve and of course CentOS 7 for arm.

Yeah, I keep meaning to make enough progress on RedSleeve EL7 build to produce some public playable with packages and a rootfs, but it's hard to find enough hours in a day after all the problems various paying customers bring before me.

> So back to it for now. I have figured out how to use parted to build my card right. Next I need to work out how to tar the f19 files together so I can more easily tar them onto a new card (or drive when I get to that point). The real challenge will be working out the fstab and then the monitor/kydb.
> THEN I will get back to this other stuff.
>
> Thanks.

Gordan
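The claim above that iptables changes little on an image with no remotely accessible services is easy to verify before the board goes on the network. The script below is an added example (not from this thread or the RedSleeve project): it reads `ss -ltnu` output, strips the header, and reports every listening TCP/UDP socket bound to something other than a loopback address. The sample output embedded in it is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example, not part of the thread: find sockets reachable from the network,
# i.e. listening on an address other than loopback. Input is the body of
# `ss -ltnu` (fields: proto state recv-q send-q local-addr:port peer-addr:port).

# Constructed stand-in for `ss -ltnu | tail -n +2`: sshd on all interfaces,
# a resolver and chrony bound to loopback only.
SAMPLE_SS='tcp   LISTEN 0 128   0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 128   [::]:22           [::]:*
tcp   LISTEN 0 5     127.0.0.1:53      0.0.0.0:*
udp   UNCONN 0 0     127.0.0.1:53      0.0.0.0:*
udp   UNCONN 0 0     [::1]:323         [::]:*'

# Print "proto local-addr:port" for each socket not bound to a loopback address.
# Reads ss lines on stdin. Handles "0.0.0.0:22", "[::]:22", "*:22" and "[::1]:323".
remote_listeners() {
    awk '{
        addr = $5
        sub(/:[0-9*]+$/, "", addr)   # drop the port
        gsub(/\[/, "", addr)         # drop IPv6 brackets
        gsub(/\]/, "", addr)
        if (addr != "::1" && addr !~ /^127\./)
            print $1, $5
    }'
}

# Count remotely reachable listeners on stdin; "0" means nothing is exposed.
count_remote_listeners() {
    remote_listeners | wc -l | tr -d ' '
}

# Use the live socket table when ss is installed, otherwise the constructed sample.
if command -v ss >/dev/null 2>&1; then
    ss -ltnu | tail -n +2 | remote_listeners
else
    printf '%s\n' "$SAMPLE_SS" | remote_listeners
fi
```

On the sample this prints the two sshd sockets; a minimal rootfs with nothing installed should print nothing, which is the state the discussion above assumes.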
_______________________________________________
users mailing list
[email protected]
http://lists.redsleeve.org/mailman/listinfo/users