On 20/09/15 09:41, Jacco Ligthart wrote:
Here is my first iteration of a package list for core.
I started with core from upstream, but removed:
biosdevname
btrfs-progs
firewalld
iprutils
irqbalance
kexec-tools
policycoreutils
selinux-policy-targeted
tuned
xfsprogs
aic94xx-firmware
bfa-firmware
dracut-config-rescue
ivtv-firmware
iwl100-firmware
iwl1000-firmware
iwl105-firmware
iwl135-firmware
iwl2000-firmware
iwl2030-firmware
iwl3160-firmware
iwl3945-firmware
iwl4965-firmware
iwl5000-firmware
iwl5150-firmware
iwl6000-firmware
iwl6000g2a-firmware
iwl6000g2b-firmware
iwl6050-firmware
iwl7260-firmware
kernel-tools
libertas-sd8686-firmware
libertas-sd8787-firmware
libertas-usb8388-firmware
linux-firmware
microcode_ctl
NetworkManager-team
ql2100-firmware
ql2200-firmware
ql23xx-firmware
rdma
dracut-config-generic
dracut-fips
dracut-fips-aesni
dracut-network
openssh-keycat
selinux-policy-mls
tboot
(note: I wanted all firmware stuff to be board specific, therefore they
are excluded from core)

I'd keep firewalld and selinux related packages.

I excluded firewalld on purpose. If you install it, without extra
configuration, it will block incoming SSH. This will be very
inconvenient for headless installs.

Fair point, but I thought ssh port is open by default.

Is there a reason you ask for the selinux stuff? I have it not installed
on any of my systems, never missed it, none of my kernels support it,
and you can always add it as extra packages in a rbf template if we do
find a kernel that supports it.

I always have it enabled when I am running a kernel that supports it. It
has saved my backside a number of times from 0-day exploits. If we have
kernel source packages that build cleanly, then we should have SELinux
enabled in those. Of course, we often don't have properly working kernel
sources, so the point you make is valid.
Gordan