04-01-2008, 01:03 PM
Steve Grubb

Parallel boot and audit

Hi,

Using the LSB headers, how do I express that audit needs to start before just
about everything else? The only things I can think of that could be before
audit are irqbalance, cpuspeed, iptables, ip6tables, netlabel, network, bind
(optional), and syslog. The irqbalance and cpuspeed are questionable, though.

-Steve

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
04-01-2008, 01:18 PM
Harald Hoyer

Parallel boot and audit

Steve Grubb wrote:
> Hi,
>
> Using the LSB headers, how do I express that audit needs to start before just
> about everything else? The only things I can think of that could be before
> audit are irqbalance, cpuspeed, iptables, ip6tables, netlabel, network, bind
> (optional), and syslog. The irqbalance and cpuspeed are questionable, though.
>
> -Steve

The bad thing, you can't specify "run before" in LSB syntax.
Something all other services require and the script provides is needed for that to work.
Yes, it's a known shortcoming and the LSB syntax should be extended.

Someone working with LSB?

 
04-01-2008, 01:45 PM
Steve Grubb

Parallel boot and audit

On Tuesday 01 April 2008 09:18:22 am Harald Hoyer wrote:
> > Using the LSB headers, how do I express that audit needs to start before
> > just about everything else? The only things I can think of that could be
> > before audit are irqbalance, cpuspeed, iptables, ip6tables, netlabel,
> > network, bind (optional), and syslog. The irqbalance and cpuspeed are
> > questionable, though.
> >
> > -Steve
>
> The bad thing, you can't specify "run before" in LSB syntax.

If we are switching in F9, we need this fixed before release.


> Something all other services require and the script provides is needed for
> that to work. Yes, it's a known shortcoming and the LSB syntax should be
> extended.
>
> Someone working with LSB?

If so, have them to ask why audit is not a standard facility like syslog.

-Steve

 
04-01-2008, 02:28 PM
Toshio Kuratomi

Parallel boot and audit

Steve Grubb wrote:
> On Tuesday 01 April 2008 09:18:22 am Harald Hoyer wrote:
> > > Using the LSB headers, how do I express that audit needs to start before
> > > just about everything else? The only things I can think of that could be
> > > before audit are irqbalance, cpuspeed, iptables, ip6tables, netlabel,
> > > network, bind (optional), and syslog. The irqbalance and cpuspeed are
> > > questionable, though.
> > >
> > > -Steve
> >
> > The bad thing, you can't specify "run before" in LSB syntax.
>
> If we are switching in F9, we need this fixed before release.

To my knowledge, we are not switching to LSB headers for F9. You can
add LSB headers to your initscripts but they are optional.


We're moving to upstart with SysVinit compatibility for F9. And at some
point in the future will probably have a push for upstart native start
scripts/configs/whatever.


-Toshio

 
04-01-2008, 02:54 PM
Steve Grubb

Parallel boot and audit

On Tuesday 01 April 2008 10:28:23 am Toshio Kuratomi wrote:
> Steve Grubb wrote:
> > On Tuesday 01 April 2008 09:18:22 am Harald Hoyer wrote:
> >>> Using the LSB headers, how do I express that audit needs to start
> >>> before just about everything else? The only things I can think of that
> >>> could be before audit are irqbalance, cpuspeed, iptables, ip6tables,
> >>> netlabel, network, bind (optional), and syslog. The irqbalance and
> >>> cpuspeed are questionable, though.
> >>>
> >>> -Steve
> >>
> >> The bad thing, you can't specify "run before" in LSB syntax.
> >
> > If we are switching in F9, we need this fixed before release.
>
> To my knowledge, we are not switching to LSB headers for F9. You can
> add LSB headers to your initscripts but they are optional.

That's not the way a bugzilla was filed against audit:

https://bugzilla.redhat.com/show_bug.cgi?id=246872

which blocks 246824. If we change our minds about this, it would be nice if
the filer of the bug writes something on the bz saying the need was
overstated or delayed.

Meanwhile, everyone playing with parallel boot will probably be missing AVCs
in the audit logs, or if they are using audit will have a lot of processes
unauditable. If GDM or another login daemon runs before audit, the user's
login uid in the kernel's task struct will not be set when they log in. This
also means there won't be a login session task attribute set that identifies
which login any process is associated to. IOW, there is a lot of security
tracking that goes wrong.


> We're moving to upstart with SysVinit compatibility for F9. And at some
> point in the future will probably have a push for upstart native start
> scripts/configs/whatever.

Does it allow one to say I need this to start at a specific point in time
without modifying all initscripts?

-Steve

 
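The symptom described in the message above (a login that happens before audit is running leaves the login uid unset) can be checked on a booted system through `/proc/<pid>/loginuid`. The script below is an added example, not part of the thread; the function name and the uid threshold of 500 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find user-owned processes whose audit
# loginuid was never set. The uid threshold is an assumption.

UNSET_LOGINUID=4294967295   # (uid_t)-1: the kernel's "never set" loginuid

# untracked_user_procs [PROC_ROOT] [UID_MIN]
# Prints "pid uid name" for each process that runs as an ordinary user
# (real uid >= UID_MIN) but has no loginuid, so the audit trail cannot tie
# it back to a login. System daemons with an unset loginuid are expected
# and are skipped.
untracked_user_procs() {
    root=${1:-/proc}
    uid_min=${2:-500}       # assumed first non-system uid; adjust per distro
    for dir in "$root"/[0-9]*; do
        # Processes can exit while we scan; skip anything unreadable.
        [ -r "$dir/loginuid" ] && [ -r "$dir/status" ] || continue
        luid=$(cat "$dir/loginuid" 2>/dev/null) || continue
        [ "$luid" = "$UNSET_LOGINUID" ] || continue
        # The "Uid:" line of status holds: real effective saved fs
        ruid=$(awk '$1 == "Uid:" { print $2; exit }' "$dir/status" 2>/dev/null) || continue
        name=$(awk '$1 == "Name:" { print $2; exit }' "$dir/status" 2>/dev/null) || continue
        case $ruid in ''|*[!0-9]*) continue ;; esac
        [ "$ruid" -ge "$uid_min" ] || continue
        printf '%s %s %s\n' "${dir##*/}" "$ruid" "$name"
    done
    return 0
}
```

Source the file and run `untracked_user_procs` as root once the desktop is up; any line of output is a user process that audit cannot attribute to a login.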
04-01-2008, 03:49 PM
Bill Nottingham

Parallel boot and audit

Steve Grubb (sgrubb@redhat.com) said:
> > The bad thing, you can't specify "run before" in LSB syntax.
>
> If we are switching in F9, we need this fixed before release.

Huh? What do you mean by 'switching'?

The LSB init script standard is not worth saving.

Bill

 
04-01-2008, 04:09 PM
"Jonathan Underwood"

Parallel boot and audit

On 01/04/2008, Bill Nottingham <notting@redhat.com> wrote:
> Steve Grubb (sgrubb@redhat.com) said:
> > > The bad thing, you can't specify "run before" in LSB syntax.
> >
> > If we are switching in F9, we need this fixed before release.
>
>
> Huh? What do you mean by 'switching'?
>
> The LSB init script standard is not worth saving.
>
>

Might be simplest for Harald to just close these bugs:
https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=MODIFIED&bug_status=NEEDINFO&bug_status=REOPENED&bug_status=ON_DEV&bug_status=ON_QA&bug_status=FAILS_QA&bug_status=POST&bug_status=RELEASE_PENDING&field0-0-0=product&type0-0-0=substring&value0-0-0=Initscript&field0-0-1=component&type0-0-1=substring&value0-0-1=Initscript&field0-0-2=short_desc&type0-0-2=substring&value0-0-2=Initscript&field0-0-3=status_whiteboard&type0-0-3=substring&value0-0-3=Initscript&field1-0-0=product&type1-0-0=substring&value1-0-0=Review&field1-0-1=component&type1-0-1=substring&value1-0-1=Review&field1-0-2=short_desc&type1-0-2=substring&value1-0-2=Review&field1-0-3=status_whiteboard&type1-0-3=substring&value1-0-3=Review

 
04-01-2008, 04:43 PM
Bill Nottingham

Parallel boot and audit

Bill Nottingham (notting@redhat.com) said:
> Steve Grubb (sgrubb@redhat.com) said:
> > > The bad thing, you can't specify "run before" in LSB syntax.
> >
> > If we are switching in F9, we need this fixed before release.
>
> Huh? What do you mean by 'switching'?
>
> The LSB init script standard is not worth saving.

To elaborate:

If you want to start at a specific numerical priority, either
don't include a LSB section, or don't include dependencies. Otherwise,
your priority may be adjusted based on the dependencies you specify.
(Note: doing so does require that you pick your priority carefully.)

As to the issues with the LSB standard:
- defines Should-XXX ... which apps can't rely on working
- doesn't actually define the interactions of missing Default-Start/Stop
- defines Default-Start/Stop in terms of specific runlevel numbers, and
  then promptly says 'Applications may not depend on specific run-level
  numbers.'
- splits filesystems into $remote_fs and $local_fs, when realistically,
  apps care about their particular directories being present, not whether
  or not it's remote or local
- defines $named as 'name resolution is available', which can be satisfied
  in about six different ways, many of which are configured completely
  outside of init scripts (hey, you want your init script parser to
  parse and understand nsswitch.conf, and to see if you're using ldap
  for hosts? and talk to the ldap server to see if it's available?)
- defines $network as "basic networking support is available. Example: a
  server program could listen on a socket." Well, then, I suppose that's
  always available, unless you screw up your kernel configuration. Of
  course, none of the things that 'depend' on $network treat it in
  that manner.
- apps may have dependencies depending on how they are configured. For
  example, a system logger may have a network dependency if it's configured
  for network logging. But there's no way to specify "I need this dependency
  only if I'm configured this way", at least, not without forcing the
  administrator to edit the script header.

It's a bad spec, and the way that it's done I don't really see how it's
fixable.

Bill

 
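When audit is pinned to a numeric priority as the message above suggests, the resulting order can be verified from the runlevel directory. The script below is an added example, not part of the thread: it lists services that start ahead of auditd and are not among those Steve Grubb's first message accepts before audit. The function name, the `auditd` script name and the init script names in the list ("named" for bind) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Under plain numeric SysV ordering, rc
# runs the S* links of a runlevel in sorted order, so everything that sorts
# ahead of the auditd link starts without audit running.

# Services the first message of the thread accepts ahead of audit. The init
# script names are assumptions ("named" for bind); adjust to the local system.
MAY_PRECEDE_AUDIT="irqbalance cpuspeed iptables ip6tables netlabel network named syslog"

# early_starters RC_DIR [AUDIT_SCRIPT]
# Prints "<priority> <name>" for each service that starts before auditd and
# is not on the list above. Returns 0 if there are none, 1 if there are some,
# 2 if the runlevel has no auditd start link (every printed service then runs
# unaudited).
early_starters() (
    # Subshell body: the locale change and the variables stay local.
    LC_ALL=C; export LC_ALL        # byte-wise glob order, same on any system
    rc_dir=$1
    audit=${2:-auditd}
    status=0
    for link in "$rc_dir"/S[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # unmatched glob
        base=${link##*/}
        name=${base#S[0-9][0-9]}
        [ "$name" = "$audit" ] && exit "$status"       # reached auditd: done
        case " $MAY_PRECEDE_AUDIT " in
            *" $name "*) ;;                            # allowed to run first
            *)  prio=${base#S}
                prio=${prio%"$name"}
                printf '%s %s\n' "$prio" "$name"
                status=1 ;;
        esac
    done
    exit 2                                             # no auditd start link
)
```

For example, `early_starters /etc/rc5.d` checks the graphical runlevel, where a display manager link that sorts ahead of auditd would be reported.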
04-01-2008, 07:05 PM
Harald Hoyer

Parallel boot and audit

Bill Nottingham wrote:
> It's a bad spec, and the way that it's done I don't really see how it's
> fixable.
>
> Bill



Work with the Linux Foundation on a new/revised sane LSB spec?

http://www.linux-foundation.org/snapshots/booksets/LSB-Core-generic/LSB-Core-generic.html#INITSCRCOMCONV

We could also define custom keywords, add custom boot_facility names in the meantime, etc…

 
04-01-2008, 07:08 PM
Harald Hoyer

Parallel boot and audit

Steve Grubb wrote:
> On Tuesday 01 April 2008 09:18:22 am Harald Hoyer wrote:
> > > Using the LSB headers, how do I express that audit needs to start before
> > > just about everything else? The only things I can think of that could be
> > > before audit are irqbalance, cpuspeed, iptables, ip6tables, netlabel,
> > > network, bind (optional), and syslog. The irqbalance and cpuspeed are
> > > questionable, though.
> > >
> > > -Steve
> >
> > The bad thing, you can't specify "run before" in LSB syntax.
>
> If we are switching in F9, we need this fixed before release.
>
> > Something all other services require and the script provides is needed for
> > that to work. Yes, it's a known shortcoming and the LSB syntax should be
> > extended.
> >
> > Someone working with LSB?
>
> If so, have them to ask why audit is not a standard facility like syslog.
>
> -Steve



http://www.linux-foundation.org/en/FAQ#How_do_I_get_involved_with_the_Linux_Foundation.3F
