On Thu, Dec 12, 2013 at 03:18:31PM +0100, Vitaly Kuznetsov wrote:
> ami-3b361952 : us-east-1 image for i386
> ami-1337187a : us-east-1 image for x86_64
> Compared to TC5 images:
> 1) iptables-services package is missing in RC1
This is intentional and by popular demand -- in an IaaS environment, the
cloud provider's security groups or equivalent concept provides the
firewall. If one wants defense-in-depth it's easy to install
iptables-services or firewalld with cloud-init.
> 2) SELinux contexts. It gets better :-)
> In TC5 if you remember we had:
> # restorecon -R -v -n -e /proc -e /sys -e /tmp -e /run -e /dev /
> restorecon reset /boot/extlinux/ldlinux.sys context
> system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
> restorecon reset /var/cache/yum context
> system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
> restorecon reset /var/log/boot.log context
> system_u:object_r:var_log_t:s0->system_u:object_r:plymouthd_var_log_t:s0
> restorecon reset /var/log/cron context
> system_u:object_r:var_log_t:s0->system_u:object_r:cron_log_t:s0
I'm pre-creating the two log files, so they end up right.
> In RC1 we have only these:
> # restorecon -R -v -n -e /proc -e /sys -e /tmp -e /run -e /dev /
> restorecon reset /var/cache/yum context
> system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
> restorecon reset /boot/extlinux/ldlinux.sys context
> system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
I tried to be clever with changing ldlinux.sys from immutable and back again
but apparently that doesn't do it. (Since this isn't ever actually run on
the system, only _before_ the system, and not on EC2 at all, the
side-effects of a wrong context should be small.)
I'm more concerned about /var/cache/yum, since that is already precreated
and should already be right.
--
Matthew Miller -- Fedora Project Architect -- <mattdm(a)fedoraproject.org>
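
The TC5-to-RC1 comparison in this thread can be automated as an image QA check. The following is an added example, not part of the original mail or of any Fedora tooling: it parses the `restorecon -n -v` dry-run format shown above and reports which mislabelled paths were fixed, which remain, and which are still `file_t` (the type of a file with no SELinux label of its own). The function names are hypothetical, and paths are assumed to contain no whitespace.

```python
import re

# Line format as it appears in the mail: "restorecon reset PATH context OLD->NEW".
# Assumption: paths contain no whitespace.
RELABEL = re.compile(r"restorecon reset (\S+) context (\S+?)->(\S+)")

def parse_dry_run(text):
    """Map each path restorecon would relabel to (current_type, expected_type)."""
    joined = " ".join(text.split())  # undo line wrapping between path and contexts
    return {path: (old.split(":")[2], new.split(":")[2])
            for path, old, new in RELABEL.findall(joined)}

def compare(before, after):
    """Classify mislabelled paths between two image builds."""
    return {"fixed": sorted(set(before) - set(after)),
            "remaining": sorted(set(before) & set(after)),
            "new": sorted(set(after) - set(before))}

def unlabeled(report):
    """Paths whose current type is file_t, i.e. files that carry no label."""
    return sorted(p for p, (cur, _) in report.items() if cur == "file_t")

# Dry-run output copied from the mail above (TC5 first, then RC1).
TC5 = """
restorecon reset /boot/extlinux/ldlinux.sys context
system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
restorecon reset /var/cache/yum context
system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
restorecon reset /var/log/boot.log context
system_u:object_r:var_log_t:s0->system_u:object_r:plymouthd_var_log_t:s0
restorecon reset /var/log/cron context
system_u:object_r:var_log_t:s0->system_u:object_r:cron_log_t:s0
"""
RC1 = """
restorecon reset /var/cache/yum context
system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
restorecon reset /boot/extlinux/ldlinux.sys context
system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
"""

if __name__ == "__main__":
    tc5, rc1 = parse_dry_run(TC5), parse_dry_run(RC1)
    for status, paths in compare(tc5, rc1).items():
        print(f"{status}: {paths}")
    print("still unlabeled in RC1:", unlabeled(rc1))
```

A build pipeline could fail the image when `remaining` or `new` is non-empty, treating any `file_t` path as the more serious case.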