domg472 g472 wrote:
> 2009/1/9 Michael DeHaan mdehaan@redhat.com:
>> Just thinking about things offhand, cobbler needs to be able to read and write to Apache and tftp-server content, read and write to /var/lib/cobbler and /var/log/cobbler, and read /etc/cobbler.
>
> /var/lib/cobbler, /etc/cobbler and /var/log/cobbler are for a large part taken care of. There is also an apache_content_template for the cobbler web app, but that needs testing and more work.

Yeah, there is some mod_python stuff in there; we can run the test code next week and look for denial info.

> tftp-server content may or may not prove to be a bigger issue. Again, this also needs testing before we can even start thinking about a solution.

Cobbler recommends setting /tftpboot to public_content_t with a semanage rule right now so we can hardlink content that is also in /var/www and elsewhere. (Without public_content_t this must be copied.) With those restrictions that may not be a problem.

> AVC denials are the best feedback I can hope for.
>
> Things that I would like to know are:
>
> - I noticed Cobbler wants to bind tcp and udp sockets to ports. What are the port numbers, and what is the proper (tcpd) name for ports that cobbler owns (what name works with tcp wrappers, for example)?

ldd /usr/bin/python doesn't show any libwrap linked in, so AFAIK it's not used.

Default ports:

25150 -- udp syslog listener (going away in the next release)
25151 -- tcp (XMLRPC port)
25152 -- tcp (XMLRPC read-write-api port)

> - I noticed that Cobbler wants to search /tmp. What is it looking for? Does Cobbler own any content in /tmp?

The "make test" code should use /tmp. The regular usage of cobblerd should not.

Verification: grep "/tmp" *.py

If it does, that's pretty odd.

> - How does Cobbler interact with RPM? I noticed that cobbler wants to execute and interact with files owned by RPM. Is RPM optional or required?

Required. It's using "rpm -q --whatprovides redhat-release" for distribution checks in a few places.

This should be the only place it calls RPM.

> - I assume DBUS is optional (Cobbler would also work on a system without DBUS running?)

Yes. I don't explicitly use dbus anywhere. I'm guessing the avahi package (if installed) might use dbus, and cobbler will try to use Avahi if installed.

> That is all that I can think of for now.
>
> Dominick
Very cool, thanks for all the help and input -- I'll see if we can get this tested sometime next week. Trying to get a release out today.
Much appreciated!
--Michael
cobbler@lists.fedorahosted.org
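The thread turns on collecting AVC denials from a cobblerd run and sorting them into things that need an allow rule (the /tmp search, the rpm execution, the tftp/Apache content) versus things that need a label change (the XMLRPC ports, which a confined domain should bind under its own port type rather than the generic port_t). The script below is an added example and not code from the thread or from Cobbler's or the refpolicy's own tooling: it parses audit-log lines, groups denials by source domain, target type and object class, pulls out the ports a name_bind denial was raised on, and drafts policy lines from the result. The audit lines are constructed for the example, and the types cobblerd_t and cobblerd_port_t are assumptions about the policy Dominick is writing, not names taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the thread). The domain
# cobblerd_t and the port numbers mirror the discussion; cobblerd_t and
# cobblerd_port_t are assumed names for the policy under development.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1231543210.101:201): avc:  denied  { name_bind } for  pid=2001 comm="cobblerd" src=25151 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231543210.102:202): avc:  denied  { name_bind } for  pid=2001 comm="cobblerd" src=25152 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1231543210.103:203): avc:  denied  { search } for  pid=2001 comm="cobblerd" name="tmp" dev=sda1 ino=12 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1231543210.104:204): avc:  denied  { read write } for  pid=2001 comm="cobblerd" name="tftpboot" dev=sda1 ino=99 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
type=AVC msg=audit(1231543210.105:205): avc:  denied  { execute } for  pid=2002 comm="cobblerd" name="rpm" dev=sda1 ino=77 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1231543210.105:205): arch=c000003e syscall=59 success=no exit=-13
"""

# Matches the parts of an AVC record that policy work needs: the denied
# permission set, the process name, and the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r'comm="(?P<comm>[^"]*)".*?'
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def extract_type(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": m.group("comm"),
        "sdomain": extract_type(m.group("scontext")),
        "ttype": extract_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }
    # name_bind denials carry the local port in src=; other denials do not.
    port = re.search(r"\bsrc=(\d+)", line)
    rec["port"] = int(port.group(1)) if port else None
    return rec


def summarize_denials(log_text, comm=None):
    """Group denied permissions by (source domain, target type, class),
    optionally restricted to one process name such as "cobblerd"."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec["comm"] != comm):
            continue
        summary[(rec["sdomain"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(summary)


def bound_ports(log_text, comm=None):
    """Sorted list of ports the process was denied binding to."""
    ports = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["port"] and "name_bind" in rec["perms"]:
            if comm is None or rec["comm"] == comm:
                ports.add(rec["port"])
    return sorted(ports)


def draft_policy_lines(summary, port_type="cobblerd_port_t"):
    """Turn the summary into draft allow rules. A name_bind denial against the
    generic port_t is flagged for relabelling instead of being allowed outright:
    allowing port_t would let the domain bind any unreserved port."""
    lines = []
    for (sdomain, ttype, tclass), perms in sorted(summary.items()):
        if ttype == "port_t" and "name_bind" in perms:
            lines.append(
                f"# {sdomain} bound an unlabelled port: label the port(s) {port_type}"
                f" (semanage port) and allow {sdomain} {port_type}:{tclass} name_bind"
            )
        else:
            lines.append(f"allow {sdomain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG, comm="cobblerd")
    print("ports needing a label:", bound_ports(SAMPLE_AUDIT_LOG, comm="cobblerd"))
    for line in draft_policy_lines(summary):
        print(line)
```

On a real box the input would come from the audit log after running the test suite in permissive mode (for example the output of ausearch -m avc -c cobblerd), and the drafted lines are a starting point for review, not something to load as-is: the point of the thread is to decide per denial whether cobblerd really needs the access (the /tmp search is expected only from "make test", per Michael) or whether the file or port should carry a different label.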