Red Hat Bugzilla – Bug 523709
do not force install system-config-firewall-tui
Last modified: 2010-03-19 16:41:24 EDT
Description of problem:
For the purpose of installing a minimal system, we want to reduce the number of packages and their dependencies. Please give a look at:
Anaconda in F12-Alpha forces the install of system-config-firewall-tui. We are not very happy with that because it increases disk usage and the number of SUID binaries (because of dependencies). This problem is only in F12, I have not seen it in F11!!!
Can you please check if we really need system-config-firewall-tui!!!
install core group
see that system-config-firewall-tui is installed
do not install system-config-firewall-tui & dependencies
system-config-firewall-tui is required to install lokkit, which is required for anaconda to set up the firewall config on the installed system.
Thanks for the explanation, Chris. It's also clear to me that anaconda guidelines say that standard tools should be used whenever possible.
But I'm still curious why system-config-firewall-tui is NOT installed on F11 (minimal install). What caused this change? I have looked into the code and I can see the same thing in both F11 & F12:
# anaconda requires several programs on the installed system to complete
# installation, but we have no guarantees that some of these will be
# installed (they could have been removed in kickstart). So we'll force
for pkg in ['authconfig', 'chkconfig', 'mkinitrd', 'system-config-firewall-tui']:
I think the ideal solution would be if all system-config-* tools provided a library interface. Do you know if there is any effort for this?
Do you realize that installing s-c-firewall-tui requires s-c-network-tui which requires dbus-python which requires dbus-libs which requires dbus ... Altogether, this drags in about 23 Mb of packages to the minimal install.
Would it be possible to uninstall all these packages if s-c-firewall-tui has not been asked for?
No, lokkit is required on the installed system so that anaconda can chroot over and run it. We need to do that so there's any iptables configuration at all when the system is initially booted. It's not a matter of the user asking for it to be installed or not. If you really want to have fewer things to audit, you could get lokkit broken out into its own subpackage and then anaconda would only need to require that.
Anyway, dbus is a critical component of a Fedora system these days. More and more system components are requiring it and it's listed as a critical path package. So, you really can't help but have it and any security auditing you're doing needs to take this into consideration. Keep in mind that NetworkManager is the preferred method of configuring the network these days and it requires dbus.
(In reply to comment #4)
> No, lokkit is required on the installed system so that anaconda can chroot over
> and run it. We need to do that so there's any iptables configuration at all
> when the system is initially booted. It's not a matter of the user asking for
> it to be installed or not. If you really want to have fewer things to audit,
> you could get lokkit broken out into its own subpackage and then anaconda would
> only need to require that.
system-config-firewall-base, which provides lokkit, is available now. Can you use it in anaconda, please?
Now if this needs to be in F-12 and RHEL-6 as well, we're going to need the new system-config-firewall-base package put into that tree before the anaconda part can be committed on those branches. Right now, it's only on head.