ntp.... was Re: Fresh rawhide install / AVC messages

Tom Mitchell mitch48 at yahoo.com
Fri Mar 12 00:03:04 UTC 2004


On Thu, Mar 11, 2004 at 11:50:18AM -0500, Steven Bonneville wrote:
> Tom Mitchell <mitch48 at yahoo.com> wrote:
>
> > I might trust my dhcp server to give me an IP address but do I also
> > want it to set the time of day.  Then what else do I trust it to do?
> > How do I manage the list of things that dhcp might update?
> >
> > For example if I have a well crafted /etc/ntp.conf file will that file
> > be lost if I move to a different DHCP served net.
>
> I don't have FC2t1 handy at the moment, but on RHEL 3 I believe that you can 
> set the following options in /etc/sysconfig/network-scripts/ifcfg-* files:
>
>    PEERDNS=no   (/etc/resolv.conf)
>    PEERNTP=no   (/etc/ntp.conf, /etc/ntp/step-tickers)
>    PEERNIS=no   (/etc/yp.conf)
>
> If set to no, then those files won't get modified even if appropriate
> DHCP options are sent.  See /sbin/dhclient-script for details.

I missed the PEER*=no flags when I first glanced at the script.

This looks like the correct place to manage the long list of
DHCP-able config items.

This permits a default "policy" configuration for the expected common
situation of a responsible ISP or IT department.  Individual DHCP
decisions can be made and set without the complexity of editing
policy.  -- Cool --

My concern was the cyber cafe or hotel that a traveling businessman
encounters.  There have already been rumors of bad boys snooping bits
and doing naughty things in the cyber cafes.  DHCP smelled like a
potential problem where time of day, DNS, SMTP and a list of other
"important" administrative decisions could be silently co-opted.

Since all these issues exist regardless of SELinux, the common and correct
place to address this is via /sbin/dhclient-script and the associated
config tools. -- Excellent --



-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.
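The PEER*=no policy that Steven describes and Tom adopts above can be tried out without touching a live system. The shell script below is an added example; it is not /sbin/dhclient-script or any other code from this thread. It models only the gating decision (load the interface's ifcfg-* file, then skip whichever DHCP-supplied DNS, NTP or NIS settings that file vetoes) against a constructed lease and three constructed ifcfg-eth0 variants, and it writes into a scratch directory instead of /etc. The new_* variable names follow the form in which dhclient hands lease values to its script; the file formats it writes are simplified assumptions, not the real script's output.

```shell
#!/bin/sh
# Added example: a simplified model of the PEERDNS/PEERNTP/PEERNIS gating
# that /sbin/dhclient-script applies to DHCP-supplied settings.  Not the real
# script.  Everything is written under a scratch directory, never under /etc.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed lease, using the new_* names dhclient exports to its script.
new_domain_name="example.net"
new_domain_name_servers="192.0.2.53 192.0.2.54"
new_ntp_servers="192.0.2.123"
new_nis_domain="exampledom"
new_nis_servers="192.0.2.99"

# make_ifcfg <path> [KEY=value ...]: write a minimal DHCP ifcfg-eth0 plus any
# policy lines the caller adds (e.g. PEERDNS=no).
make_ifcfg() {
    path=$1; shift
    {
        echo "DEVICE=eth0"; echo "BOOTPROTO=dhcp"; echo "ONBOOT=yes"
        for line in "$@"; do echo "$line"; done
    } > "$path"
}

# apply_lease <ifcfg-file> <etc-dir>: read the interface policy, then write
# only the lease-derived files that policy does not veto.  <etc-dir> stands in
# for /etc.  Prints the names of the files it rewrote, space-separated.
apply_lease() {
    ifcfg=$1; etc=$2
    mkdir -p "$etc/ntp"
    PEERDNS=; PEERNTP=; PEERNIS=        # unset means "accept", as in sysconfig
    . "$ifcfg"                          # load PEER* policy for this interface
    touched=""
    if [ "$PEERDNS" != "no" ] && [ -n "$new_domain_name_servers" ]; then
        {
            echo "search $new_domain_name"
            for ns in $new_domain_name_servers; do echo "nameserver $ns"; done
        } > "$etc/resolv.conf"
        touched="$touched resolv.conf"
    fi
    if [ "$PEERNTP" != "no" ] && [ -n "$new_ntp_servers" ]; then
        # Simplified stand-in for the step-tickers / ntp.conf update.
        printf '%s\n' $new_ntp_servers > "$etc/ntp/step-tickers"
        touched="$touched step-tickers"
    fi
    if [ "$PEERNIS" != "no" ] && [ -n "$new_nis_domain" ]; then
        {
            echo "domain $new_nis_domain"
            for s in $new_nis_servers; do echo "ypserver $s"; done
        } > "$etc/yp.conf"
        touched="$touched yp.conf"
    fi
    echo "${touched# }"
}

# Three constructed policies for the same interface.
make_ifcfg "$WORK/ifcfg-trusted"                                  # ISP/IT default: accept all
make_ifcfg "$WORK/ifcfg-locked"  PEERDNS=no PEERNTP=no PEERNIS=no # cyber-cafe profile
make_ifcfg "$WORK/ifcfg-dnsonly" PEERNTP=no PEERNIS=no            # take DNS, keep own ntp/yp

for p in trusted locked dnsonly; do
    echo "$p: rewrote [$(apply_lease "$WORK/ifcfg-$p" "$WORK/etc-$p")]"
done
```

Run it with sh: the trusted profile rewrites all three files, the locked profile none, and the DNS-only profile just resolv.conf, which is the per-decision control the message is after. On a real RHEL-style system the same effect comes from putting the PEER*=no lines into /etc/sysconfig/network-scripts/ifcfg-eth0 and letting the stock dhclient-script read them.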