#193 Integrate rpm-chksec during the review
Closed: Fixed None Opened 11 years ago by misc.

We have a policy regarding long-running daemons to use PIE and RELRO ( see https://fedorahosted.org/fesco/ticket/563 ). There is a tool called rpm-chksec ( http://people.redhat.com/sgrubb/files/rpm-chksec ) to check the package for compliance.

Would it be beneficial to plug that tool into fedora-review?
( another place would be autoqa )


My first impression is yes, adding these tests for services would definitely add value to f-r.

The first obstacle is that this tool seems to be using the /etc/init.d/* files, which are obsoleted by systemd. This must be fixed for the script to be usable.

Besides this, running the tool as a plugin should be doable. The basic problem here is the is_applicable() condition - how to know whether the package is a long-running daemon or not. Is it possible to make conclusions from the systemd setup in a consistent way? Personally I doubt it.

The manual way would be to register a new flag called "server", "service" or something similar and make that trigger the use of this test. Perhaps also issue a warning when there is a "suspected" systemd configuration without the flag defined.

Or to just have the plugin separately, with instructions on how to use it. Although it seems like a worse alternative, it might be a valuable evaluation step.

But the first question is whether upstream is willing to update the script to use the systemd config, IMHO.

To be fair, I am not a huge fan of bash. So I started to integrate other security checking tools directly into rpmlint in Python, and this one was the next one. I think it would be better to rewrite the tool in Python and do the port to systemd ourselves.

One advantage of systemd is that unit files are easy to parse ( modulo the .include mechanism ), so we could just:
- see whether there is a unit file
- check that it is not "oneshot"
- inspect the daemon ( provided it is not a shell script )
- check for relro/pie

Or we could also decide to just show a line "[ ] check if daemon follows the policy regarding compilation flags for long running daemons" if we detect a systemd file, since that's an easy low-risk step; the detection can be done later :p

( and in fact, the detection should/could be done in rpmlint, for existing packages )
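As an added illustration of the unit-file driven check sketched above (example code written for this page, not code from this ticket, rpm-chksec or rpmlint): it parses the [Service] section, skips oneshot units, and reads PIE and RELRO status straight from the ELF program headers of the daemon binary. The unit text and the header-only ELF image are constructed stand-ins; a real plugin would locate the ExecStart binary inside the unpacked RPM.

```python
import struct
ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552  # elf.h values; little-endian ELF64 layout assumed
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 24, 30, 0x6FFFFFFB, 0x8, 0x1
SAMPLE_UNIT = "[Unit]\nDescription=constructed demo daemon\n\n[Service]\nType=forking\nExecStart=/usr/sbin/demod\n"

def service_section(unit_text):
    """[Service] keys of a unit file as a dict; .include and drop-in directories are not followed."""
    section, svc = None, {}
    for line in (raw.strip() for raw in unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, val = line.split("=", 1)
            svc[key.strip()] = val.strip()
    return svc

def elf_hardening(data):
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} read from the program headers."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("expected a little-endian ELF64 image")
    e_type, phoff, phentsize, phnum = struct.unpack_from("<H14xQ14xHH", data, 16)
    relro = bind_now = False
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        relro |= p_type == PT_GNU_RELRO
        if p_type == PT_DYNAMIC:  # full RELRO also needs BIND_NOW: GOT resolved eagerly, then made read-only
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                bind_now |= bool(tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW))
    return {"pie": e_type == ET_DYN, "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def review_daemon(unit_text, elf_data):
    """A long-running service (Type= defaults to simple; oneshot is not a daemon) must be PIE with full RELRO."""
    svc = service_section(unit_text)
    if "ExecStart" not in svc or svc.get("Type", "simple") == "oneshot":
        return {"applicable": False, "findings": []}
    h = elf_hardening(elf_data)
    findings = ([] if h["pie"] else ["not PIE"]) + ([] if h["relro"] == "full" else ["RELRO: " + h["relro"]])
    return {"applicable": True, "findings": findings}

def build_sample_elf(pie=True, relro=True, bind_now=True):
    """Constructed header-only ELF64 image (not executable) standing in for the packaged daemon binary."""
    dyn = (struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b"") + struct.pack("<qQ", 0, 0)  # DT_NULL ends it
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)  # dynamic entries follow the ELF header and the program headers
    ehdr = struct.pack("<4sBBB9xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1,
                       ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                                 len(dyn) if t == PT_DYNAMIC else 0, 0, 8) for t in types)
    return ehdr + phdrs + dyn
```

Against a real package, `readelf -l` on the ExecStart binary shows the same PT_GNU_RELRO entry and `readelf -d` the BIND_NOW flag that this check reads.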

Replying to [comment:3 misc]:

Or we could also decide to just show a line "[ ] check if daemon follows the policy regarding compilation flags for long running daemons" if we detect a systemd file, since that's an easy low-risk step; the detection can be done later :p

+1

There is also already a manual test "Package has systemd files if required" which would be affected if we probe for systemd configuration.

Discussed with misc and sochotni over IRC. Conclusions:
- For f-r, implement just a manual check.
- Automated checks based on script should if possible be integrated into rpmlint.
