On Wed, Jul 18, 2012 at 10:00:49AM +0200, Bastian Blank wrote:
> On Tue, Jul 17, 2012 at 09:31:44AM -0700, Ben Pfaff wrote:
> > On Tue, Jul 17, 2012 at 03:20:40PM +0200, Bastian Blank wrote:
> > > openvswitch uses a db called /etc/openvswitch/conf.db. This file is
> > > programmatically modified and not user editable. This violates §10.7 of the
> > > policy.
> > Can you be more specific?  10.7.1 defines a configuration file as:
> > 
> >     A file that affects the operation of a program, or provides site-
> >     or host-specific information, or otherwise customizes the behavior
> >     of a program.  Typically, configuration files are intended to be
> >     modified by the system administrator (if needed or desired) to
> >     conform to local policy or to provide more useful site-specific
> >     behavior.
> 
> This lacks the reference to FHS, which is a normative part of the
> policy:
> 
> | The /etc hierarchy contains configuration files. A "configuration file"
> | is a local file used to control the operation of a program; it must be
> | static and cannot be an executable binary.
> 
> > /etc/openvswitch/conf.db fits that description.  The first sentence is
> > obviously true.
> 
> No. It is no configuration file if it is not static.

The FHS defines "static" as:

    "Static" files include binaries, libraries, documentation files and
    other files that do not change without system administrator
    intervention.  "Variable" files are files that are not static.

The system administrator runs ovs-vsctl to change
/etc/openvswitch/conf.db.

> >                  The second is also true, since the system
> > administrator does modify the file.
> 
> How does modifying this file with an editor work? 

It's somewhat challenging, because you have to calculate a sha1sum with
the sha1sum program, and the format isn't really intended for direct
human editing.  But, as I said before (you dropped the quote), I do not
see anything in 10.7 that says that the administrator must be able to
edit a configuration file with a text editor.

> How does it survive read-only /etc?

If you have read-only /etc, then you can't modify your configuration, in
the same way you can't modify other parts of your configuration.
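What "calculate a sha1sum" means in practice, as an added example that is not from this thread or from Open vSwitch itself: it assumes conf.db frames each JSON record with an `OVSDB JSON <length> <sha1>` header line, which is why a change made with a text editor invalidates the record unless that header is recomputed.

```python
import hashlib
import json

# Assumption about the conf.db framing (the thread only says a sha1sum is
# needed): each record is one JSON text preceded by a header line
#   OVSDB JSON <length of the JSON text in bytes> <SHA-1 of that text, hex>
MAGIC = "OVSDB JSON"


def frame_record(record: dict) -> str:
    """Serialise one record with the header a manual edit would have to recompute."""
    body = json.dumps(record, separators=(",", ":"))
    data = body.encode("utf-8")
    return f"{MAGIC} {len(data)} {hashlib.sha1(data).hexdigest()}\n{body}\n"


def verify_record(text: str) -> bool:
    """Return True only if the header's length and SHA-1 match the record body."""
    header, sep, rest = text.partition("\n")
    if not sep:
        return False
    body = rest.rstrip("\n")
    parts = header.rsplit(" ", 2)  # MAGIC itself contains a space
    if len(parts) != 3 or parts[0] != MAGIC:
        return False
    try:
        length = int(parts[1])
    except ValueError:
        return False
    data = body.encode("utf-8")
    return length == len(data) and parts[2] == hashlib.sha1(data).hexdigest()


# Constructed sample: the kind of change ovs-vsctl would append (a bridge row).
SAMPLE = frame_record({"Bridge": {"br0": {"name": "br0"}}})

# Editing only the body in a text editor leaves a stale checksum behind.
TAMPERED = SAMPLE.replace("br0", "br1")
```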

