[CentOS] Network services start before network is up since migrating to 7.2

Tue Dec 22 15:53:19 UTC 2015
m.roth at 5-cent.us <m.roth at 5-cent.us>

James Hogarth wrote:
> On 22 December 2015 at 10:33, Sylvain CANOINE
> <sylvain.canoine at tv5monde.org> wrote:
>> > De: "Marcelo Ricardo Leitner" <marcelo.leitner at gmail.com>
>> In short, "you don't need it, so don't use it".
>> They said NM is more a desktop-oriented tool, already had privilege
>> escalation issues in the past (I didn't search if they're right), has
>> too many dependencies (such as wpa_supplicant and avahi, which are, of
>> course, also forbidden), needs extra mechanisms (PAM ? Polkit ?)
>> to avoid users changing its settings, needs D-bus just to work, so
>> it is too much complex just to set static IP addresses on network
>> interfaces. They said> multiples> administrator actions, and
>> potentially human errors, to set it up, may be a security risk...
> Also known as "we have our policies for EL6 and we haven't paid any
> attention to EL7 to see how things have changed" ... Wonder if they have
> read my NM blog article yet ...
> Honestly any 'security' people banning wpa_supplicant needs their heads
> examined given that is used for 802.1x authentication ... which if they
> care about security they should be paying attention to.

Really? Why?

a) All the servers I've ever dealt with (and I don't mean a large tower
under someone's desk) are racked in locked rooms and hardwired.

b)  NONE I've ever seen has any wifi, so I've never understood why avahi,
and the firewall hole for it, was installed in the "server" version by

c) wpa-supplicant - again, why? If it's hardwired, and behind switches and
firewalls, why PNAC if every server is running firewalls?
        mark "let's *please* NOT talk about NAC via Cisco,
                and people who allegedly know and have planned
                rolling it out...."