Proposal: ReadOnlyDirectories /etc and /usr for network-services

Lennart Poettering mzerqung at 0pointer.de
Thu Jul 25 17:48:37 UTC 2013


On Mon, 22.07.13 00:02, Reindl Harald (h.reindl at thelounge.net) wrote:

> Hi
> 
> has anybody considered to put the following as default in systemd-units of
> network services? cross-posting to users-list intended because I think it
> is a good idea to bring it to a broader userbase!
> 
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr

So, I could agree to this part.

> additionally having the RPM database accessible for network-services
> is fine, set for all listed below and reduces the attack surface
> 
> InaccessibleDirectories=/var/lib/rpm
> InaccessibleDirectories=/var/lib/yum

This part gives me a headache though.

"ReadOnlyDirectories=/etc /usr" simply encodes the semantics that we
generally assume that /etc and /usr have, in a single configuration option:
/etc and /usr are generally read-only during runtime, and only writable
when configured or new packages are installed. A setting like this
should pretty universally work for all services with very few
exceptions. This is why I like this.

However, the rpm/yum lines come awfully close to a MAC solution which
labels all objects and assigns access modes to them. It is also much less
universal as these files/dirs may rightfully be accessed by a number of
system services.

systemd should not be misunderstood as a reimplementation of SELinux or
AppArmor, hence finegrained labelling of specific files and dirs sounds
like nothing we should do. OTOH making /etc and /usr read-only just
means enforcing generally assumed semantics of these top-level
directories, and so I'd be happy to.

So, yeah, if somebody wants to work on getting "ReadOnlyDirectories=/etc
/usr" into the packaging guidelines as proposed default for all system
services, I'd certainly support that, but since I have enough of
discussing and dealing with Fedora committees and discussion forums this
is something somebody else has to champion or won't happen.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
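As an added illustration (not part of the thread above), this is what the proposal endorsed in the reply looks like as a systemd drop-in for a hypothetical network service named `example-daemon.service`; the unit name and the drop-in path are assumptions. It applies only the two `ReadOnlyDirectories=` lines that the reply agrees with and leaves out the rpm/yum `InaccessibleDirectories=` lines it objects to, so writes to /etc or /usr by the service fail with EROFS while package tooling and other system services are unaffected.

```ini
# /etc/systemd/system/example-daemon.service.d/readonly.conf
# Drop-in overriding a hypothetical network service (name assumed).
# Enforces the usual semantics of /etc and /usr at runtime: the service
# can still read its configuration and binaries, but any attempt to
# write under these trees fails with EROFS for this service only.
[Service]
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
```

After `systemctl daemon-reload` and a restart of the unit, the effective setting can be inspected with `systemctl show example-daemon.service`. Newer systemd releases spell these options `ReadOnlyPaths=` and `InaccessiblePaths=`; the older names used in the thread are still accepted as aliases.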

