F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services
Bill Nottingham
notting at splat.cc
Wed Mar 26 15:28:31 UTC 2014
Jaroslav Reznik (jreznik at redhat.com) said:
> = Proposed System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For
> Long-Running Services =
> https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
>
> Change owner(s): Lennart Poettering <lennart at poettering dot net>, Dan
> Walsh, Kay Sievers
>
> Let's make Fedora more secure by default! Recent systemd versions provide two
> per-service switches PrivateDevices=yes/no and PrivateNetwork=yes/no which
> enable services to run without access to any physical devices in /dev, or
> without access to kind of network sockets. So far this has seen little use in
> Fedora, and with this Fedora Change we'd like to change this, and enable these
> for all long-running services that do not require device/network access.
Can you define 'recent' here? While we wouldn't want to change the behavior
of existing F20 or earlier services, it would be worthwhile to know if
packages built for EPEL 7 could/should use this feature as well.
Bill
More information about the devel
mailing list