F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services

Miloslav Trmač mitr at volny.cz
Thu Mar 27 17:49:38 UTC 2014


2014-03-26 15:06 GMT+01:00 Jaroslav Reznik <jreznik at redhat.com>:
> == Detailed Description ==
> When PrivateDevices=yes...
> Furthermore, the
> CAP_MKNOD capability is removed. Finally, the "devices" cgroup controller is
> used to ensure that no access to device nodes except the listed ones is
> possible.

> When PrivateNetwork=yes ...
>     4. This also disconnects the AF_UNIX abstract namespace
>     5. This also disconnects the AF_NETLINK and AF_AUDIT socket families

How much does this overlap existing SELinux policy?  Would it make
sense to have both configured from a single source?  It seems to me
that every inconsistency between the systemd unit file and the SELinux
policy must be a bug; could we eliminate this class of bugs entirely,
or if fully automated extraction of the information between the two
data sets weren't feasible, would it make sense to have and regularly
run tools that compare the two policies?
    Mirek
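As an added illustration of the comparison the reply asks about (this is example code, not part of the thread, the Fedora change, or systemd itself), the shell functions below compute the effective PrivateDevices= and PrivateNetwork= values of a service from its on-disk unit text, so a tool that cross-checks systemd sandboxing against SELinux policy has a systemd-side value to compare. It assumes files are passed in systemd's load order (main unit first, then drop-ins) and that, as for every boolean unit setting, the last assignment wins; only the [Service] section is consulted and an unassigned key reports systemd's default of "no".

```shell
#!/bin/sh
# Added example (not code from the thread, the Fedora change or systemd):
# report the effective PrivateDevices= / PrivateNetwork= settings of a
# service unit from its text, without a running systemd.

# Usage: effective_private_settings UNIT_FILE [DROP_IN...]
# Prints "PrivateDevices=<value>" and "PrivateNetwork=<value>", one per line.
# Assumption: files arrive in systemd's load order, and the last assignment
# of a boolean setting wins, as it does in systemd.
effective_private_settings() {
    cat "$@" | awk '
        /^\[/               { in_service = ($0 == "[Service]"); next }
        /^[[:space:]]*[#;]/ { next }           # comment lines are ignored
        in_service && /^[[:space:]]*Private(Devices|Network)[[:space:]]*=/ {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            seen[key] = val                    # a later assignment overrides
        }
        END {
            n = split("PrivateDevices PrivateNetwork", keys, " ")
            for (i = 1; i <= n; i++)
                print keys[i] "=" ((keys[i] in seen) ? seen[keys[i]] : "no")
        }'
}

# Usage: is_fully_private UNIT_FILE [DROP_IN...]
# Exit 0 when both settings resolve to "yes", 1 otherwise, so a CI job can
# flag long-running services whose unit and drop-ins disagree.
is_fully_private() {
    effective_private_settings "$@" | grep -qv '=yes$' && return 1
    return 0
}

# Constructed sample: the main unit opts in to both settings and a drop-in
# later turns PrivateNetwork off again, the kind of drift an audit surfaces.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/example.service" <<'EOF'
[Unit]
Description=Constructed example service

[Service]
ExecStart=/usr/bin/true
PrivateDevices=yes
PrivateNetwork=yes
EOF
    cat > "$tmp/override.conf" <<'EOF'
[Service]
PrivateNetwork=no
EOF
    effective_private_settings "$tmp/example.service" "$tmp/override.conf"
    rm -rf "$tmp"
}

demo
```

The demo prints `PrivateDevices=yes` and `PrivateNetwork=no`; the SELinux-side value a comparison tool would hold against these (for example whether the domain is allowed device-node or network access) has to come from the loaded policy, which this example does not parse.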
