F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 27 19:57:10 UTC 2014
On 03/27/2014 01:49 PM, Miloslav Trmač wrote:
> 2014-03-26 15:06 GMT+01:00 Jaroslav Reznik <jreznik at redhat.com>:
>> == Detailed Description ==
>> When PrivateDevices=yes...
>> Furthermore, the
>> CAP_MKNOD capability is removed. Finally, the "devices" cgroup controller is
>> used to ensure that no access to device nodes except the listed ones is
>> possible.
>> When PrivateNetwork=yes ...
>> 4. This also disconnects the AF_UNIX abstract namespace
>> 5. This also disconnects the AF_NETLINK and AF_AUDIT socket families
> How much does this overlap existing SELinux policy? Would it make
> sense to have both configured from a single source? It seems to me
> that every inconsistency between the systemd unit file and the SELinux
> policy must be a bug; could we eliminate this class of bugs entirely,
> or if fully automated extraction of the information between the two
> data sets weren't feasible, would it make sense to have and regularly
> run tools that compare the two policies?
> Mirek
It doesn't really overlap with SELinux, just adds another layer of
security, and gives the administrator more flexibility on how he
configures his services. I do not think there are too many confined
domains that need mknod, and most confined domains are not allowed to
look at many device nodes. In a way this can eliminate SELinux AVCs
from apps just doing the equiv of ls -l /dev.
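The two options from the proposal applied to a long-running service as a drop-in, with a small helper that audits unit files for them. This is an added example, not code from the thread or from the Fedora/systemd projects; "example-daemon" is a placeholder unit name.

```shell
# Drop-in to install as
# /etc/systemd/system/example-daemon.service.d/sandbox.conf
# ("example-daemon" is a placeholder unit name).
sandbox_dropin() {
    cat <<'EOF'
[Service]
# Private /dev holding only pseudo-devices; CAP_MKNOD is dropped and the
# devices cgroup denies every other node.
PrivateDevices=yes
# Loopback-only network namespace; also cuts off the abstract AF_UNIX
# namespace and the AF_NETLINK/AF_AUDIT socket families.
PrivateNetwork=yes
EOF
}

# unit_setting FILE KEY: print the effective value of KEY in [Service]
# (last assignment wins, as in systemd; comment lines are skipped).
unit_setting() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# audit_unit FILE: print "ok" when both options are yes, otherwise
# "missing: <keys>" with exit status 1.
audit_unit() {
    missing=""
    for key in PrivateDevices PrivateNetwork; do
        [ "$(unit_setting "$1" "$key")" = "yes" ] || missing="$missing $key"
    done
    [ -z "$missing" ] && { echo ok; return 0; }
    echo "missing:$missing"
    return 1
}

# Demo on constructed files; no running systemd is needed.
tmp=$(mktemp -d)
sandbox_dropin > "$tmp/hardened.conf"
printf '[Service]\nExecStart=/bin/true\n' > "$tmp/plain.conf"
audit_unit "$tmp/hardened.conf"          # ok
audit_unit "$tmp/plain.conf" || :        # missing: PrivateDevices PrivateNetwork
rm -rf "$tmp"
```

On a systemd host, `systemd-run -p PrivateDevices=yes -p PrivateNetwork=yes --wait ls -l /dev` shows the reduced /dev a service with these settings would see.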