Re: Proposal: ReadOnlyDirectories /etc and /usr for network-services

On Mon, 22.07.13 00:02, Reindl Harald (h.reindl@xxxxxxxxxxxxx) wrote:

> Hi
> 
> has anybody considered to put the following as default in systemd-units of
> network services? cross-posting to users-list intended because i think it
> is a good idea to bring it to a broader userbase!
> 
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr

So, I could agree to this part.

> additionally having the RPM database to accessible for network-services
> is fine, set for all listed below and reduces the attack surface
> 
> InaccessibleDirectories=/var/lib/rpm
> InaccessibleDirectories=/var/lib/yum

This part gives me a headache though.

"ReadOnlyDirectories=/etc /usr" simply encodes the semantics that we
generally assume that /etc and /usr have, in a single configuration option:
/etc and /usr are generally read-only during runtime, and only writable
when configured or new packages are installed. A setting like this
should pretty universally work for all services with very few
exceptions. This is why I like this.

However, the rpm/yum lines come awfully close to a MAC solution which
labels all objects and assigns access modes to them. It is also much less
universal as these files/dirs may rightfully be accessed by a number of
system services.

systemd should not be misunderstood as a reimplementation of SELinux or
AppArmor, hence fine-grained labelling of specific files and dirs sounds
like nothing we should do. OTOH making /etc and /usr read-only just
means enforcing generally assumed semantics of these top-level
directories, and so I'd be happy to.

So, yeah, if somebody wants to work on getting "ReadOnlyDirectories=/etc
/usr" into the packaging guidelines as proposed default for all system
services, I'd certainly support that, but since I have enough of
discussing and dealing with Fedora committees and discussion forums this
is something somebody else has to champion or won't happen.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
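As an added illustration (not code from the thread or from systemd), here is a small audit script that merges the [Service] list settings of a unit file and its drop-ins the way systemd does (values accumulate, an empty assignment resets) and reports whether the proposed "ReadOnlyDirectories=/etc /usr" default is in effect, separately flagging per-package paths such as /var/lib/rpm as the contested, MAC-like part. The unit text and drop-in below are constructed samples; the newer ReadOnlyPaths=/InaccessiblePaths= spellings are accepted alongside the names used in the thread.

```python
# Directive names from the thread plus the spellings later systemd uses.
LIST_KEYS = {"ReadOnlyDirectories": "ro", "ReadOnlyPaths": "ro",
             "InaccessibleDirectories": "inacc", "InaccessiblePaths": "inacc"}

def parse_sandbox(*fragments):
    """Merge [Service] list settings: values accumulate, an empty assignment resets."""
    acc = {"ro": [], "inacc": []}
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("["):
                section = line.strip("[]")
                continue
            if section != "Service" or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            if key in LIST_KEYS:
                bucket = acc[LIST_KEYS[key]]
                if value == "":
                    bucket.clear()
                else:  # a leading '-' means "ignore if the path is missing"
                    bucket.extend(p.lstrip("-") for p in value.split())
    return acc

def covered(path, roots):
    """True if path equals one of roots or lies beneath one of them."""
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)

def audit(*fragments):
    acc = parse_sandbox(*fragments)
    missing = [d for d in ("/etc", "/usr") if not covered(d, acc["ro"])]
    # Per-package paths such as /var/lib/rpm are the contested, MAC-like part.
    mac_like = [p for p in acc["inacc"] if p.startswith("/var/lib/")]
    return {"missing_ro": missing, "mac_like": mac_like}

# Constructed sample: a unit that only protects /etc, plus a drop-in that
# applies the proposal together with the rpm/yum lines.
UNIT = """[Service]
ExecStart=/usr/sbin/exampled
ReadOnlyDirectories=/etc
"""
DROPIN = """[Service]
ReadOnlyDirectories=
ReadOnlyDirectories=/etc /usr
InaccessibleDirectories=/var/lib/rpm
InaccessibleDirectories=-/var/lib/yum
"""
```

Running audit(UNIT) alone reports /usr as not read-only; audit(UNIT, DROPIN) reports nothing missing but lists the two /var/lib paths for review.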