Re: F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/26/2014 11:30 AM, Reindl Harald wrote:
> 
> Am 26.03.2014 16:28, schrieb Bill Nottingham:
>> Jaroslav Reznik (jreznik@xxxxxxxxxx) said:
>>> = Proposed System Wide Change: PrivateDevices=yes and
>>> PrivateNetwork=yes For Long-Running Services = 
>>> https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
>>>
>>>
>>> 
Change owner(s): Lennart Poettering <lennart at poettering dot net>, Dan
>>> Walsh, Kay Sievers
>>> 
>>> Let's make Fedora more secure by default! Recent systemd
>>> versions provide two per-service switches PrivateDevices=yes/no
>>> and PrivateNetwork=yes/no which enable services to run without
>>> access to any physical devices in /dev, or without access to
>>> kind of network sockets. So far this has seen little use in 
>>> Fedora, and with this Fedora Change we'd like to change this,
>>> and enable these for all long-running services that do not
>>> require device/network access.
>> 
>> Can you define 'recent' here? While we wouldn't want to change
>> the behavior of existing F20 or earlier services, it would be
>> worthwhile to know if packages built for EPEL 7 could/should use
>> this feature as well
> 
> i just tried on F20 and "PrivateDevices" is not known sadly because
> i have some services in mind where i would like that
> 
> Mär 26 15:51:55 testserver.rhsoft.net systemd[1]:
> [/usr/lib/systemd/system/httpd.service:15] Unknown lvalue 
> 'PrivateDevices' in section 'Service'
> 
> 
> 

PrivateNetwork seems to have been around since at least 2012. The
commit providing PrivateDevices[1] went upstream on January 20th.

According to
git describe 7f112f50fea585411ea2d493b3582bea77eb4d6e

we get v208-1612-g7f112f5 which means it went in 1,612 patches after
v208 was released, so it's definitely not in F20 or RHEL 7 beta.


[1]
http://cgit.freedesktop.org/systemd/systemd/commit/?id=7f112f50fea585411ea2d493b3582bea77eb4d6e&utm_source=anzwix
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMzE84ACgkQeiVVYja6o6NofQCeMJ1RVsfx2/l4Atnr4P5uh0Oq
IWsAoKczKEPdgQI2KUSnuOy0Nl0V/hfD
=N7q3
-----END PGP SIGNATURE-----
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux