Am 26.03.2014 18:52, schrieb Stephen Gallagher: > On 03/26/2014 11:30 AM, Reindl Harald wrote: >> i just tried on F20 and "PrivateDevices" is not known sadly because >> i have some services in mind where i would like that > >> Mär 26 15:51:55 testserver.rhsoft.net systemd[1]: >> [/usr/lib/systemd/system/httpd.service:15] Unknown lvalue >> 'PrivateDevices' in section 'Service' > > PrivateNetwork seems to have been around since at least 2012. The > commit providing PrivateDevices[1] went upstream on January 20th. correct and in use here for longer time > According to > git describe 7f112f50fea585411ea2d493b3582bea77eb4d6e > > we get v208-1612-g7f112f5 which means it went in 1,612 patches after > v208 was released, so it's definitely not in F20 or RHEL 7 beta which is just bad, after the announcement i planned to configure postfix, dbmail, dovecot, httpd... on my local testmachine using PrivateDevices=yes since /dev/urnadom and friends are statet as available and test out if it is do-able in production that said the announcement with words like "recent systemd" as well as the documentation is just poor because it does nowhere state the required systemd version which reflects the not care about downstream or users attitude maybe some people should look at postfix and it's documentation as reference how sane docs are looking like and improvements over years are done without breaking backwards compatibility ________________________________________________ http://www.freedesktop.org/software/systemd/man/systemd.exec.html PrivateDevices= Takes a boolean argument. If true, sets up a new /dev namespace for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda. This is useful to securely turn off physical device access by the executed process. Defaults to false. Enabling this option will also remove CAP_MKNOD from the capability bounding set for the unit (see above), and set DevicePolicy=closed (see systemd.resource-control(5) for details). Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace.
Attachment:
signature.asc
Description: OpenPGP digital signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
