2014-03-26 15:06 GMT+01:00 Jaroslav Reznik <jreznik@xxxxxxxxxx>:
> == Detailed Description ==
> When PrivateDevices=yes...
> Furthermore, the
> CAP_MKNOD capability is removed. Finally, the "devices" cgroup controller is
> used to ensure that no access to device nodes except the listed ones is
> possible.
> When PrivateNetwork=yes ...
> 4. This also disconnects the AF_UNIX abstract namespace
> 5. This also disconnects the AF_NETLINK and AF_AUDIT socket families
How much does this overlap existing SELinux policy? Would it make
sense to have both configured from a single source? It seems to me
that every inconsistency between the systemd unit file and the SELinux
policy must be a bug; could we eliminate this class of bugs entirely,
or if fully automated extraction of the information between the two
data sets weren't feasible, would it make sense to have and regularly
run tools that compare the two policies?
Mirek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
