On Tue, Nov 17, 2020 at 04:08:19PM +0100, Vitaly Zaitsev via devel wrote:
> That's why all user-space "OOM killers" must have the following
> lines in their .service files:
>
> DynamicUser=true
> AmbientCapabilities=CAP_KILL CAP_IPC_LOCK
> ProtectSystem=strict
> ProtectHome=true
>
> I think FESCo should create a special policy for such preinstalled
> by default daemons. Running them as root is too dangerous.

See https://pagure.io/fesco/issue/1663 and the linked FPC ticket. I'm not
sure if that draft ever made it officially into the guidelines?

--
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
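
Added example (not part of either message, and not Fedora policy or project code): a Python check of a unit's [Service] section against the four directives quoted above. The function names and the sample unit are constructed for illustration.

```python
# Added example: audit a unit's [Service] section against the four directives
# quoted in the thread. SAMPLE_UNIT at the bottom is constructed.
EXPECTED = {"DynamicUser": "true", "ProtectSystem": "strict", "ProtectHome": "true"}
EXPECTED_CAPS = {"CAP_KILL", "CAP_IPC_LOCK"}
TRUE_WORDS = {"1", "yes", "true", "on"}  # spellings systemd accepts for a boolean

def parse_service(text):
    """Return {key: [values in file order]} for the [Service] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).append(value.strip())
    return out

def audit(text):
    """List deviations from the quoted settings; an empty list means a match."""
    svc, findings = parse_service(text), []
    for key, want in EXPECTED.items():
        got = svc.get(key, [""])[-1].lower()  # the last assignment wins
        got = "true" if got in TRUE_WORDS else got
        if got != want:
            findings.append(f"{key}={got or '(unset)'}, expected {want}")
    caps = set()
    for value in svc.get("AmbientCapabilities", []):
        if value.startswith("~"):
            findings.append("AmbientCapabilities uses an inverted (~) list; review by hand")
        elif value:
            caps |= set(value.split())  # repeated assignments are merged
        else:
            caps = set()  # an empty assignment resets the list
    for cap in sorted(EXPECTED_CAPS - caps):
        findings.append(f"AmbientCapabilities lacks {cap}")
    for cap in sorted(caps - EXPECTED_CAPS):
        findings.append(f"AmbientCapabilities grants extra {cap}")
    return findings

SAMPLE_UNIT = """\
[Unit]
[Service]
ExecStart=/usr/bin/example-oomd
ProtectSystem=full
AmbientCapabilities=CAP_KILL CAP_SYS_ADMIN
"""
```

Calling `audit(SAMPLE_UNIT)` returns five findings; a unit carrying exactly the four quoted lines returns an empty list.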