[Pki-devel] Some recent systemd security features (tunable in unit-files)
Nathan Kinder
nkinder at redhat.com
Fri Jan 20 06:16:44 UTC 2012
On 01/19/2012 09:33 PM, Kashyap Chamarthy wrote:
> Hi,
>
> Just came across this blog post from Lennart Poettering on security features in systemd,
> which seem to be relatively easy to use by configuring a directive in systemd unit files.
> Wondering if we can use any of these for dogtag systemd unit files.
>
> http://0pointer.de/blog/projects/security.html
>
> Quick notes from the above long post:
>
> - Isolating services from the network
> + A service and all its processes can be disconnected via n/w (I guess this won't be much
> helpful in our case as dogtag operates mostly over network)
> - Service-private /tmp
> + An isolated private /tmp from host system's /tmp
> - Making directories appear read-only or inaccessible to services
> - Taking away capabilities from services
> + Ability to limit kernel capabilities to services
> - Disallowing forking, limiting file creation for services
> - Controlling device node access of services
> + Ex: Like allowing access to a specific device (like /dev/null, and only to this device)

There seem to be some interesting things here. There is some overlap
with SELinux in a number of these areas, though it may still be worth
additionally locking things down at the systemd level as well.
>
>
>
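A way to check a unit file against the features listed in the quoted notes, as an added example that is not part of the original thread or of dogtag's own code. The directive names are systemd's (the older `...Directories` and newer `...Paths` spellings are both accepted); the sample unit and its `example-ca-daemon` path are constructed.

```python
# Added example; SAMPLE_UNIT is constructed, not a real dogtag unit file.
FEATURES = {  # item in the quoted list -> [Service] directives providing it
    "network isolation": ("PrivateNetwork",),
    "private /tmp": ("PrivateTmp",),
    "read-only/inaccessible dirs": ("ReadOnlyDirectories", "ReadOnlyPaths",
                                    "InaccessibleDirectories", "InaccessiblePaths"),
    "capability limits": ("CapabilityBoundingSet",),
    "fork/file-size limits": ("LimitNPROC", "LimitFSIZE"),
    "device access control": ("DeviceAllow",),
}
BOOLEAN = {"PrivateNetwork", "PrivateTmp"}  # count only when switched on

SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/example-ca-daemon
PrivateTmp=yes
PrivateNetwork=no
InaccessibleDirectories=/home
ReadOnlyDirectories=/usr
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DeviceAllow=/dev/null rw
"""

def service_settings(unit_text):
    """Return {directive: [values, in order]} for the [Service] section."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def audit(unit_text):
    """Map each feature to True when one of its directives is in effect."""
    s = service_settings(unit_text)
    def active(name):
        if name in BOOLEAN:  # the last assignment wins
            return s.get(name, ["no"])[-1].lower() in ("1", "yes", "true", "on")
        return name in s
    return {feat: any(map(active, names)) for feat, names in FEATURES.items()}

if __name__ == "__main__":
    for feature, on in audit(SAMPLE_UNIT).items():
        print("set    " if on else "MISSING", feature)
```

For the sample unit this reports network isolation and the fork/file-size limits as missing, which matches the note above that network isolation is of little use to a service that operates mostly over the network.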