[Pki-devel] Some recent systemd security features ( tunable in unit-files)

Kashyap Chamarthy kchamart at redhat.com
Fri Jan 20 08:48:49 UTC 2012


On 01/20/2012 11:46 AM, Nathan Kinder wrote:
> On 01/19/2012 09:33 PM, Kashyap Chamarthy wrote:
>> Hi,
>>
>> Just came across this blog post from Lennart Poettering on security features in systemd,
>> which seem to be relatively easy to use by configuring a directive in systemd unit files.
>> Wondering, if we can use any of these for dogtag systemd unit files.
>>
>> http://0pointer.de/blog/projects/security.html
>>
>> Quick notes from the above long post:
>>
>> - Isolating services from the network
>>     + A service and all its processes can be disconnected via n/w (I guess this won't be
>> much helpful in our case as dogtag operates mostly over network)
>> - Service-private /tmp
>>     + An isolated private /tmp from host system's /tmp
>> - Making directories appear read-only or inaccessible to services
>> - Taking away capabilities from services
>>     + Ability to limit kernel capabilities to services
>> - Disallowing forking, limiting file creation for services
>> - Controlling device node access of services
>>     + Ex: Like allowing access to a specific device (like /dev/null, and only to this
>> device)
> There seem to be some interesting things here.  There is some overlap with SELinux in a
> number of these areas, though it may still be worth additionally locking things down at
> the systemd level as well.

Yeah, he mentions that, whether SELinux is used or not, MAC-style enforcement can be done via
these new systemd security controls.



-- 
/kashyap
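As an added example (not from this thread or from the linked blog post), here is a unit-file drop-in that applies the directives listed above to a hypothetical Dogtag service; the unit name, the directory paths and the capability list are assumptions:

```ini
# Hypothetical hardening drop-in for a Dogtag unit. The unit name is a
# placeholder and the paths/capabilities are assumptions, not from the thread.
# Install as /etc/systemd/system/<DOGTAG-UNIT>.service.d/hardening.conf,
# then run `systemctl daemon-reload` and restart the unit.
[Service]
# Service-private /tmp: the service gets an empty /tmp and /var/tmp of its own,
# invisible to (and isolated from) the host's /tmp.
PrivateTmp=yes

# Network isolation is deliberately NOT enabled: Dogtag serves clients over the
# network, so PrivateNetwork=yes would cut it off from them.
# PrivateNetwork=yes

# Directories made read-only or entirely inaccessible to the service.
# (Newer systemd spells these ReadOnlyPaths= / InaccessiblePaths=; the older
# names used in the blog post are still accepted as aliases.)
ReadOnlyDirectories=/etc
InaccessibleDirectories=/home /root

# Capability bounding set: everything not listed is removed for the service and
# all of its children. This list assumes the service binds a privileged port and
# then drops to an unprivileged user; adjust to what the daemon actually needs.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID

# Process limit: RLIMIT_NPROC is counted per user, so it bounds how many
# processes the service account can have, i.e. it limits forking.
LimitNPROC=64

# File-creation limit: LimitFSIZE=0 forbids creating or growing files at all,
# which is too strict for a service that writes logs and a database, so it is
# shown but left disabled here.
# LimitFSIZE=0

# Device access: with DevicePolicy=closed only the systemd default pseudo-devices
# (/dev/null, /dev/zero, /dev/random, ...) plus explicit DeviceAllow= entries
# are reachable; this allows /dev/null read-write and nothing else.
DevicePolicy=closed
DeviceAllow=/dev/null rw
```

After restarting, `systemctl show <DOGTAG-UNIT>.service -p CapabilityBoundingSet -p PrivateTmp -p DevicePolicy` confirms which settings took effect.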