On 01/19/2012 09:33 PM, Kashyap Chamarthy wrote:
Hi,
Just came across this blog post from Lennart Poettering on security features in systemd,
which seem to be relatively easy to use by configuring a directive in systemd unit
files.
Wondering if we can use any of these for dogtag systemd unit files.
http://0pointer.de/blog/projects/security.html
Quick notes from the above long post:
- Isolating services from the network
+ A service and all its processes can be disconnected via n/w (I guess this won't be of much help in our case as dogtag operates mostly over network)
- Service-private /tmp
+ An isolated private /tmp from host system's /tmp
- Making directories appear read-only or inaccessible to services
- Taking away capabilities from services
+ Ability to limit kernel capabilities to services
- Disallowing forking, limiting file creation for services
- Controlling device node access of services
+ Ex: Like allowing access to a specific device (like /dev/null, and only to this device)
There seem to be some interesting things here. There is some overlap
with SELinux in a number of these areas, though it may still be worth
additionally locking things down at the systemd level as well.
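As an added illustration (not part of the thread, and not Dogtag's own unit file), the directives behind the items Kashyap listed, written as a systemd drop-in that could sit beside a service unit. The unit name in the path is a placeholder, and the paths and capability set are assumptions to be checked against what the service actually needs; directive names are systemd's (the 2012 blog post spells the path directives ReadOnlyDirectories= and InaccessibleDirectories=, the names systemd now documents are ReadOnlyPaths= and InaccessiblePaths=):

```ini
# Drop-in file, e.g. /etc/systemd/system/<dogtag-unit>.service.d/hardening.conf
# (<dogtag-unit> is a placeholder; the directive values below are assumptions).
[Service]

# Service-private /tmp: the service sees its own empty /tmp and /var/tmp.
PrivateTmp=yes

# Isolating from the network (PrivateNetwork=yes) is deliberately left out:
# a CA that serves clients over HTTP(S) cannot run in a network-less namespace.

# Directories that appear read-only or are hidden from the service entirely.
# Anything the service must write to (its data and log directories) must be
# left out of ReadOnlyPaths=, so verify these against the real install layout.
ReadOnlyPaths=/usr /boot
InaccessiblePaths=/home /root

# Take away kernel capabilities: keep only what binding to a port < 1024 needs.
# If the service runs unprivileged on a high port, this can be an empty set.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# "No forking" from the blog post is RLIMIT_NPROC=1 and "no file creation" is
# RLIMIT_FSIZE=0. Both are shown here as the post describes them, but a
# Java/Tomcat service needs threads (which count against RLIMIT_NPROC) and
# writes files, so for such a service raise NPROC and drop FSIZE, or omit both.
LimitNPROC=1
LimitFSIZE=0

# Device node access: the "closed" policy allows only the basic pseudo devices
# (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom, /dev/tty, ...);
# DeviceAllow= then adds explicit entries, here only /dev/null read-write.
DevicePolicy=closed
DeviceAllow=/dev/null rw
```

After `systemctl daemon-reload`, the effective settings can be confirmed with `systemctl show <unit> -p PrivateTmp -p CapabilityBoundingSet`, and newer systemd versions report an overall exposure score for the unit with `systemd-analyze security <unit>`, which is a quick way to see which of these directives are still unset. As the reply above notes, these controls are enforced by the kernel independently of SELinux, so a denial from one shows up even where the other policy would have allowed the access; when debugging a failing service, check both the journal for the unit and the SELinux audit log.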