On 01/20/2012 11:46 AM, Nathan Kinder wrote:
On 01/19/2012 09:33 PM, Kashyap Chamarthy wrote:
> Hi,
>
> Just came across this blog post from Lennart Poettering on security features in
> systemd, which seem to be relatively easy to use by configuring a directive in
> systemd unit files.
> Wondering if we can use any of these for dogtag systemd unit files.
>
> http://0pointer.de/blog/projects/security.html
>
> Quick notes from the above long post:
>
> - Isolating services from the network
>   + A service and all its processes can be disconnected from the n/w (I guess this
>     won't be of much help in our case as dogtag operates mostly over the network)
> - Service-private /tmp
>   + An isolated private /tmp, separate from the host system's /tmp
> - Making directories appear read-only or inaccessible to services
> - Taking away capabilities from services
>   + Ability to limit kernel capabilities of services
> - Disallowing forking, limiting file creation for services
> - Controlling device node access of services
>   + Ex: allowing access to a specific device (like /dev/null, and only to
>     this device)
There seem to be some interesting things here. There is some overlap with SELinux in a
number of these areas, though it may still be worth additionally locking things down at
the systemd level as well.
Yeah, he mentions that, irrespective of SELinux, MAC-style enforcement can be done via
these new systemd security controls.
--
/kashyap
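As an added illustration (not part of this thread and not the real dogtag unit file), here is a hypothetical unit that applies the directives from Lennart's post to a network-facing service of the kind discussed above; the service name, binary path, user and paths are assumptions.

```ini
# Hypothetical hardened unit for a network-facing PKI service.
# Added example; service name, paths and user are assumed, not dogtag's own.
[Unit]
Description=Example PKI service (hypothetical)
After=network.target

[Service]
ExecStart=/usr/sbin/example-pki-daemon
User=pkiuser

# Not usable here: the service serves clients over the network, so
# PrivateNetwork=yes would cut it off. Left commented out deliberately.
#PrivateNetwork=yes

# Service-private /tmp, isolated from the host's /tmp, so other users'
# processes cannot race the service on predictable /tmp file names.
PrivateTmp=yes

# Read-only view of /usr and /etc; the service's own state directory under
# /var must stay writable, so it is not listed. /home becomes invisible.
ReadOnlyDirectories=/usr /etc
InaccessibleDirectories=/home

# Drop every capability except binding a privileged port. A service that
# only listens on ports above 1023 can use an empty set instead.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Forbid forking: a single daemon that should never spawn processes.
# Caveat: Linux counts threads towards RLIMIT_NPROC, so a multi-threaded
# JVM-based service needs this raised well above 1 or it will fail to start.
LimitNPROC=1

# Cap the size of any file the service may write (bytes); 0 would forbid
# creating files at all, as in the blog post's example.
LimitFSIZE=1073741824

# Close all device nodes except the ones explicitly allowed.
DevicePolicy=closed
DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemctl show -p CapabilityBoundingSet <unit>` lets you confirm the effective bounding set rather than trusting the file alone.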