Hi, More below.
2018-02-06 21:49 GMT+01:00 Petr Menšík :
> Hi, More below
>
> Dne 1.2.2018 v 01:36 Ludovic Gasc napsal(a):
> > 2018-01-31 21:47 GMT+01:00 Petr Menšík <pemen...@redhat.com>:
> >
> > Hi Ludovic,
> >
bt it would work with that. I
> want them to still work if they worked until now. Normal variant might
> use that, chroot already has its own empty /dev.
>
> There is some nice page about this on Fedora wiki:
> https://fedoraproject.org/wiki/Packaging:Systemd#Fields_to_avoid
>
in major distributions without extra
dependencies: 99% of people don't customize the default daemons config
setup, and SELinux/AppArmor/SMACK aren't always used.
>
> Daniel
>
> On 16.01.18 12:21, Ludovic Gasc wrote:
> > Hi,
> >
> > I have merged config fi
ithub.com/ageis/f5595e59b1cddb1513d1b425a323db04
SystemCallArchitectures=native
MemoryDenyWriteExecute=true
RestrictRealtime=true
--
Ludovic Gasc (GMLudo)
2018-01-16 12:21 GMT+01:00 Ludovic Gasc :
> Hi,
>
> I have merged config files from Tony, Robert, and me.
> I have tried to be the most generic, the re
accessiblePaths=/home
InaccessiblePaths=/opt
InaccessiblePaths=/root
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind
--
Ludovic Gasc (GMLudo)
2018-01-15 21:14 GMT+01:00 Robert Edmonds :
> Tony Finch wrote:
> > Ludovic Gasc wrote:
> >
2018-01-16 11:58 GMT+01:00 Reindl Harald :
>
> Am 16.01.2018 um 11:46 schrieb Tony Finch:
>
>> Robert Edmonds wrote:
>>
>>>
>>> I would guess that retaining CAP_NET_BIND_SERVICE and CAP_SYS_RESOURCE
>>> during the process runtime permits open-ended reloading of the config at
>>> runtime (e.g.,
2018-01-16 10:22 GMT+01:00 Reindl Harald :
>
> Am 16.01.2018 um 10:20 schrieb Ludovic Gasc:
>
>> 2018-01-15 19:11 GMT+01:00 Reindl Harald <h.rei...@thelounge.net>:
>>
>> ReadOnlyDirectories=/etc
>> ReadOnlyDirectories=/usr
>>
2018-01-15 19:11 GMT+01:00 Reindl Harald :
>
> ReadOnlyDirectories=/etc
> ReadOnlyDirectories=/usr
>
FYI, you can use ProtectSystem=strict to have more strict rules for the
root filesystem:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
First, thank you all very much; I didn't expect to receive several detailed
e-mails like that.
I now need to merge all of your ideas and propose a new version of the
config file.
However, I'll answer Tony first, because I have a remark below:
2018-01-15 19:15 GMT+01:00 Tony Finch :
>
nelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
InaccessiblePaths=/home
InaccessiblePaths=/opt
InaccessiblePaths=/root
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind
--
Ludovic Gasc (GMLudo)