#1271 F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services - https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
Closed None Opened 7 years ago by jreznik.

For the 2014-04-02 meeting, as the Change Proposal was announced on the devel-announce list on 2014-03-26.

Let's make Fedora more secure by default! Recent systemd versions provide two per-service switches, PrivateDevices=yes/no and PrivateNetwork=yes/no, which enable services to run without access to any physical devices in /dev, or without access to any kind of network sockets. So far this has seen little use in Fedora, and with this Fedora Change we'd like to change this, and enable these for all long-running services that do not require device/network access.


Agreed at the 2014-04-02 FESCo meeting: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services Change accepted (8+1 0-1)

notting has a question to note: is disconnecting the netlink and audit namespace truly required, or just merely a choice of what they decided to remove?
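
As an added example (not part of this ticket or of the Change proposal), the following sketch reports which service units leave the two switches from the description off. The unit names and contents are constructed samples; the parser reads only a single unit file's [Service] section and, as a simplification, skips values it cannot parse as a boolean.

```python
# Added example: audit [Service] sections for PrivateDevices=/PrivateNetwork=.
TRUE = {"1", "yes", "y", "true", "t", "on"}      # boolean spellings systemd accepts
FALSE = {"0", "no", "n", "false", "f", "off"}
SWITCHES = ("PrivateDevices", "PrivateNetwork")

def service_switches(unit_text):
    """Return the effective value of each switch in the [Service] section."""
    state = dict.fromkeys(SWITCHES, False)  # both switches default to "no"
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip().lower()
        if section != "Service" or not sep or key not in state:
            continue
        if value in TRUE:
            state[key] = True                # a later assignment overrides an earlier one
        elif value in FALSE:
            state[key] = False
    return state

def audit(units):
    """Map unit name -> list of switches that are not enabled."""
    return {name: [s for s in SWITCHES if not service_switches(text)[s]]
            for name, text in units.items()}

SAMPLE_UNITS = {  # constructed sample input, not real Fedora unit files
    "example-logger.service": """[Service]
ExecStart=/usr/bin/example-logger
PrivateDevices=yes
PrivateNetwork=true
""",
    "example-web.service": """[Service]
ExecStart=/usr/bin/example-web
PrivateDevices=on
PrivateNetwork=no
""",
    "example-legacy.service": """[Service]
ExecStart=/usr/bin/example-legacy
""",
}
if __name__ == "__main__":
    for unit, missing in audit(SAMPLE_UNITS).items():
        print(unit, "missing:", ", ".join(missing) or "none")
```

A unit listed with a missing switch is only a candidate for review: whether it can run without device or network access still has to be checked per service.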
