#1663 How strongly should we recommend systemd sandboxing features?
Closed: Fixed 6 years ago Opened 7 years ago by mattdm.

Based on this discussion https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/TCTVLACBQJO7O5MSP5WU6N52QBYFDMZE/#TCTVLACBQJO7O5MSP5WU6N52QBYFDMZE, I'd like to add a packaging guideline recommending use of these features in all .service unit files we ship (including the standard practice of trying to get these changes upstreamed). (See also https://lwn.net/Articles/709350/).

I suggested this to FPC, and got back the reasonable response that there's a range of possible strengths of recommendation, from simply mentioning them all the way to making it "MUST if it doesn't impair functionality" — and that making that decision is a FESCo call, which sounds right to me too.

Personally, I think we should go for stronger rather than weaker — "if it doesn't impair functionality" is already a pretty big out, and the overall improvement is pretty high for a small amount of work.
What do you all think?


Adding the meeting keyword.

Also, James Antill notes that some of these things might make most sense as system defaults — ProtectKernelModules, for example.

Jarod is going to take a stab at coming up with something more concrete in the next month. Help welcome.

@jsmith Did you have a chance to work on this?

Metadata Update from @sgallagh:
- Issue close_status updated to: Insufficient data
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mattdm:
- Issue status updated to: Open (was: Closed)

6 years ago

Zbigniew Jędrzejewski-Szmek has prepared a draft policy and a recommended FESCo decision:

https://fedoraproject.org/wiki/User:Zbyszek/ProtectionsPolicyDraft#Proposed_FESCo_decision

Oh, @zbyszek says it's not quite ready yet. Needs more discussion. Is it okay if I leave this open and then add "meeting" when we're ready?

We had an internal discussion about the proposed text, and only one issue was raised (see below), but it turns out that it is already fixed. The proposal is ready from my side, and I ask FESCo to discuss it.

NoNewPrivileges=yes (which is implied by a bunch of other settings) was interfering with SELinux transitions, but fortunately this has been fixed (https://github.com/systemd/systemd/issues/3845, https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef, https://src.fedoraproject.org/rpms/selinux-policy/c/107eb82b3e182d72c7f2c7f8f03bda6dd790f441?branch=master). Since we're talking about rawhide here, we have kernel 4.14+ and the latest selinux-policy package, so we're good.
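As an added illustration of the directives this ticket is about (not a unit shipped by Fedora and not text from the ticket or the draft policy), here is a hardening drop-in for a hypothetical `example-daemon.service`. It assumes the daemon runs as the unprivileged user `example-daemon`, keeps its state under `/var/lib/example-daemon`, and binds a privileged port, which is why one capability is kept. Every path, user and capability here is an assumption for the example; the directive names themselves are the ones documented in systemd.exec(5) and available in the systemd versions of the time (the `@system-service` syscall set needs systemd 235 or newer).

```ini
# /etc/systemd/system/example-daemon.service.d/hardening.conf
# Added example drop-in for a hypothetical service; adjust paths and
# capabilities to what the real daemon needs. In a packaged unit the same
# lines would go directly into the [Service] section of the .service file.
[Service]
User=example-daemon

# Filesystem view: read-only OS, no home directories, private /tmp and /dev.
# ProtectSystem=strict makes everything except /dev, /proc and /sys read-only,
# so every directory the daemon writes to must be listed in ReadWritePaths=.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/example-daemon
PrivateTmp=yes
PrivateDevices=yes

# Kernel interfaces: no module loading, read-only /proc/sys and /sys,
# read-only cgroup tree. ProtectKernelModules= is the setting James Antill
# suggested might be better as a system-wide default.
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

# Privileges: only the one capability the daemon needs, and no way to gain
# more through setuid or file-capability binaries. Several of the seccomp-based
# settings below imply NoNewPrivileges= on their own (see systemd.exec(5) for
# the exact rule); it is spelled out here so the SELinux caveat is visible.
# With NoNewPrivileges=yes the SELinux domain transition on exec needs the
# kernel and selinux-policy fixes referenced in the comment above; on an older
# kernel/policy the transition is refused and the service can fail to start.
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# System call surface: the generic "system service" allow-list, native ABI
# only, and only the socket families the daemon actually uses.
SystemCallFilter=@system-service
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Misc attack-surface reduction. MemoryDenyWriteExecute= breaks JIT runtimes
# (Java, some JavaScript engines), so drop it for those.
RestrictNamespaces=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
```

After `systemctl daemon-reload` and a restart, check `journalctl -u example-daemon.service` for EACCES/EPERM failures: those usually mean a missing `ReadWritePaths=` entry, a capability that was cut too aggressively, or a syscall outside the filter. On systemd 240 or newer, `systemd-analyze security example-daemon.service` scores the unit and lists which of these directives are still unset, which is a convenient way to see what "if it doesn't impair functionality" leaves on the table for a given service.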

Adding meeting keyword.

Metadata Update from @kevin:
- Issue tagged with: meeting

6 years ago

I won't be able to make today's meeting. I'm +1 to the proposed policy.

From https://meetbot.fedoraproject.org/fedora-meeting/2017-12-01/fesco.2017-12-01-16.00.html:

#agreed draft policy approved and FPC is asked to review and comment and fold into guidelines. (8,0,1) (jsmith was +1 in ticket and tyll was +1 before leaving)

Moved to FPC: https://pagure.io/packaging-committee/issue/667#comment-482486.

AGREED: draft policy approved and FPC is asked to review and comment and fold into guidelines. (8,0,1) (jsmith was +1 in ticket and tyll was +1 before leaving) (nirik, 17:10:35)

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago
