Enable systemd hardening options for named

Reindl Harald h.reindl at thelounge.net
Wed Jan 31 15:48:47 UTC 2018

Am 31.01.2018 um 16:35 schrieb Daniel Stirnimann:
>> that don't change the fact that from that moment on all protections for
>> *that* service are gone while with layered security and
>> systemd-hardening are still in place
> Where is the layered security if you disable for e.g. systems-hardening
> for a service? I don't understand your argument. If you don't want to
> loose the security provided by the hardening, then you should not
> disable it but fix it

what exactly do you not understand?

they guy i repsonded to said with SELinux the hardening options for 
systemd are not required and i explained that they are anyways a good 
idea and why - not more and not less

"That does not mean they are not useful, but most of them are
irrelevant with SELinux in enforcing mode. We want all Fedora users to
run in enforcing mode, especially on servers" was so far OK because it 
statet them as still useful

"Especially restricting path access does not make sense with SELinux. It 
is much more powerful and is already used" is nonsense because when you 
set SELInux global or for the specific service to permissive there is 
nothing powerful left because SELinux was for that case your only 
security layer you just disabled

More information about the bind-users mailing list