Enable systemd hardening options for named
Reindl Harald
h.reindl at thelounge.net
Wed Jan 31 15:48:47 UTC 2018
On 31.01.2018 at 16:35, Daniel Stirnimann wrote:
>> that don't change the fact that from that moment on all protections for
>> *that* service are gone while with layered security and
>> systemd-hardening are still in place
>
> Where is the layered security if you disable for e.g. systems-hardening
> for a service? I don't understand your argument. If you don't want to
> lose the security provided by the hardening, then you should not
> disable it but fix it

what exactly do you not understand?

the guy i responded to said with SELinux the hardening options for
systemd are not required and i explained that they are anyways a good
idea and why - not more and not less

"That does not mean they are not useful, but most of them are
irrelevant with SELinux in enforcing mode. We want all Fedora users to
run in enforcing mode, especially on servers" was so far OK because it
stated them as still useful

"Especially restricting path access does not make sense with SELinux. It
is much more powerful and is already used" is nonsense because when you
set SELinux global or for the specific service to permissive there is
nothing powerful left because SELinux was for that case your only
security layer you just disabled
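
An added illustration of the path-restriction layer the thread is about; it is not part of the original message or of any patch posted to the list. The drop-in file name and the directories are assumptions based on a Fedora-style named layout. These directives are applied by systemd through mount namespaces, so they keep applying when SELinux is permissive globally or for the named domain.

```ini
# /etc/systemd/system/named.service.d/hardening.conf  (constructed example)
# Directory names below are assumptions; adjust them to the local install.
[Service]
# Mount the entire file system hierarchy read-only for this service ...
ProtectSystem=strict
# ... and re-open only the directories named has to write to
# (zone/journal files and the runtime directory in this assumed layout).
ReadWritePaths=/var/named /run/named
# Make /home, /root and /run/user inaccessible to the service.
ProtectHome=true
# Give the service its own /tmp and /var/tmp.
PrivateTmp=true
# Provide a minimal /dev (null, zero, random, urandom) without physical devices.
PrivateDevices=true
# Make /proc/sys, /sys and the cgroup hierarchy read-only, and deny module loading.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
```

After `systemctl daemon-reload` and a restart of named, a write outside the listed `ReadWritePaths` fails with a read-only file system error regardless of the SELinux mode. If named logs to its own directory, that directory has to be added to `ReadWritePaths` as well.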