Request 908575 (accepted)

Overview

Request 908575 accepted

Automatic systemd hardening effort by the security team. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

Created by jsegitz over 3 years ago
In state accepted
Package maintainers: michals and sourabhjains

Submit ServiceReport

Comments for request 908575 3

Michal Suchanek (michals) - over 3 years ago

target maintainer

What does ProtectSystem=full do?

Would it be OK to run yast2 with these security settings (although it is started manually and not as systemd service)?

If the answer is no then these settings are likely not suitable for this service, either.

Johannes Segitz (jsegitz) - over 3 years ago

author

https://www.freedesktop.org/software/systemd/man/systemd.exec.html

If true, mounts the /usr/ and the boot loader directories (/boot and /efi) read-only for processes invoked by this unit. If set to "full", the /etc/ directory is mounted read-only, too.

No, yast2 wouldn't be able to run. Is this service requiring to modify /etc?

Michal Suchanek (michals) - over 3 years ago

target maintainer

I think that the -v option that is used in the service does not.

Request History

jsegitz created request over 3 years ago

Automatic systemd hardening effort by the security team. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

michals accepted request over 3 years ago

LGTM

Thanks

Places

Overview