Request History
jsegitz created request
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
mtomaschewski accepted request
OK, the service seems to be able to load + reset the netlabel rule to/in the kernel even though ProtectKernelTunables is set.
@Alexander_Naumov, @darix, @eeich, @elvigia, @lrupp, @mseben, @msmeissn, @poeml, @psmt, @rkwasny, @sdrahn, @tiwai: review reminder
JFYI, a little test with changes applied:

xanthos-07:~ # grep -Ev "^#|^$" /etc/netlabel.rules
cipsov4 add doi:9999 local
map del default
map add default address:0.0.0.0/0 protocol:unlbl
map add default address:::0/0 protocol:unlbl
map add default address:127.0.0.1 protocol:cipsov4,9999
xanthos-07:~ # grep -E "^Protect|^Restrict" /usr/lib/systemd/system/netlabel.service
ProtectSystem=full
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
xanthos-07:~ # systemctl start netlabel.service
xanthos-07:~ # netlabelctl cipsov4 list
9999,LOCAL
xanthos-07:~ # systemctl stop netlabel.service
xanthos-07:~ # netlabelctl cipsov4 list
xanthos-07:~ #
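The test above checks by hand that the hardening directives landed in the unit and that the service still works. The script below is an added example, not part of this request or of the netlabel package: it audits a unit file for the same Protect*/Restrict* directives that the reviewer grepped for, reporting any that are missing or set to a different value, so the check can be repeated for other units in the hardening effort. The two unit files it runs against are constructed inline for the demonstration and are not the real netlabel.service; the function name audit_unit and the EXPECTED list are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a systemd unit file for the sandboxing directives used in
# the netlabel.service hardening. Not part of the OBS request or the package.

# Expected directive=value pairs, copied from the unit shown in the review above.
EXPECTED="ProtectSystem=full
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true"

# audit_unit FILE
# Prints one "missing: X" or "mismatch: X=actual (expected Y)" line per problem.
# Returns 0 when every expected directive is present with the expected value,
# 1 otherwise. Any deviation from the expected value is reported, even a
# stronger one (e.g. ProtectSystem=strict), so the output stays easy to review.
audit_unit() {
    unit="$1"
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # systemd lets a later occurrence override an earlier one, so take the last match.
        have=$(grep -E "^${key}=" "$unit" | tail -n 1 | cut -d= -f2-)
        if [ -z "$have" ]; then
            echo "missing: $key"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "mismatch: $key=$have (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample units for a stand-alone run (hypothetical, not netlabel.service).
HARDENED=$(mktemp)
WEAK=$(mktemp)
trap 'rm -f "$HARDENED" "$WEAK"' EXIT

cat > "$HARDENED" <<'EOF'
[Unit]
Description=constructed hardened unit

[Service]
ExecStart=/bin/true
ProtectSystem=full
ProtectHome=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
EOF

cat > "$WEAK" <<'EOF'
[Service]
ExecStart=/bin/true
ProtectSystem=true
ProtectHome=true
EOF

echo "== hardened unit =="
audit_unit "$HARDENED" && echo "all expected hardening directives present"
echo "== weak unit =="
audit_unit "$WEAK" || echo "hardening incomplete"
```

Run it as a plain POSIX sh script; to audit a real installed unit, call audit_unit on the path under /usr/lib/systemd/system/ or on the output of `systemctl cat`. The audit only confirms that the directives are present, so the functional part of the reviewer's test (start the service, list the CIPSO DOI, stop it, list again) still has to be done on a host.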