From Fedora Project Wiki
(Created page with "<!DOCTYPE html> <html class="client-nojs" lang="en" dir="ltr"> <head> <meta charset="UTF-8"/> <title>Changes/EmptyTemplate - Fedora Project Wiki</title> <script>document.documentElement.className="client-js";RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy","wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestI...")
 
mNo edit summary
 
(74 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<!DOCTYPE html>
= Enable systemd service hardening features for default system services =
<html class="client-nojs" lang="en" dir="ltr">
<head>
<meta charset="UTF-8"/>
<title>Changes/EmptyTemplate - Fedora Project Wiki</title>
<script>document.documentElement.className="client-js";RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy","wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"ZVQCuSR5LAoMjyIM3zz07gAAAYE","wgCSPNonce":false,"wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Changes/EmptyTemplate","wgTitle":"Changes/EmptyTemplate","wgCurRevisionId":676986,"wgRevisionId":676986,"wgArticleId":49634,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":"Sundaram","wgUserGroups":["*","user","autoconfirmed"],"wgCategories":["ChangePageIncomplete","SelfContainedChange"],"wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Changes/EmptyTemplate","wgRelevantArticleId":49634,"wgUserId":21,"wgUserEditCount":2375,"wgUserRegistration":1211728581000,
"wgIsProbablyEditable":false,"wgRelevantPageIsProbablyEditable":false,"wgRestrictionEdit":["sysop"],"wgRestrictionMove":["sysop"]};RLSTATE={"site.styles":"ready","user.styles":"ready","user":"ready","user.options":"loading","mediawiki.skinning.interface":"ready","skins.fedora":"ready"};RLPAGEMODULES=["site","mediawiki.page.ready","mediawiki.toc","mediawiki.page.watch.ajax","skins.fedora.js"];</script>
<script>(RLQ=window.RLQ||[]).push(function(){mw.loader.implement("user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"68a4d257771bf1ba8855171278910476655402b9+\\","watchToken":"910c13d7a3b00223b3c89a635816d611655402b9+\\","csrfToken":"2f5b0b7cf488d68192cdeeb6d59b3ff0655402b9+\\"});});});</script>
<link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=mediawiki.skinning.interface%7Cskins.fedora&amp;only=styles&amp;skin=fedora"/>
<script async="" src="/w/load.php?lang=en&amp;modules=startup&amp;only=scripts&amp;raw=1&amp;skin=fedora"></script>
<link rel="stylesheet" href="https://apps.fedoraproject.org/global/fedora-bootstrap-1.0.1/fedora-bootstrap.css"/><link rel="stylesheet" href="https://apps.fedoraproject.org/global/fedora-bootstrap-fonts/open-sans.css"/><link rel="stylesheet" href="https://apps.fedoraproject.org/global/fedora-bootstrap-fonts/font-awesome.css"/><link rel="stylesheet" href="https://apps.fedoraproject.org/global/fedora-bootstrap-fonts/hack.css"/>
<meta name="ResourceLoaderDynamicStyles" content=""/>
<link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=site.styles&amp;only=styles&amp;skin=fedora"/>
<meta name="generator" content="MediaWiki 1.39.4"/>
<meta name="format-detection" content="telephone=no"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="icon" href="/favicon.ico"/>
<link rel="search" type="application/opensearchdescription+xml" href="/w/opensearch_desc.php" title="Fedora Project Wiki (en)"/>
<link rel="EditURI" type="application/rsd+xml" href="https://fedoraproject.org/w/api.php?action=rsd"/>
<link rel="license" href="/wiki/Legal:Main"/>
<link rel="alternate" type="application/atom+xml" title="Fedora Project Wiki Atom feed" href="/w/index.php?title=Special:RecentChanges&amp;feed=atom"/>
</head>
<body class="mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject page-Changes_EmptyTemplate rootpage-Changes skin-fedora action-view"> <div class="navbar navbar-full navbar-light masthead"><div class="container"><div class="row"><div class="col-md-4"><a href="/wiki/Fedora_Project_Wiki"><img src="/w/skins/Fedora/resources/images/fedorawiki_logo.png" alt="Fedora Project Wiki" height="40px"/></a></div><div class="col-md-3"><form action="/w/index.php" role="search" class="mw-portlet" id="p-search"><input type="hidden" value="Special:Search" name="title"/><h3><label for="searchInput">Search</label></h3><div class="input-group"><input type="search" name="search" placeholder="Search Fedora Project Wiki" aria-label="Search Fedora Project Wiki" autocapitalize="sentences" title="Search Fedora Project Wiki [f]" accesskey="f" id="searchInput" class="form-control"/><span class="input-group-btn"><button id="searchGoButton" class="btn btn-secondary" type="submit"><i class="fa fa-search"></i></button></span></div></form></div><div class="col-md-5"><ul class="nav navbar-nav pull-xs-right"><li class="nav-item dropdown"><a class="nav-link dropdown-toggle" data-toggle="dropdown" href="#" role="button">Links</a><ul class="dropdown-menu dropdown-menu-right"><li id="n-Get-Fedora" class="mw-list-item"><a href="https://getfedora.org/" class="dropdown-item">Get Fedora</a></li><li id="n-Fedora-Docs" class="mw-list-item"><a href="https://docs.fedoraproject.org/" class="dropdown-item">Fedora Docs</a></li><li id="n-Fedora-Magazine" class="mw-list-item"><a href="https://fedoramagazine.org/" class="dropdown-item">Fedora Magazine</a></li><li id="n-What-Can-I-Do?" class="mw-list-item"><a href="https://whatcanidoforfedora.org/" class="dropdown-item">What Can I Do?</a></li></ul></li><li class="nav-item dropdown"><a class="nav-link dropdown-toggle" data-toggle="dropdown" href="#" role="button">CodeOfConduct</a><ul class="dropdown-menu dropdown-menu-right"><li id="n-Code-of-Conduct" class="mw-list-item"><a href="https://docs.fedoraproject.org/en-US/project/code-of-conduct/" class="dropdown-item">Code of Conduct</a></li></ul></li><li class="nav-item dropdown"><a class="nav-link dropdown-toggle" data-toggle="dropdown" href="#" role="button">Subprojects</a><ul class="dropdown-menu dropdown-menu-right"><li id="n-Ambassadors" class="mw-list-item"><a href="/wiki/Ambassadors" class="dropdown-item">Ambassadors</a></li><li id="n-Community-Operations" class="mw-list-item"><a href="/wiki/CommOps" class="dropdown-item">Community Operations</a></li><li id="n-Design" class="mw-list-item"><a href="/wiki/Design" class="dropdown-item">Design</a></li><li id="n-Documentation" class="mw-list-item"><a href="/wiki/DocsProject" class="dropdown-item">Documentation</a></li><li id="n-EPEL" class="mw-list-item"><a href="/wiki/EPEL" class="dropdown-item">EPEL</a></li><li id="n-Infrastructure" class="mw-list-item"><a href="/wiki/Infrastructure" class="dropdown-item">Infrastructure</a></li><li id="n-Internationalization" class="mw-list-item"><a href="/wiki/I18N" class="dropdown-item">Internationalization</a></li><li id="n-Localization" class="mw-list-item"><a href="/wiki/L10N" class="dropdown-item">Localization</a></li><li id="n-Marketing" class="mw-list-item"><a href="/wiki/Marketing" class="dropdown-item">Marketing</a></li><li id="n-Magazine" class="mw-list-item"><a href="/wiki/Magazine" class="dropdown-item">Magazine</a></li><li id="n-Package-Maintainers" class="mw-list-item"><a href="/wiki/PackageMaintainers" class="dropdown-item">Package Maintainers</a></li><li id="n-Quality-Assurance" class="mw-list-item"><a href="/wiki/QA" class="dropdown-item">Quality Assurance</a></li><li id="n-Websites" class="mw-list-item"><a href="/wiki/Websites" class="dropdown-item">Websites</a></li><li id="n-All-projects" class="mw-list-item"><a href="/wiki/Projects" class="dropdown-item">All projects</a></li></ul></li><li class="nav-item dropdown"><a class="nav-link dropdown-toggle" data-toggle="dropdown" href="#" role="button"><img src="https://seccdn.libravatar.org/avatar/5c80ce8cad4354e63113e42b3da0d300?s=24&amp;d=retro"/></a><ul class="dropdown-menu dropdown-menu-right"><li id="pt-userpage" class="mw-list-item"><a class="dropdown-item" href="/wiki/User:Sundaram" title="Your user page [.]" accesskey=".">Sundaram</a></li><li id="pt-mytalk" class="mw-list-item"><a href="/wiki/User_talk:Sundaram" class="new dropdown-item" title="Your talk page (page does not exist) [n]" accesskey="n">Talk</a></li><li id="pt-preferences" class="mw-list-item"><a href="/wiki/Special:Preferences" title="Your preferences" class="dropdown-item">Preferences</a></li><li id="pt-watchlist" class="mw-list-item"><a href="/wiki/Special:Watchlist" title="A list of pages you are monitoring for changes [l]" accesskey="l" class="dropdown-item">Watchlist</a></li><li id="pt-mycontris" class="mw-list-item"><a href="/wiki/Special:Contributions/Sundaram" title="A list of your contributions [y]" accesskey="y" class="dropdown-item">Contributions</a></li><li id="pt-logout" class="mw-list-item"><a href="/w/index.php?title=Special:UserLogout&amp;returnto=Changes%2FEmptyTemplate" data-mw="interface" title="Log out" class="dropdown-item">Log out</a></li></ul></li></ul></div></div></div></div>


<div class="bodycontent">
<div class="sub-header p-t-1">
<div class="container">
<div class="row">
<div class="col-sm-6">
<h1><span class="mw-page-title-main">Changes/EmptyTemplate</span></h1> </div>
<div class="col-sm-6">
<div class="btn-group pull-xs-right">
<a class="mw-watchlink btn btn-sm btn-secondary" href="/w/index.php?title=Changes/EmptyTemplate&amp;action=watch" id="ca-watch" data-mw="interface" title="Add this page to your watchlist [w]" accesskey="w">Watch</a><div class="mw-indicators">
</div>
                        </div>
                    </div>
                </div>
    <div class="row">
<div class="col-sm-12">
<div class="pull-xs-right small text-muted">
This page was last edited on 8 May 2023, at 20:45. </div>
</div>
</div>


<ul class="nav nav-tabs nav-small m-l-0">
== Summary ==
<li class="nav-item" id="ca-nstab-main" class="selected mw-list-item"><a href="/wiki/Changes/EmptyTemplate" title="View the content page [c]" accesskey="c" class="nav-link active">Page</a></li class="nav-item"><li class="nav-item" id="ca-talk" class="mw-list-item"><a href="/wiki/Talk:Changes/EmptyTemplate" rel="discussion" class="mw-redirect nav-link" title="Discussion about the content page [t]" accesskey="t">Discussion</a></li class="nav-item"><li class="nav-item pull-xs-right" id="ca-view" class="selected mw-list-item"><a href="/wiki/Changes/EmptyTemplate" class="nav-link active">Read</a></li class="nav-item pull-xs-right"><li class="nav-item pull-xs-right" id="ca-viewsource" class="mw-list-item"><a href="/w/index.php?title=Changes/EmptyTemplate&amp;action=edit" title="This page is protected.&#10;You can view its source [e]" accesskey="e" class="nav-link">View source</a></li class="nav-item pull-xs-right"><li class="nav-item pull-xs-right" id="ca-history" class="mw-list-item"><a href="/w/index.php?title=Changes/EmptyTemplate&amp;action=history" title="Past revisions of this page [h]" accesskey="h" class="nav-link">View history</a></li class="nav-item pull-xs-right">
Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default system services.
</ul>
</div>
</div>


<div class="mw-body container" role="main">
== Owner ==
<div id="siteNotice"><div id="localNotice"><div class="sitenotice" lang="en" dir="ltr"></div></div></div><div id="siteSub">From Fedora Project Wiki</div>
<div class="mw-body-content">
<div id="contentSub"><p><span class="subpages">&lt; <a href="/wiki/Changes" title="Changes">Changes</a></span></p><p></p></div><div id="mw-content-text" class="mw-body-content mw-content-ltr" lang="en" dir="ltr"><div class="mw-parser-output"><div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/File:Important.png" class="image"><img alt="Important.png" src="/w/uploads/thumb/f/ff/Important.png/35px-Important.png" decoding="async" width="35" height="35" srcset="/w/uploads/f/ff/Important.png 1.5x" /></a></div>
<div><b> Comments and Explanations </b><br />The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br /> <b>Copy the source to a <i>new page</i> before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.</b></div>
</div>
<div class="messagebox" style="background-color: #def3fe; border: 1px solid #c5d7e0; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/File:Idea.png" class="image"><img alt="Idea.png" src="/w/uploads/thumb/a/a4/Idea.png/35px-Idea.png" decoding="async" width="35" height="35" srcset="/w/uploads/a/a4/Idea.png 1.5x" /></a></div>
<div><b> Guidance </b><br />For details on how to fill out this form, see the <a class="external text" href="https://docs.fedoraproject.org/en-US/program_management/changes_guide/">documentation</a>.</div>
</div>
<div class="messagebox" style="background-color: #def3fe; border: 1px solid #c5d7e0; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
<div style="float: left; margin-left: -40px;"><a href="/wiki/File:Idea.png" class="image"><img alt="Idea.png" src="/w/uploads/thumb/a/a4/Idea.png/35px-Idea.png" decoding="async" width="35" height="35" srcset="/w/uploads/a/a4/Idea.png 1.5x" /></a></div>
<div><b> Report issues </b><br />To report an issue with this template, file an issue in the <a class="external text" href="https://pagure.io/fedora-pgm/pgm_docs">pgm_docs repo</a>.</div>
</div>
<p><br />
</p>
<div id="toc" class="toc" role="navigation" aria-labelledby="mw-toc-heading"><input type="checkbox" role="button" id="toctogglecheckbox" class="toctogglecheckbox" style="display:none" /><div class="toctitle" lang="en" dir="ltr"><h2 id="mw-toc-heading">Contents</h2><span class="toctogglespan"><label class="toctogglelabel" for="toctogglecheckbox"></label></span></div>
<ul>
<li class="toclevel-1 tocsection-1"><a href="#Change_Proposal_Name"><span class="tocnumber">1</span> <span class="toctext">Change Proposal Name</span></a>
<ul>
<li class="toclevel-2 tocsection-2"><a href="#Summary"><span class="tocnumber">1.1</span> <span class="toctext">Summary</span></a></li>
<li class="toclevel-2 tocsection-3"><a href="#Owner"><span class="tocnumber">1.2</span> <span class="toctext">Owner</span></a></li>
<li class="toclevel-2 tocsection-4"><a href="#Current_status"><span class="tocnumber">1.3</span> <span class="toctext">Current status</span></a></li>
<li class="toclevel-2 tocsection-5"><a href="#Detailed_Description"><span class="tocnumber">1.4</span> <span class="toctext">Detailed Description</span></a></li>
<li class="toclevel-2 tocsection-6"><a href="#Feedback"><span class="tocnumber">1.5</span> <span class="toctext">Feedback</span></a></li>
<li class="toclevel-2 tocsection-7"><a href="#Benefit_to_Fedora"><span class="tocnumber">1.6</span> <span class="toctext">Benefit to Fedora</span></a></li>
<li class="toclevel-2 tocsection-8"><a href="#Scope"><span class="tocnumber">1.7</span> <span class="toctext">Scope</span></a></li>
<li class="toclevel-2 tocsection-9"><a href="#Upgrade/compatibility_impact"><span class="tocnumber">1.8</span> <span class="toctext">Upgrade/compatibility impact</span></a></li>
<li class="toclevel-2 tocsection-10"><a href="#How_To_Test"><span class="tocnumber">1.9</span> <span class="toctext">How To Test</span></a></li>
<li class="toclevel-2 tocsection-11"><a href="#User_Experience"><span class="tocnumber">1.10</span> <span class="toctext">User Experience</span></a></li>
<li class="toclevel-2 tocsection-12"><a href="#Dependencies"><span class="tocnumber">1.11</span> <span class="toctext">Dependencies</span></a></li>
<li class="toclevel-2 tocsection-13"><a href="#Contingency_Plan"><span class="tocnumber">1.12</span> <span class="toctext">Contingency Plan</span></a></li>
<li class="toclevel-2 tocsection-14"><a href="#Documentation"><span class="tocnumber">1.13</span> <span class="toctext">Documentation</span></a></li>
<li class="toclevel-2 tocsection-15"><a href="#Release_Notes"><span class="tocnumber">1.14</span> <span class="toctext">Release Notes</span></a></li>
</ul>
</li>
</ul>
</div>


<h1><span class="mw-headline" id="Change_Proposal_Name">Change Proposal Name</span></h1>
* Name: [[User:Sundaram| Rahul Sundaram]]
<div class="messagebox" style="background-color: #f9f6b7; border: 1px solid #c4c295; color: black; padding: 5px; margin: 1ex 0; min-height: 35px; padding-left: 45px;">
* Email: metherid@gmail.com
<div style="float: left; margin-left: -40px;"><a href="/wiki/File:Important.png" class="image"><img alt="Important.png" src="/w/uploads/thumb/f/ff/Important.png/35px-Important.png" decoding="async" width="35" height="35" srcset="/w/uploads/f/ff/Important.png 1.5x" /></a></div>
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<div><b>This is a <i>proposed</i> Change for Fedora Linux.</b><br />This document represents a <i>proposed</i> Change. As part of the <a class="external text" href="https://docs.fedoraproject.org/en-US/program_management/changes_policy/">Changes process</a>, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.</div>
* FESCo shepherd: [[User:FASAccountName| Shepherd name]] <email address>
</div>
<h2><span class="mw-headline" id="Summary">Summary</span></h2>
<h2><span class="mw-headline" id="Owner">Owner</span></h2>
<ul><li>Name: <a href="/wiki/User:FASAcountName" title="User:FASAcountName"> Your Name</a></li>
<li>Email: &lt;your email address so we can contact you, invite you to meetings, etc. Please provide your Bugzilla email address if it is different from your email in FAS&gt;</li></ul>
<p><br />
</p>
<h2><span class="mw-headline" id="Current_status">Current status</span></h2>
<ul><li>Targeted release: <a class="external text" href="https://docs.fedoraproject.org/en-US/releases/f">&lt;VERSION&gt;/ Fedora Linux &lt;VERSION&gt;</a></li>
<li>Last updated:  2023-05-08</li>
<li>[&lt;will be assigned by the Wrangler&gt; devel thread]</li>
<li>FESCo issue: &lt;will be assigned by the Wrangler&gt;</li>
<li>Tracker bug: &lt;will be assigned by the Wrangler&gt;</li>
<li>Release notes tracker: &lt;will be assigned by the Wrangler&gt;</li></ul>
<h2><span class="mw-headline" id="Detailed_Description">Detailed Description</span></h2>
<h2><span class="mw-headline" id="Feedback">Feedback</span></h2>
<h2><span class="mw-headline" id="Benefit_to_Fedora">Benefit to Fedora</span></h2>
<h2><span class="mw-headline" id="Scope">Scope</span></h2>
<ul><li>Proposal owners:</li></ul>
<ul><li>Other developers:</li></ul>
<ul><li>Release engineering: <a class="external text" href="https://pagure.io/releng/issues">#Releng issue number</a></li></ul>
<ul><li>Policies and guidelines: N/A (not needed for this Change)</li></ul>
<ul><li>Trademark approval: N/A (not needed for this Change)</li></ul>
<ul><li>Alignment with Community Initiatives:</li></ul>
<h2><span id="Upgrade.2Fcompatibility_impact"></span><span class="mw-headline" id="Upgrade/compatibility_impact">Upgrade/compatibility impact</span></h2>
<h2><span class="mw-headline" id="How_To_Test">How To Test</span></h2>
<h2><span class="mw-headline" id="User_Experience">User Experience</span></h2>
<h2><span class="mw-headline" id="Dependencies">Dependencies</span></h2>
<h2><span class="mw-headline" id="Contingency_Plan">Contingency Plan</span></h2>
<ul><li>Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)</li>
<li>Contingency deadline: N/A (not a System Wide Change)</li>
<li>Blocks release? N/A (not a System Wide Change), Yes/No</li></ul>
<p><br />
</p>
<h2><span class="mw-headline" id="Documentation">Documentation</span></h2>
<p>N/A (not a System Wide Change)
</p>
<h2><span class="mw-headline" id="Release_Notes">Release Notes</span></h2>
<!--
NewPP limit report
Cached time: 20231114100818
Cache expiry: 86400
Reduced expiry: false
Complications: [show‐toc]
CPU time usage: 0.019 seconds
Real time usage: 0.022 seconds
Preprocessor visited node count: 278/1000000
Post‐expand include size: 5799/2097152 bytes
Template argument size: 2990/2097152 bytes
Highest expansion depth: 7/100
Expensive parser function count: 0/100
Unstrip recursion depth: 0/20
Unstrip post‐expand size: 0/5000000 bytes
-->
-->
<!--
 
Transclusion expansion time report (%,ms,calls,template)
== Current status ==
100.00%    5.433      1 -total
[[Category:ChangeAcceptedF42]]
51.48%    2.797      2 Template:Admon/important
<!-- When your change proposal page is completed and ready for review and announcement -->
36.40%    1.978      4 Template:Message
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
  27.17%    1.476      2 Template:Admon/tip
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangeAnnounced (no action required) -->
23.47%    1.275      1 Template:Change_Proposal_Banner
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
 
<!-- Select proper category, default is Self Contained Change -->
[[Category:SystemWideChange]]
 
* Targeted release: Fedora 42
* Last updated: <!-- this is an automatic macro — you don't need to change this line --> {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page
Bugzilla state meanings:
ASSIGNED -> accepted by FESCo with ongoing development
MODIFIED -> change is substantially done and testable
ON_QA -> change is fully code complete
-->
-->
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/ICCQ4GTH74UCR4LY3LWLOTTKW3RWKBMX/ Announced]
* [https://discussion.fedoraproject.org/t/f40-change-proposal-systemd-security-hardening-system-wide/96423 Discussion thread]
* FESCo issue: [https://pagure.io/fesco/issue/3117 #3117]
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2260082 #2260082]
* Release notes tracker: <will be assigned by the Wrangler>
== Detailed Description ==
systemd provides a number of settings that can harden security for services. We are selecting a few high level ones to enable by default on a service by service basis as suitable for that particular service.
* `PrivateTmp=yes`
* `ProtectSystem=yes/full/strict`
* `ProtectHome=yes/read-only`
* `ProtectClock=yes`
* `ProtectHostname=yes`
* `ProtectControlGroups=yes`
* `ProtectHostname=yes`
* `ProtectKernelLogs=yes`
* `ProtectKernelModules=yes`
* `ProtectKernelTunables=yes`
* `ProtectProc=invisible`
* `PrivateDevices=yes`
* `PrivateNetwork=yes`
* `NoNewPrivileges=yes`
* `User=`
If we want to go further, we could also consider:
* `CapabilityBoundingSet=`
* `DevicePolicy=closed`
* `KeyringMode=private`
* `LockPersonality=yes`
* `MemoryDenyWriteExecute=yes`
* `PrivateUsers=yes`
* `RemoveIPC=yes`
* `RestrictAddressFamilies=`
* `RestrictNamespaces=yes`
* `RestrictRealtime=yes`
* `RestrictSUIDSGID=yes`
* `SystemCallFilter=`
* `SystemCallArchitectures=native`
We will aim to cover as many of the default system services as we can. We will prioritize critical or long running services. All of these settings need to be configured on a per service basis instead of using a global override to facilitate fine tuning the settings based on service requirements and limit the impact for users on upgrades. Certain services have a very targeted scope. For instance, a service that only needs to read or write from only one directory could leverage more fine grained settings to restrict access even further. We will enable as many of these as feasible for the services but not every knob is going to be applicable to every service. For example, `PrivateNetwork=yes` can only be used for services that does not need network connectivity by default.  We have to choose between `DynamicUser=yes` or `User` if either is feasible for the service to use. As a base starting point, from Fedora 39 workstation, we have the following system services installed by default which should considered within the scope of the change (excluding systemd associated ones which already have a number of these security settings enabled).
* `abrtd.service`
* `abrt-journal-core.service`
* `abrt-oops.service`
* `abrt-pstoreoops.service`
* `abrt-vmcore.service`
* `abrt-xorg.service`
* `accounts-daemon.service`
* `alsa-restore.service`
* `alsa-state.service`
* `anaconda-direct.service`
* `anaconda-fips.service`
* `anaconda-nm-config.service`
* `anaconda-nm-disable-autocons.service`
* `anaconda-noshell.service`
* `anaconda-pre.service`
* `anaconda.service`
* `anaconda-sshd.service`
* `arp-ethers.service`
* `auditd.service`
* `auth-rpcgss-module.service`
* `avahi-daemon.service`
* `blivet.service`
* `blk-availability.service`
* `bluetooth.service`
* `bolt.service`
* `brltty.service`
* `canberra-system-bootup.service`
* `canberra-system-shutdown-reboot.service`
* `canberra-system-shutdown.service`
* `chronyd-restricted.service`
* `chronyd.service`
* `chrony-wait.service`
* `colord.service`
* `console-getty.service`
* `cups-browsed.service`
* `cups.service`
* `dbus-broker.service`
* `dbus-daemon.service`
* `dbus-org.freedesktop.hostname1.service`
* `dbus-org.freedesktop.import1.service`
* `dbus-org.freedesktop.locale1.service`
* `dbus-org.freedesktop.login1.service`
* `dbus-org.freedesktop.machine1.service`
* `dbus-org.freedesktop.portable1.service`
* `dbus-org.freedesktop.timedate1.service`
* <strike>`debug-shell.service`</strike> (opens a user shell that must be able to do arbitrary stuff)
* `dm-event.service`
* `dnf-makecache.service`
* `dnf-system-upgrade-cleanup.service`
* `dnf-system-upgrade.service`
* `dnsmasq.service`
* `dracut-cmdline.service`
* `dracut-initqueue.service`
* `dracut-mount.service`
* `dracut-pre-mount.service`
* `dracut-pre-pivot.service`
* `dracut-pre-trigger.service`
* `dracut-pre-udev.service`
* `dracut-shutdown-onfailure.service`
* `dracut-shutdown.service`
* <strike>`emergency.service`</strike> (opens a user shell that must be able to do arbitrary stuff)
* `fedora-third-party-refresh.service`
* `firewalld.service`
* `flatpak-add-fedora-repos.service`
* `flatpak-system-helper.service`
* `fprintd.service`
* `fsidd.service`
* `fstrim.service`
* `fwupd-offline-update.service`
* `fwupd-refresh.service`
* `fwupd.service`
* `gdm.service`
* `geoclue.service`
* `grub-boot-indeterminate.service`
* `gssproxy.service`
* `htcacheclean.service`
* `httpd.service`
* `hypervfcopyd.service`
* `hypervkvpd.service`
* `hypervvssd.service`
* `iio-sensor-proxy.service`
* `import-state.service`
* `initrd-cleanup.service`
* `initrd-parse-etc.service`
* `initrd-switch-root.service`
* `initrd-udevadm-cleanup-db.service`
* `instperf.service`
* `ipp-usb.service`
* `iscsid.service`
* `iscsi-init.service`
* `iscsi-onboot.service`
* `iscsi.service`
* `iscsi-shutdown.service`
* `iscsi-starter.service`
* `iscsiuio.service`
* `kdump.service`
* `kmod-static-nodes.service`
* `ldconfig.service`
* `libvirtd.service`
* `libvirt-guests.service`
* <strike> `livesys-late.service`</strike> (adhoc live env config)
* <strike> `livesys.service`</strike> (adhoc live env config)
* `loadmodules.service`
* `logrotate.service`
* `low-memory-monitor.service`
* `lvm2-lvmdbusd.service`
* `lvm2-lvmpolld.service`
* `lvm2-monitor.service`
* `man-db-cache-update.service`
* `man-db-restart-cache-update.service`
* `mcelog.service`
* `mdcheck_continue.service`
* `mdcheck_start.service`
* `mdmonitor-oneshot.service`
* `mdmonitor.service`
* `ModemManager.service`
* `ndctl-monitor.service`
* `netavark-dhcp-proxy.service`
* `NetworkManager-dispatcher.service`
* `NetworkManager.service`
* `NetworkManager-wait-online.service`
* `nfs-blkmap.service`
* `nfsdcld.service`
* `nfs-idmapd.service`
* `nfs-mountd.service`
* `nfs-server.service`
* `nfs-utils.service`
* `nftables.service`
* `nis-domainname.service`
* `nm-priv-helper.service`
* `numad.service`
* `nvmefc-boot-connections.service`
* `nvmf-autoconnect.service`
* `ostree-boot-complete.service`
* `ostree-finalize-staged-hold.service`
* `ostree-finalize-staged.service`
* `ostree-prepare-root.service`
* `ostree-remount.service`
* `packagekit-offline-update.service`
* `packagekit.service`
* `pam_namespace.service`
* `pcscd.service`
* `plocate-updatedb.service`
* `plymouth-halt.service`
* `plymouth-kexec.service`
* `plymouth-poweroff.service`
* `plymouth-quit.service`
* `plymouth-quit-wait.service`
* `plymouth-read-write.service`
* `plymouth-reboot.service`
* `plymouth-start.service`
* `plymouth-switch-root-initramfs.service`
* `plymouth-switch-root.service`
* `podman-auto-update.service`
* `podman-clean-transient.service`
* `podman-restart.service`
* `podman.service`
* `polkit.service`
* `power-profiles-daemon.service`
* `psacct.service`
* `qemu-guest-agent.service`
* `qemu-pr-helper.service`
* `quotaon.service`
* `raid-check.service`
* <strike>`rc-local.service`</strike> (this can do arbitrary stuff)
* `realmd.service`
* `rescue.service`
* `rpcbind.service`
* `rpc-gssd.service`
* `rpc-statd-notify.service`
* `rpc-statd.service`
* `rpmdb-migrate.service`
* `rpmdb-rebuild.service`
* `rtkit-daemon.service`
* `saslauthd.service`
* `selinux-autorelabel-mark.service`
* `selinux-autorelabel.service`
* `selinux-check-proper-disable.service`
* `speech-dispatcherd.service`
* `spice-vdagentd.service`
* `spice-webdavd.service`
* `sshd.service`
* `ssh-host-keys-migration.service`
* `sssd-autofs.service`
* `sssd-kcm.service`
* `sssd-nss.service`
* `sssd-pac.service`
* `sssd-pam.service`
* `sssd.service`
* `sssd-ssh.service`
* `sssd-sudo.service`
* `switcheroo-control.service`
* `system-update-cleanup.service`
* `tcsd.service`
* `thermald.service`
* `udisks2.service`
* `unbound-anchor.service`
* `upower.service`
* `uresourced.service`
* `usbmuxd.service`
* `vboxclient.service`
* `vboxservice.service`
* `vgauthd.service`
* `virtinterfaced.service`
* `virtlockd.service`
* `virtlogd.service`
* `virtnetworkd.service`
* `virtnodedevd.service`
* `virtnwfilterd.service`
* `virtproxyd.service`
* `virtqemud.service`
* `virtsecretd.service`
* `virtstoraged.service`
* `vmtoolsd.service`
* `wpa_supplicant.service`
* `zfs-fuse-scrub.service`
* `zfs-fuse.service`
* `zvbid.service`
For a concrete example,  Httpd in Fedora uses only `PrivateTmp` because of https://fedoraproject.org/wiki/Features/ServicesPrivateTmp implemented in early 2012.
https://src.fedoraproject.org/rpms/httpd/blob/rawhide/f/httpd.service
Over the decade since then, systemd has introduced a large number of additional directives.  There has been discussions about enabling more of these features in the project before (covered in https://lwn.net/Articles/709755/). It's time to move forward with this.
== Feedback ==
* Updated the upstreaming guidance to take into account minimum supported version of systemd based on feedback in https://discussion.fedoraproject.org/t/96423/2.  Daniel still feels that these changes are better done upstream exclusively.  Others noted that Fedora does enable a number of compiler flags and additional security features including SELinux by default and systemd sandboxing features can follow that pattern.  Package maintainers should be encouraged to contribute these changes upstream.  IMO, however Fedora should be "First" and adopt these "Features" to be true to it's mission.  Fedora shouldn't limit itself to passively following whatever upstream happens to include as many may not even include a systemd service file and do not enable the vast majority of these features even when they do.  Fedora is better positioned to provide more comprehensive coverage of these features by default given that Fedora always included the very latest systemd releases by default and act as an integration point for newer systemd sandboxing features.
* Added a concrete example in the form of Httpd as part of the feedback in https://discussion.fedoraproject.org/t/96423/11 and followup at https://discussion.fedoraproject.org/t/96423/18 reiterated that all the settings will not be applicable to all the services.
* There was a suggestion to user drop-in config snippets instead of changing the service files directly to make the hardening settings readily visible at https://discussion.fedoraproject.org/t/96423/6 and another suggestion to do it in /usr/lib since Fedora already follows that pattern in https://discussion.fedoraproject.org/t/96423/8.  The current understanding is that it will impact potentially non distro services if we do this and that will be too risky. We are not going to follow this pattern.
* There was some discussions about scope and I have added my rationale at https://discussion.fedoraproject.org/t/96423/15
* There was some discussions on updating the packaging guidelines and making the changes advertised well. I have proposed some initial draft for both the packaging guidelines and release notes, both of which will evolve as we firm up our approach (drop-in vs direct service changes etc).
* Systemd does not support a general mechanism of resetting a directive back to default by setting it to an empty value. You must instead explicitly set the value depending on the setting and this was noted in https://discussion.fedoraproject.org/t/96423/17
== Benefit to Fedora ==
Fedora services will get a significant security boost by default by avoiding or mitigating any unknown security vulnerabilities in default system services.  Since Fedora will include the very latest version of systemd and other components and has the visibility and control of the default configuration of the services, it can go well beyond what upstream can support directly based on their minimum version of systemd.  Since Fedora already has the reputation of being security focused (SELinux enabled by default, system wide compiler flags that enable a number of security features etc), it is in a good position to act as a coordination and integration point. 
It can be the first mainstream distribution that enables more of these systemd hardening features by default and push that upstream wherever feasible.  This serves the first, features and friends part of the Fedora mission respectively.
== Scope ==
* Proposal owners: Individual per service pull requests to enable various security features as applicable.
* Other developers: Review PRs as needed
* Release engineering: https://pagure.io/releng/issue/11785
* Policies and guidelines:
Packaging guidelines will have to be modified to add recommendations to use more of the systemd security features by default. In particular, we should add a security settings section in https://fedoraproject.org/wiki/Packaging:Systemd.  Current the guidance only recommends a couple of settings for long running services.  Sample text:
Systemd services included in Fedora are recommended to use as many of the following security settings as applicable while maintaining the default functionality of the service.
<List of enabled hardening settings>
The full list of sandboxing features are available in https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing.  Note that if you are submitting changes to upstream as recommended in https://docs.fedoraproject.org/en-US/packaging-guidelines/PatchUpstreamStatus/, systemd will warn and ignore any of these features it doesn't support. So while the service itself won't break, these warnings can add to the support burden. Please take into account the minimum required version of systemd that upstream supports and only include those settings or provide build system logic to conditionally build the default unit file when submitting these patches upstream.  The specific version of systemd required for any of these settings is documented in the systemd exec man page.
* Trademark approval: N/A
== Upgrade/compatibility impact ==
Packages will automatically get additional security features enabled by default transparently.  In limited circumstances, they may need to override the defaults.  Refer to user experience section for details.
== How To Test ==
You can use tools like `systemd-analyze security` and `systemctl cat` to verify that specific security features are enabled by default. Default services with the default features should have no adverse impact and users shouldn't have to do anything beyond using the software as intended and report any regressions.  High profile services not installed by default that gain these security features would benefit from more targeting testing to spot any unintended consequences especially for niche or advanced functionality.  If advanced non-default functionality requires overrides default settings, we can document those in the release notes to provide guidance.
== User Experience ==
This should be largely transparent change for users. The goal is to have the services work as expected with the default functionality but to potentially require tweaking the settings if the configuration is changed by users after installation.  For instance, if we add `ProtectHome=yes`to a web service and the user wishes to serve files out of their home directory, they will need to override the systemd setting to `ProtectHome=read-only` to allow for the service to read from the user home directory in addition to changing the service specific configuration files to enable this feature.
== Dependencies ==
None.  We are merely enabling some of systemd security features by default for default system services.
== Contingency Plan ==
* Contingency mechanism:  These settings can be enabled/disabled at a per service level.  No wholesale reverts is necessary. If we don't finish the work for all the services, we can follow up in future releases.
* Contingency deadline: N/A
* Blocks release? No
== Documentation ==
* https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing
* https://docs.arbitrary.ch/security/systemd.html
* https://www.redhat.com/sysadmin/systemd-secure-services
* https://www.redhat.com/sysadmin/mastering-systemd
== Release Notes ==
systemd security hardening features are enabled for default system services. If you wish to turn off any particular settings, you can follow the standard systemd method of overriding the config.  For example,
`$ cat /etc/systemd/system/httpd.service.d/override.conf
[Service]
ProtectHome=no`
`
$ sudo systemctl daemon-reload
$ sudo systemctl restart httpd.service`


<!-- Saved in parser cache with key fpo?hmediawiki-en_:pcache:idhash:49634-0!canonical and timestamp 20231114100818 and revision id 676986.
-->
</div></div><div class="visualClear"></div><div class="printfooter">Retrieved from "<a dir="ltr" href="https://fedoraproject.org/w/index.php?title=Changes/EmptyTemplate&amp;oldid=676986">https://fedoraproject.org/w/index.php?title=Changes/EmptyTemplate&amp;oldid=676986</a>"</div><div id="catlinks" class="catlinks" data-mw="interface"><div id="mw-normal-catlinks" class="mw-normal-catlinks"><a href="/wiki/Special:Categories" title="Special:Categories">Categories</a>: <ul><li><a href="/wiki/Category:ChangePageIncomplete" title="Category:ChangePageIncomplete">ChangePageIncomplete</a></li><li><a href="/wiki/Category:SelfContainedChange" title="Category:SelfContainedChange">SelfContainedChange</a></li></ul></div></div> </div>
</div>


<div id="mw-footer" class="footer text-muted text-xs-center m-t-3 p-y-3">
`$ systemctl status httpd.service
<p class="copy">
Copyright &copy; 2023 Red Hat, Inc. and others.  All Rights Reserved.  For comments or queries, please <a href="/wiki/Communicating_and_getting_help">contact us</a>.
</p>
<p class="disclaimer">
The Fedora Project is maintained and driven by the community and sponsored by Red Hat.  This is a community maintained site.  Red Hat is not responsible for content.
</p>
<ul id="footer-info" role="contentinfo"><li id="footer-info-lastmod"> This page was last edited on 8 May 2023, at 20:45.</li><li id="footer-info-copyright">Content is available under <a href="/wiki/Legal:Main" title="Legal:Main">Attribution-Share Alike 4.0 International</a> unless otherwise noted.</li></ul><ul id="footer-places" role="contentinfo"><li id="footer-places-privacy"><a href="/wiki/Fedora_Project_Wiki:Privacy_policy">Privacy policy</a></li><li id="footer-places-about"><a href="/wiki/Fedora_Project_Wiki:About">About Fedora Project Wiki</a></li><li id="footer-places-disclaimer"><a href="/wiki/Fedora_Project_Wiki:General_disclaimer">Disclaimers</a></li><li><a href='https://docs.fedoraproject.org/en-US/project/code-of-conduct/'>Code of Conduct</a></li><li><a href='http://fedoraproject.org/en/sponsors'>Sponsors</a></li><li><a href='http://fedoraproject.org/wiki/Legal:Main'>Legal</a></li><li><a href='http://fedoraproject.org/wiki/Legal:Trademark_guidelines'>Trademark Guidelines</a></li></ul><div class="visualClear"></div>
</div>
</div>


<script>(RLQ=window.RLQ||[]).push(function(){mw.log.warn("This page is using the deprecated ResourceLoader module \"mediawiki.skinning.interface\".\n[1.37] The use of the `content` feature with ResourceLoaderSkinModule is deprecated. Use `content-media` instead. [1.37] The use of the `legacy` feature with ResourceLoaderSkinModule is deprecated(T89981) and is a NOOP since 1.39 (T304325). This should be urgently omited to retain compatibility with future MediaWiki versionsMore information can be found at [[mw:Manual:ResourceLoaderSkinModule]]. ");mw.config.set({"wgPageParseReport":{"limitreport":{"cputime":"0.019","walltime":"0.022","ppvisitednodes":{"value":278,"limit":1000000},"postexpandincludesize":{"value":5799,"limit":2097152},"templateargumentsize":{"value":2990,"limit":2097152},"expansiondepth":{"value":7,"limit":100},"expensivefunctioncount":{"value":0,"limit":100},"unstrip-depth":{"value":0,"limit":20},"unstrip-size":{"value":0,"limit":5000000},"timingprofile":["100.00%    5.433      1 -total"," 51.48%    2.797      2 Template:Admon/important"," 36.40%    1.978      4 Template:Message"," 27.17%    1.476     2 Template:Admon/tip"," 23.47%    1.275      1 Template:Change_Proposal_Banner"]},"cachereport":{"timestamp":"20231114100818","ttl":86400,"transientcontent":false}}});mw.config.set({"wgBackendResponseTime":226});});</script> </body>
● httpd.service - The Apache HTTP Server
</html>
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
    Drop-In: /etc/systemd/system/httpd.service.d
            └─override.conf
     Active: active (running) since Mon 2023-11-15 18:29:25 EST; 3min 30s ago`

Latest revision as of 16:59, 2 October 2024

Enable systemd service hardening features for default system services

Summary

Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default system services.

Owner

Current status

Detailed Description

systemd provides a number of settings that can harden security for services. We are selecting a few high level ones to enable by default on a service by service basis as suitable for that particular service.

  • PrivateTmp=yes
  • ProtectSystem=yes/full/strict
  • ProtectHome=yes/read-only
  • ProtectClock=yes
  • ProtectHostname=yes
  • ProtectControlGroups=yes
  • ProtectHostname=yes
  • ProtectKernelLogs=yes
  • ProtectKernelModules=yes
  • ProtectKernelTunables=yes
  • ProtectProc=invisible
  • PrivateDevices=yes
  • PrivateNetwork=yes
  • NoNewPrivileges=yes
  • User=

If we want to go further, we could also consider:

  • CapabilityBoundingSet=
  • DevicePolicy=closed
  • KeyringMode=private
  • LockPersonality=yes
  • MemoryDenyWriteExecute=yes
  • PrivateUsers=yes
  • RemoveIPC=yes
  • RestrictAddressFamilies=
  • RestrictNamespaces=yes
  • RestrictRealtime=yes
  • RestrictSUIDSGID=yes
  • SystemCallFilter=
  • SystemCallArchitectures=native


We will aim to cover as many of the default system services as we can. We will prioritize critical or long running services. All of these settings need to be configured on a per service basis instead of using a global override to facilitate fine tuning the settings based on service requirements and limit the impact for users on upgrades. Certain services have a very targeted scope. For instance, a service that only needs to read or write from only one directory could leverage more fine grained settings to restrict access even further. We will enable as many of these as feasible for the services but not every knob is going to be applicable to every service. For example, PrivateNetwork=yes can only be used for services that does not need network connectivity by default. We have to choose between DynamicUser=yes or User if either is feasible for the service to use. As a base starting point, from Fedora 39 workstation, we have the following system services installed by default which should considered within the scope of the change (excluding systemd associated ones which already have a number of these security settings enabled).

  • abrtd.service
  • abrt-journal-core.service
  • abrt-oops.service
  • abrt-pstoreoops.service
  • abrt-vmcore.service
  • abrt-xorg.service
  • accounts-daemon.service
  • alsa-restore.service
  • alsa-state.service
  • anaconda-direct.service
  • anaconda-fips.service
  • anaconda-nm-config.service
  • anaconda-nm-disable-autocons.service
  • anaconda-noshell.service
  • anaconda-pre.service
  • anaconda.service
  • anaconda-sshd.service
  • arp-ethers.service
  • auditd.service
  • auth-rpcgss-module.service
  • avahi-daemon.service
  • blivet.service
  • blk-availability.service
  • bluetooth.service
  • bolt.service
  • brltty.service
  • canberra-system-bootup.service
  • canberra-system-shutdown-reboot.service
  • canberra-system-shutdown.service
  • chronyd-restricted.service
  • chronyd.service
  • chrony-wait.service
  • colord.service
  • console-getty.service
  • cups-browsed.service
  • cups.service
  • dbus-broker.service
  • dbus-daemon.service
  • dbus-org.freedesktop.hostname1.service
  • dbus-org.freedesktop.import1.service
  • dbus-org.freedesktop.locale1.service
  • dbus-org.freedesktop.login1.service
  • dbus-org.freedesktop.machine1.service
  • dbus-org.freedesktop.portable1.service
  • dbus-org.freedesktop.timedate1.service
  • debug-shell.service (opens a user shell that must be able to do arbitrary stuff)
  • dm-event.service
  • dnf-makecache.service
  • dnf-system-upgrade-cleanup.service
  • dnf-system-upgrade.service
  • dnsmasq.service
  • dracut-cmdline.service
  • dracut-initqueue.service
  • dracut-mount.service
  • dracut-pre-mount.service
  • dracut-pre-pivot.service
  • dracut-pre-trigger.service
  • dracut-pre-udev.service
  • dracut-shutdown-onfailure.service
  • dracut-shutdown.service
  • emergency.service (opens a user shell that must be able to do arbitrary stuff)
  • fedora-third-party-refresh.service
  • firewalld.service
  • flatpak-add-fedora-repos.service
  • flatpak-system-helper.service
  • fprintd.service
  • fsidd.service
  • fstrim.service
  • fwupd-offline-update.service
  • fwupd-refresh.service
  • fwupd.service
  • gdm.service
  • geoclue.service
  • grub-boot-indeterminate.service
  • gssproxy.service
  • htcacheclean.service
  • httpd.service
  • hypervfcopyd.service
  • hypervkvpd.service
  • hypervvssd.service
  • iio-sensor-proxy.service
  • import-state.service
  • initrd-cleanup.service
  • initrd-parse-etc.service
  • initrd-switch-root.service
  • initrd-udevadm-cleanup-db.service
  • instperf.service
  • ipp-usb.service
  • iscsid.service
  • iscsi-init.service
  • iscsi-onboot.service
  • iscsi.service
  • iscsi-shutdown.service
  • iscsi-starter.service
  • iscsiuio.service
  • kdump.service
  • kmod-static-nodes.service
  • ldconfig.service
  • libvirtd.service
  • libvirt-guests.service
  • livesys-late.service (adhoc live env config)
  • livesys.service (adhoc live env config)
  • loadmodules.service
  • logrotate.service
  • low-memory-monitor.service
  • lvm2-lvmdbusd.service
  • lvm2-lvmpolld.service
  • lvm2-monitor.service
  • man-db-cache-update.service
  • man-db-restart-cache-update.service
  • mcelog.service
  • mdcheck_continue.service
  • mdcheck_start.service
  • mdmonitor-oneshot.service
  • mdmonitor.service
  • ModemManager.service
  • ndctl-monitor.service
  • netavark-dhcp-proxy.service
  • NetworkManager-dispatcher.service
  • NetworkManager.service
  • NetworkManager-wait-online.service
  • nfs-blkmap.service
  • nfsdcld.service
  • nfs-idmapd.service
  • nfs-mountd.service
  • nfs-server.service
  • nfs-utils.service
  • nftables.service
  • nis-domainname.service
  • nm-priv-helper.service
  • numad.service
  • nvmefc-boot-connections.service
  • nvmf-autoconnect.service
  • ostree-boot-complete.service
  • ostree-finalize-staged-hold.service
  • ostree-finalize-staged.service
  • ostree-prepare-root.service
  • ostree-remount.service
  • packagekit-offline-update.service
  • packagekit.service
  • pam_namespace.service
  • pcscd.service
  • plocate-updatedb.service
  • plymouth-halt.service
  • plymouth-kexec.service
  • plymouth-poweroff.service
  • plymouth-quit.service
  • plymouth-quit-wait.service
  • plymouth-read-write.service
  • plymouth-reboot.service
  • plymouth-start.service
  • plymouth-switch-root-initramfs.service
  • plymouth-switch-root.service
  • podman-auto-update.service
  • podman-clean-transient.service
  • podman-restart.service
  • podman.service
  • polkit.service
  • power-profiles-daemon.service
  • psacct.service
  • qemu-guest-agent.service
  • qemu-pr-helper.service
  • quotaon.service
  • raid-check.service
  • rc-local.service (this can do arbitrary stuff)
  • realmd.service
  • rescue.service
  • rpcbind.service
  • rpc-gssd.service
  • rpc-statd-notify.service
  • rpc-statd.service
  • rpmdb-migrate.service
  • rpmdb-rebuild.service
  • rtkit-daemon.service
  • saslauthd.service
  • selinux-autorelabel-mark.service
  • selinux-autorelabel.service
  • selinux-check-proper-disable.service
  • speech-dispatcherd.service
  • spice-vdagentd.service
  • spice-webdavd.service
  • sshd.service
  • ssh-host-keys-migration.service
  • sssd-autofs.service
  • sssd-kcm.service
  • sssd-nss.service
  • sssd-pac.service
  • sssd-pam.service
  • sssd.service
  • sssd-ssh.service
  • sssd-sudo.service
  • switcheroo-control.service
  • system-update-cleanup.service
  • tcsd.service
  • thermald.service
  • udisks2.service
  • unbound-anchor.service
  • upower.service
  • uresourced.service
  • usbmuxd.service
  • vboxclient.service
  • vboxservice.service
  • vgauthd.service
  • virtinterfaced.service
  • virtlockd.service
  • virtlogd.service
  • virtnetworkd.service
  • virtnodedevd.service
  • virtnwfilterd.service
  • virtproxyd.service
  • virtqemud.service
  • virtsecretd.service
  • virtstoraged.service
  • vmtoolsd.service
  • wpa_supplicant.service
  • zfs-fuse-scrub.service
  • zfs-fuse.service
  • zvbid.service

For a concrete example, Httpd in Fedora uses only PrivateTmp because of https://fedoraproject.org/wiki/Features/ServicesPrivateTmp implemented in early 2012.

https://src.fedoraproject.org/rpms/httpd/blob/rawhide/f/httpd.service

Over the decade since then, systemd has introduced a large number of additional directives. There has been discussions about enabling more of these features in the project before (covered in https://lwn.net/Articles/709755/). It's time to move forward with this.

Feedback

  • Updated the upstreaming guidance to take into account minimum supported version of systemd based on feedback in https://discussion.fedoraproject.org/t/96423/2. Daniel still feels that these changes are better done upstream exclusively. Others noted that Fedora does enable a number of compiler flags and additional security features including SELinux by default and systemd sandboxing features can follow that pattern. Package maintainers should be encouraged to contribute these changes upstream. IMO, however Fedora should be "First" and adopt these "Features" to be true to it's mission. Fedora shouldn't limit itself to passively following whatever upstream happens to include as many may not even include a systemd service file and do not enable the vast majority of these features even when they do. Fedora is better positioned to provide more comprehensive coverage of these features by default given that Fedora always included the very latest systemd releases by default and act as an integration point for newer systemd sandboxing features.
  • Added a concrete example in the form of Httpd as part of the feedback in https://discussion.fedoraproject.org/t/96423/11 and followup at https://discussion.fedoraproject.org/t/96423/18 reiterated that all the settings will not be applicable to all the services.
  • There was a suggestion to user drop-in config snippets instead of changing the service files directly to make the hardening settings readily visible at https://discussion.fedoraproject.org/t/96423/6 and another suggestion to do it in /usr/lib since Fedora already follows that pattern in https://discussion.fedoraproject.org/t/96423/8. The current understanding is that it will impact potentially non distro services if we do this and that will be too risky. We are not going to follow this pattern.
  • There was some discussions about scope and I have added my rationale at https://discussion.fedoraproject.org/t/96423/15
  • There was some discussions on updating the packaging guidelines and making the changes advertised well. I have proposed some initial draft for both the packaging guidelines and release notes, both of which will evolve as we firm up our approach (drop-in vs direct service changes etc).
  • Systemd does not support a general mechanism of resetting a directive back to default by setting it to an empty value. You must instead explicitly set the value depending on the setting and this was noted in https://discussion.fedoraproject.org/t/96423/17


Benefit to Fedora

Fedora services will get a significant security boost by default by avoiding or mitigating any unknown security vulnerabilities in default system services. Since Fedora will include the very latest version of systemd and other components and has the visibility and control of the default configuration of the services, it can go well beyond what upstream can support directly based on their minimum version of systemd. Since Fedora already has the reputation of being security focused (SELinux enabled by default, system wide compiler flags that enable a number of security features etc), it is in a good position to act as a coordination and integration point.

It can be the first mainstream distribution that enables more of these systemd hardening features by default and push that upstream wherever feasible. This serves the first, features and friends part of the Fedora mission respectively.

Scope

  • Proposal owners: Individual per service pull requests to enable various security features as applicable.
  • Other developers: Review PRs as needed
  • Release engineering: https://pagure.io/releng/issue/11785
  • Policies and guidelines:

Packaging guidelines will have to be modified to add recommendations to use more of the systemd security features by default. In particular, we should add a security settings section in https://fedoraproject.org/wiki/Packaging:Systemd. Current the guidance only recommends a couple of settings for long running services. Sample text:

Systemd services included in Fedora are recommended to use as many of the following security settings as applicable while maintaining the default functionality of the service.

<List of enabled hardening settings>

The full list of sandboxing features are available in https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing. Note that if you are submitting changes to upstream as recommended in https://docs.fedoraproject.org/en-US/packaging-guidelines/PatchUpstreamStatus/, systemd will warn and ignore any of these features it doesn't support. So while the service itself won't break, these warnings can add to the support burden. Please take into account the minimum required version of systemd that upstream supports and only include those settings or provide build system logic to conditionally build the default unit file when submitting these patches upstream. The specific version of systemd required for any of these settings is documented in the systemd exec man page.

  • Trademark approval: N/A

Upgrade/compatibility impact

Packages will automatically get additional security features enabled by default transparently. In limited circumstances, they may need to override the defaults. Refer to user experience section for details.

How To Test

You can use tools like systemd-analyze security and systemctl cat to verify that specific security features are enabled by default. Default services with the default features should have no adverse impact and users shouldn't have to do anything beyond using the software as intended and report any regressions. High profile services not installed by default that gain these security features would benefit from more targeting testing to spot any unintended consequences especially for niche or advanced functionality. If advanced non-default functionality requires overrides default settings, we can document those in the release notes to provide guidance.

User Experience

This should be largely transparent change for users. The goal is to have the services work as expected with the default functionality but to potentially require tweaking the settings if the configuration is changed by users after installation. For instance, if we add ProtectHome=yesto a web service and the user wishes to serve files out of their home directory, they will need to override the systemd setting to ProtectHome=read-only to allow for the service to read from the user home directory in addition to changing the service specific configuration files to enable this feature.

Dependencies

None. We are merely enabling some of systemd security features by default for default system services.

Contingency Plan

  • Contingency mechanism: These settings can be enabled/disabled at a per service level. No wholesale reverts is necessary. If we don't finish the work for all the services, we can follow up in future releases.
  • Contingency deadline: N/A
  • Blocks release? No


Documentation

Release Notes

systemd security hardening features are enabled for default system services. If you wish to turn off any particular settings, you can follow the standard systemd method of overriding the config. For example,

$ cat /etc/systemd/system/httpd.service.d/override.conf

[Service]

ProtectHome=no

$ sudo systemctl daemon-reload

$ sudo systemctl restart httpd.service


$ systemctl status httpd.service

● httpd.service - The Apache HTTP Server

    Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Drop-In: /etc/systemd/system/httpd.service.d
            └─override.conf
    Active: active (running) since Mon 2023-11-15 18:29:25 EST; 3min 30s ago