Bug 1084102 - PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services [NEEDINFO]
Summary: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jaroslav Reznik
QA Contact:
Petr Bokoc
Whiteboard: ChangeAcceptedF21 SystemWideChange
Depends On:
Reported: 2014-04-03 15:23 UTC by Jaroslav Reznik
Modified: 2019-08-19 07:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-08-06 09:58:07 UTC
Type: ---
pbokoc: fedora_requires_release_note+
jreznik: needinfo? (lpoetter)

Description Jaroslav Reznik 2014-04-03 15:23:54 UTC
This is a tracking bug for Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services
For more details, see: http://fedoraproject.org//wiki/Changes/PrivateDevicesAndPrivateNetwork

Let's make Fedora more secure by default! Recent systemd versions provide two per-service switches PrivateDevices=yes/no and PrivateNetwork=yes/no which enable services to run without access to any physical devices in /dev, or without access to any kind of network sockets. So far this has seen little use in Fedora, and with this Fedora Change we'd like to change this, and enable these for all long-running services that do not require device/network access.
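
Added example, not part of the original bug report or the Fedora Change: a small audit that reports which service units leave the two switches described above disabled. The unit texts are constructed samples, and treating `Type=oneshot` units as not long-running is an assumption of this sketch; it reads one unit file at a time and does not merge drop-in directories.

```python
# Added example: audit systemd service units for the two sandboxing switches.
# The unit texts below are constructed samples, not real Fedora unit files.
TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings

def parse_service_section(text):
    """Return the [Service] keys of a unit file; a later assignment overrides an earlier one."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(units):
    """Map unit name -> list of switches not enabled; oneshot units are skipped."""
    report = {}
    for name, text in units.items():
        svc = parse_service_section(text)
        if svc.get("Type", "simple").lower() == "oneshot":
            continue  # assumption: oneshot units are not long-running
        # Both switches default to off when the key is absent.
        missing = [k for k in ("PrivateDevices", "PrivateNetwork")
                   if svc.get(k, "no").lower() not in TRUE_VALUES]
        report[name] = missing
    return report

SAMPLE_UNITS = {  # constructed
    "hardened.service": "[Unit]\nDescription=demo\n[Service]\nExecStart=/usr/bin/demo\n"
                        "PrivateDevices=yes\nPrivateNetwork=true\n",
    "partial.service": "[Service]\nExecStart=/usr/bin/demo\n# PrivateNetwork=yes\n"
                       "PrivateDevices=yes\nPrivateDevices=no\nPrivateNetwork=on\n",
    "default.service": "[Service]\nExecStart=/usr/bin/demo\n",
    "setup.service": "[Service]\nType=oneshot\nExecStart=/usr/bin/setup\n",
}

if __name__ == "__main__":
    for unit, missing in sorted(audit(SAMPLE_UNITS).items()):
        print(unit, "OK" if not missing else "missing: " + ", ".join(missing))
```

On a running system, `systemctl show -p PrivateDevices -p PrivateNetwork <unit>` reports the effective values after drop-ins are applied.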

Comment 1 Jaroslav Reznik 2014-07-04 10:43:47 UTC
This message is a reminder that Fedora 21 Accepted Changes Freeze Deadline is on 2014-07-08 [1].

At this point, all accepted Changes should be substantially complete, and testable. Additionally, if a change is to be enabled by default, it must be so enabled at Change Freeze.

This bug should be set to the MODIFIED state to indicate that it achieved completeness. Status will be provided to FESCo right after the deadline. If, for any reason, your Change is not in the required state, let me know and we will try to find a solution. For Changes you decide to cancel/move to the next release, please use the NEW status and set needinfo on me and it will be acted upon.

In case of any questions, don't hesitate to ask Wrangler (jreznik). Thank you.

[1] https://fedoraproject.org/wiki/Releases/21/Schedule

Comment 2 Jaroslav Reznik 2014-10-07 12:23:57 UTC
This message is a reminder that Fedora 21 Change Checkpoint: 100% Code Complete Deadline (Former Accepted Changes 100% Complete) is on 2014-10-14 [1].

All Accepted Changes have to be code complete and ready to be validated in the Beta release (optionally by Fedora QA). Required bug state at this point is ON_QA.

As for several System Wide Changes, Beta Change Deadline is a point of contingency plan. All incomplete Changes will be reported to FESCo at the 2014-10-15 meeting. In case of any questions, don't hesitate to ask Wrangler (jreznik).

[1] https://fedoraproject.org/wiki/Releases/21/Schedule

Comment 3 Petr Bokoc 2014-10-14 13:54:34 UTC
The release note is available at https://fedoraproject.org/wiki/Documentation_System_Daemons_Beat?rd=Docs/Beats/SystemDaemons

If you want to make any changes, please contact relnotes@fedoraproject.org or the #fedora-docs channel on FreeNode. Making changes to the wiki page at this point does not guarantee that the changes will appear in the final version of the document.

Comment 4 Jaroslav Reznik 2014-10-21 10:14:47 UTC
Hi Lennart, did this change happen in Fedora 21? Thanks.

Comment 5 Jaroslav Reznik 2014-10-21 11:35:01 UTC
For now, based on FESCo request, moving to F22. Let me know in case it was done and I can revert it.

Comment 6 Pete Travis 2014-10-23 00:07:47 UTC
Jaroslav, the PrivateNetwork= and PrivateDevices= options came with systemd-209.  A number of services are already implementing them.  IMO this could be considered complete, as f21-stable provides systemd-215.

Comment 7 Jaroslav Reznik 2015-03-03 15:39:47 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
