Bug 2260082 - Enable systemd service hardening features for default system services
Summary: Enable systemd service hardening features for default system services
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Rahul Sundaram
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: F41Changes
Reported: 2024-01-24 10:47 UTC by Aoife Moloney
Modified: 2024-03-25 14:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Aoife Moloney 2024-01-24 10:47:44 UTC
This is a tracking bug for Change: Enable systemd service hardening features for default system services
For more details, see: https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening

Improve security by enabling some of the high-level systemd security hardening settings that isolate and sandbox default system services.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.

Comment 1 Aoife Moloney 2024-02-19 16:47:22 UTC
Hi Rahul,

As we are past the Testable deadline for F40 Changes and approaching the 100% complete deadline, I am doing a routine check-in on all change tracker bugs to make sure changes are on track to land successfully in F40. Have you any updates to share on the progress of this change?


Thanks!
Aoife

Comment 2 Rahul Sundaram 2024-02-27 21:04:01 UTC
Only a single PR has been merged so far:

https://src.fedoraproject.org/rpms/abrt/pull-request/32

Unfortunately, even the PRs filed a long time back have stalled out, with no feedback or response in a long time after the initial responses. A couple of examples:

https://src.fedoraproject.org/rpms/dbus-broker/pull-request/11
https://src.fedoraproject.org/rpms/httpd/pull-request/40

I am working my way through the rest, but unless we can expedite some of these, we will have to postpone the feature.

Comment 3 Timothée Ravier 2024-02-28 18:06:08 UTC
As I wrote in https://discussion.fedoraproject.org/t/f40-change-proposal-systemd-security-hardening-system-wide/96423/4, and as it has been requested for abrt & dbus-broker already, I would recommend that you start upstream with those changes to get better traction.

This will make maintaining those hardening settings much easier for everyone. The test suites for applications and the CI are also usually run upstream, not in Fedora, so that's where issues will be caught.

Comment 4 Rahul Sundaram 2024-02-28 19:27:27 UTC
I am happy to work wherever it makes sense, but there are wide variations in maintainer and upstream preferences, as well as in test suite availability. For httpd, for example, the service file is shipped within the package and not upstream, and there is apparently a Red Hat internal test suite, so I will have to wait for that. In other cases, I have started opening PRs upstream as well. Thanks for the feedback.

Comment 5 Fedora Update System 2024-03-01 12:18:03 UTC
FEDORA-2024-b9d5622cc4 (realmd-0.17.1-11.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-b9d5622cc4

Comment 6 Rahul Sundaram 2024-03-04 15:04:32 UTC
I am maintaining a sheet to keep track of this now, FYI:

https://docs.google.com/spreadsheets/d/1BLKqBSsF0B9gYz6b4TIPnJ93SpiUVDiD8z_80pTyXJc/edit#gid=0

Comment 7 Zbigniew Jędrzejewski-Szmek 2024-03-25 13:48:40 UTC
The current status, according to the spreadsheet, is 3 merged PRs and a bunch of PRs open.
Should we mark this as postponed to F41?

Comment 8 Rahul Sundaram 2024-03-25 14:40:21 UTC
Yep.  That would be my recommendation.  There are some merged upstream but they aren't going to land in Fedora at this stage.
