[MDEV-10298] Improve systemd service hardening - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.1.14
Fix Version/s: 10.1.16
Component/s: Scripts & Clients
Labels:
- contribution
- foundation
- patch
- systemd
Environment:
systemd, Gentoo

Sprint:
1.0.2

Description

It would be nice to use more of systemd's hardening features:

ProtectSystem=full

NoNewPrivileges=true

PrivateDevices=true

ProtectHome=true

I tested these settings and didn't experience any problems in my (admitted limited) setup. I think they should be fine for anyone except for exceptional and odd situations. For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.

Attachments

Issue Links

causes

MDEV-10405 mysql.sock gets created with different SELinux context

Closed

MDEV-10399 custom tmpdir permission denied only in 10.1.16

Closed

MDEV-10404 Improved systemd service hardening causes SELinux problems

Closed

MDEV-10519 MariaDB fails to start after upgrade from 10.1.14 - 10.1.16 (InnoDB Encryption)

Closed

MDEV-13207 PrivateDevices breaks systemd service on Debian 8.8

Closed

links to

another issue caused by this one

GitHub Pull Request #195

(2 links to)

Activity

People

Assignee:

Sergey Vojtovich

Reporter:

Craig Andrews

Votes:

1 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

2016-06-28 15:22

Updated:

2017-06-29 07:46

Resolved:

2016-07-12 15:46