Fedora 41

Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 19:51:12 -06:00 · 2024-12-27 19:51:12 -06:00 · 9d78bd48b5
commit 9d78bd48b5
parent 5bcb268847
2 changed files with 36 additions and 2 deletions
--- a/templates/Fedora/41/usr/lib/systemd/system/httpd.service
+++ b/templates/Fedora/41/usr/lib/systemd/system/httpd.service
@ -26,8 +26,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native

 [Install]
 WantedBy=multi-user.target
--- a/templates/Fedora/41/usr/lib/systemd/system/httpd@.service
+++ b/templates/Fedora/41/usr/lib/systemd/system/httpd@.service
@ -19,8 +19,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 OOMPolicy=continue
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native

 [Install]
 WantedBy=multi-user.target