Fedora 41

Signed-off-by: Jason Rothstein <fdragon@fdragon.org>
2024-12-27 19:51:12 -06:00 · 2024-12-27 19:51:12 -06:00 · 9d78bd48b5
commit 9d78bd48b5
parent 5bcb268847
2 changed files with 36 additions and 2 deletions
--- a/templates/Fedora/41/usr/lib/systemd/system/httpd.service
+++ b/templates/Fedora/41/usr/lib/systemd/system/httpd.service
@ -26,8 +26,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
 KeyringMode=private
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 OOMPolicy=continue
 PrivateDevices=yes
 PrivateTmp=true
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=read-only
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=yes
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 [Install]
 WantedBy=multi-user.target
--- a/templates/Fedora/41/usr/lib/systemd/system/httpd@.service
+++ b/templates/Fedora/41/usr/lib/systemd/system/httpd@.service
@ -19,8 +19,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
 # Send SIGWINCH for graceful stop
 KillSignal=SIGWINCH
 KillMode=mixed
-PrivateTmp=true
+DevicePolicy=closed
 KeyringMode=private
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 OOMPolicy=continue
 PrivateDevices=yes
 PrivateTmp=true
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=read-only
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=yes
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 [Install]
 WantedBy=multi-user.target