Fedora 40 to Enable Isolation of System Services

A change proposal for Fedora 40 would enable sandboxing (isolation) settings by default for systemd services, covering both the distribution's own system services and major applications such as PostgreSQL, Apache httpd, nginx and MariaDB. The aim is to strengthen the distribution's default configuration so that as-yet-unknown vulnerabilities in a system service are harder to exploit: a compromised service sees less of the file system, fewer devices and fewer kernel interfaces. The proposal has not yet been reviewed by FESCo (the Fedora Engineering Steering Committee) and may still be rejected during community review.

The settings recommended for inclusion are as follows:

  • PrivateTmp=yes: gives the service its own private /tmp and /var/tmp.
  • ProtectSystem=yes/full/strict: mounts the file system read-only for the service, with increasing scope (yes: /usr and the boot loader directories; full: also /etc; strict: the entire tree except /dev, /proc and /sys).
  • ProtectHome=yes: makes /home, /root and /run/user inaccessible.
  • PrivateDevices=yes: gives the service a private /dev containing only pseudo-devices such as /dev/null, /dev/zero and /dev/random, so physical devices are hidden.
  • ProtectKernelTunables=yes: makes kernel tunables (/proc/sys, /sys and similar) read-only.
  • ProtectKernelModules=yes: forbids explicit loading of kernel modules.
  • ProtectKernelLogs=yes: blocks access to the kernel log buffer.
  • ProtectControlGroups=yes: makes the control-group hierarchy read-only.
  • NoNewPrivileges=yes: forbids gaining privileges through setuid, setgid and file-system capabilities.
  • PrivateNetwork=yes: places the service in its own network namespace with only a loopback interface.
  • ProtectClock=yes: forbids changing the system clock.
  • ProtectHostname=yes: forbids changing the host name.
  • ProtectProc=invisible: hides processes owned by other users in /proc.
  • User=[username]: runs the service as the given user instead of root.

In addition, the following settings are being considered for inclusion:

  • CapabilityBoundingSet=[value]: limits the capabilities the service and its children can ever hold.
  • DevicePolicy=closed: allows access only to standard pseudo-devices and anything explicitly listed in DeviceAllow=.
  • KeyringMode=private: gives the service a private kernel session keyring.
  • LockPersonality=yes: locks the execution domain (personality) so it cannot be changed.
  • MemoryDenyWriteExecute=yes: forbids memory mappings that are both writable and executable.
  • PrivateUsers=yes: runs the service in a private user namespace.
  • RemoveIPC=yes: removes System V and POSIX IPC objects owned by the service's user when it stops.
  • RestrictAddressFamilies=[value]: restricts the socket address families the service may use.
  • RestrictNamespaces=yes: forbids creating new namespaces.
  • RestrictRealtime=yes: forbids real-time scheduling.
  • RestrictSUIDSGID=yes: forbids creating setuid and setgid files.
  • SystemCallFilter=[value]: installs a seccomp system call filter.
  • SystemCall
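As an added example, not taken from the Fedora proposal or from any project's unit files: a POSIX sh script that writes a drop-in applying the directives listed above to a hypothetical example-web.service (the unit name, user and paths are assumptions) and a check that reports which of the recommended directives a unit still lacks. PrivateNetwork=yes and PrivateUsers=yes are deliberately left out of the drop-in: the first removes the network a server needs, and the second makes the service's capabilities ineffective against host resources, so it could not bind a privileged port. ReadWritePaths= and AmbientCapabilities= are not on the page's list; they are added because ProtectSystem=strict and a non-root User= would otherwise stop the service from writing its logs and binding port 80.

```shell
#!/bin/sh
# Added example (not from the Fedora proposal): generate a hardening
# drop-in for a hypothetical "example-web.service" from the directives
# proposed for Fedora 40, then check a unit file for them.
# The service name, user and paths below are assumptions.
set -eu

# Write the drop-in into DIR/override.conf. The drop-in is meant for
# /etc/systemd/system/example-web.service.d/ (assumed path), followed
# by "systemctl daemon-reload && systemctl restart example-web".
# PrivateNetwork=yes is omitted on purpose: a web server needs sockets.
write_hardening_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
[Service]
User=example-web
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
# strict makes the whole tree read-only; list what the daemon must write.
ReadWritePaths=/var/log/example-web /run/example-web
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
# Bounding set plus ambient set: an unprivileged User= still binds port 80.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
EOF
}

# Check a unit or drop-in file for the directives the proposal recommends
# for every service; print each missing one and return 1 if any is absent.
check_hardening() {
    file="$1"
    missing=0
    for key in PrivateTmp ProtectSystem ProtectHome PrivateDevices \
               ProtectKernelTunables ProtectKernelModules ProtectKernelLogs \
               ProtectControlGroups NoNewPrivileges ProtectClock \
               ProtectHostname ProtectProc User; do
        if ! grep -q "^$key=" "$file"; then
            echo "missing: $key="
            missing=1
        fi
    done
    return $missing
}

# Usage: sh harden.sh /etc/systemd/system/example-web.service.d
if [ "$#" -ge 1 ]; then
    write_hardening_dropin "$1"
    check_hardening "$1/override.conf"
fi
```

After the drop-in is installed and the unit reloaded, `systemd-analyze security example-web.service` shows which exposure points remain; a service that breaks under ProtectSystem=strict usually needs another ReadWritePaths= entry rather than a weaker ProtectSystem= level.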