NEWS: add note about NNP=yes

author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2018-12-18 14:14:44 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2018-12-18 15:01:57 +0100
commit: e68a35a78d736ac0bb6609a130f87546e6d48ab1 (patch)
tree: 1231c85de4cfb804a0c8e486444604851734389e
parent: units: set NoNewPrivileges= for all long-running services (diff)
download: systemd-e68a35a78d736ac0bb6609a130f87546e6d48ab1.tar.gz
systemd-e68a35a78d736ac0bb6609a130f87546e6d48ab1.tar.bz2
systemd-e68a35a78d736ac0bb6609a130f87546e6d48ab1.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index a9ba9e13f..1bb8a1386 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,13 @@ systemd System and Service Manager
 
 CHANGES WITH 240 in spe:
 
+        * NoNewPrivileges=yes has been set for all long-running services
+          implemented by systemd. Previously, this was problematic due to
+          SELinux (as this would also prohibit the transition from PID1's label
+          to the service's label). This restriction has since been lifted, but
+          an SELinux policy update is required.
+          (See e.g. https://github.com/fedora-selinux/selinux-policy/pull/234.)
+
         * A new service type has been added: Type=exec. It's very similar to
           Type=simple but ensures the service manager will wait for both fork()
           and execve() of the main service binary to complete before proceeding
author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2018-12-18 14:14:44 +0100
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2018-12-18 15:01:57 +0100
commit	e68a35a78d736ac0bb6609a130f87546e6d48ab1 (patch)
tree	1231c85de4cfb804a0c8e486444604851734389e
parent	units: set NoNewPrivileges= for all long-running services (diff)
download	systemd-e68a35a78d736ac0bb6609a130f87546e6d48ab1.tar.gz systemd-e68a35a78d736ac0bb6609a130f87546e6d48ab1.tar.bz2 systemd-e68a35a78d736ac0bb6609a130f87546e6d48ab1.zip