diff --git a/httpd.service b/httpd.service
index b75e28c..c5b5e08 100644
--- a/httpd.service
+++ b/httpd.service
@@ -26,25 +26,8 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
-DevicePolicy=closed
-KeyringMode=private
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-OOMPolicy=continue
-PrivateDevices=yes
PrivateTmp=true
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=read-only
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectSystem=yes
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-SystemCallArchitectures=native
+OOMPolicy=continue
[Install]
WantedBy=multi-user.target
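Review bot: The new side of the [Service] section drops every sandboxing directive at once — DevicePolicy, PrivateDevices, ProtectSystem, ProtectHome, ProtectKernelTunables/Modules/Logs, MemoryDenyWriteExecute, RestrictNamespaces, RestrictSUIDSGID, SystemCallArchitectures and the rest — keeping only `PrivateTmp=true` and `OOMPolicy=continue`, and leaves no comment in the unit recording that this was deliberate (the httpd.spec hunk deletes the 2.4.58-7 changelog entry instead of adding one describing the revert). If a single directive regressed something — ProtectHome=read-only and MemoryDenyWriteExecute are plausible candidates given what the old man page text said about UserDir CGI, but the diff does not say which — dropping only that directive would keep the rest of the reduction in what a compromised worker can reach (read-only /usr and /home, a minimal /dev, read-only kernel tunables). As written, an administrator reading the unit cannot tell whether hardening was never present or was removed, so at minimum add a marker above `PrivateTmp=true`: `# Sandboxing directives (ProtectSystem, ProtectHome, MemoryDenyWriteExecute, ...) intentionally removed; re-enable per site via 'systemctl edit httpd.service' after testing loaded modules and CGI.` The [Service] header itself is above the hunk.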
diff --git a/httpd.service.xml b/httpd.service.xml
index 3ddbc9e..7dfdb97 100644
--- a/httpd.service.xml
+++ b/httpd.service.xml
@@ -231,16 +231,7 @@ Wants=network-online.target
Process policies and restrictions
- The httpd.service unit enables a
- variety of sandboxing options. Many of these prevent the service
- from changing the system configuration - such as
- ProtectClock and
- ProtectKernelModules. See
- systemd.exec5
- and
- systemd.service5
- for more information on these options. Particular notice should
- be taken of the following:
+ The httpd service uses the following options:
PrivateTmp is enabled by
@@ -256,14 +247,13 @@ Wants=network-online.target
the policy to continue, httpd will
continue to run (and recover) if a single child is terminated
because of excess memory consumption.
+
- ProtectHome is set to
- read-only by default. CGI scripts run via
- UserDir will not be able modify any
- content in /home by
- default.
-
-
+ See
+ systemd.exec5
+ and
+ systemd.service5
+ for more information.
diff --git a/httpd.spec b/httpd.spec
index 864c8b7..9498533 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -834,10 +834,6 @@ exit $rv
* Thu Mar 28 2024 Joe Orton - 2.4.58-8
- rebuild to fix changelog ordering
-* Thu Mar 7 2024 Rahul Sundaram - 2.4.58-7
-- Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
-- updated httpd.service(5) (Joe Orton)
-
* Wed Jan 24 2024 Fedora Release Engineering - 2.4.58-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
diff --git a/httpd@.service b/httpd@.service
index 8b20b90..84424fb 100644
--- a/httpd@.service
+++ b/httpd@.service
@@ -19,25 +19,8 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
-DevicePolicy=closed
-KeyringMode=private
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-OOMPolicy=continue
-PrivateDevices=yes
PrivateTmp=true
-ProtectClock=yes
-ProtectControlGroups=yes
-ProtectHome=read-only
-ProtectHostname=yes
-ProtectKernelLogs=yes
-ProtectKernelModules=yes
-ProtectKernelTunables=yes
-ProtectSystem=yes
-RestrictNamespaces=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-SystemCallArchitectures=native
+OOMPolicy=continue
[Install]
WantedBy=multi-user.target
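Review bot: The template unit gets the same wholesale removal of the sandboxing set as httpd.service, again with no comment left behind, so an administrator running several `httpd@<instance>` units has no hint that the `[Service]` section (whose header is above the hunk) used to confine them. The two units are kept consistent, which is right, but the same narrowing applies: if one directive broke an instance, revert that one rather than all seventeen, and otherwise document the choice in place, e.g. above `PrivateTmp=true`: `# Sandboxing directives intentionally removed; re-enable via 'systemctl edit httpd@<instance>.service' once the instance's modules/CGI are tested.`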