Hello community,

here is the log from the commit of package gnuhealth for openSUSE:Factory checked in at 2021-10-05 22:34:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnuhealth (Old)
 and      /work/SRC/openSUSE:Factory/.gnuhealth.new.2443 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnuhealth" Tue Oct 5 22:34:03 2021 rev:51 rq:923315 version:3.8.0 Changes: -------- --- /work/SRC/openSUSE:Factory/gnuhealth/gnuhealth.changes 2021-04-22 18:04:42.254574518 +0200 +++ /work/SRC/openSUSE:Factory/.gnuhealth.new.2443/gnuhealth.changes 2021-10-05 22:34:34.786945265 +0200 @@ -1,0 +2,9 @@ +Mon Sep 20 14:02:25 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_gnuhealth.service.patch + Modified: + * gnuhealth-webdav@.service + * gnuhealth.service + +------------------------------------------------------------------- New: ---- harden_gnuhealth.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnuhealth.spec ++++++ --- /var/tmp/diff_new_pack.UcZwzB/_old 2021-10-05 22:34:35.382946302 +0200 +++ /var/tmp/diff_new_pack.UcZwzB/_new 2021-10-05 22:34:35.386946309 +0200 @@ -40,6 +40,7 @@ Source8: https://ftp.gnu.org/gnu/health/%{name}-%{version}.tar.gz.sig Source9: https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=health&download=1#/%{name}.keyring Patch0: shebang.diff +Patch1: harden_gnuhealth.service.patch BuildRequires: fdupes BuildRequires: python-rpm-generators @@ -112,6 +113,7 @@ %patch0 -p1 cp %{S:1} . cp %{S:2} . +%patch1 -p1 %build for i in h*; do ++++++ gnuhealth-webdav@.service ++++++ --- /var/tmp/diff_new_pack.UcZwzB/_old 2021-10-05 22:34:35.470946455 +0200 +++ /var/tmp/diff_new_pack.UcZwzB/_new 2021-10-05 22:34:35.470946455 +0200 
@@ -4,6 +4,19 @@ Requires=gnuhealth.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=simple User=tryton Group=tryton ++++++ gnuhealth.service ++++++ --- /var/tmp/diff_new_pack.UcZwzB/_old 2021-10-05 22:34:35.498946504 +0200 +++ /var/tmp/diff_new_pack.UcZwzB/_new 2021-10-05 22:34:35.502946511 +0200 @@ -15,6 +15,13 @@ MountFlags=private NoNewPrivileges=true PrivateDevices=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectHostname=true +ProtectClock=true +ProtectKernelLogs=true +RestrictRealtime=true +# end of automatic additions MemoryDenyWriteExecute=true Type=simple ++++++ harden_gnuhealth.service.patch ++++++ Index: gnuhealth-3.8.0/scripts/startup/gnuhealth.service =================================================================== --- gnuhealth-3.8.0.orig/scripts/startup/gnuhealth.service +++ gnuhealth-3.8.0/scripts/startup/gnuhealth.service @@ -3,6 +3,19 @@ Description=GNU Health Server After=network.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=simple User=gnuhealth WorkingDirectory=/home/gnuhealth
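Review bot: in the gnuhealth-webdav@.service hunk (@@ -4,6 +4,19 @@), ProtectSystem=full and ProtectHome=true are added to a unit that runs as User=tryton, and nothing in the visible lines shows where that user's data and configuration live. ProtectHome=true makes /home, /root and /run/user inaccessible to the service, and ProtectSystem=full mounts /usr, the boot loader directories and /etc read-only, so please confirm that the WebDAV instance neither reads nor writes under those paths; if it does, relax to ProtectHome=read-only or grant the specific directory with ReadWritePaths=. The block also does not add NoNewPrivileges=true, which gnuhealth.service carries in its context lines; if it is not set further down in this file, it belongs here as well.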
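Review bot: in the gnuhealth.service hunk (@@ -15,6 +15,13 @@), the automatic block is inserted between PrivateDevices=true and MemoryDenyWriteExecute=true, which splits the existing hand-written hardening list in two; placing it after MemoryDenyWriteExecute=true or directly under [Service] would keep the directives grouped and the marker comments meaningful. Only four directives are added here, while the other two units receive ten. PrivateDevices=true is visibly already present, but ProtectSystem=, ProtectHome=, ProtectKernelTunables=, ProtectKernelModules= and ProtectControlGroups= do not appear in the context lines, so please confirm they are set earlier in the file and were not simply skipped.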
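Review bot: in harden_gnuhealth.service.patch (@@ -3,6 +3,19 @@), ProtectHome=true conflicts with the context lines User=gnuhealth and WorkingDirectory=/home/gnuhealth. ProtectHome=true makes /home inaccessible and empty inside the service's mount namespace, so the unit should be expected to fail when changing into its working directory. Either drop ProtectHome= for this unit, move the service's working directory out of /home, or use ProtectHome=read-only, which only works if the server never writes below /home/gnuhealth. Separately, this patch hardens the upstream scripts/startup/gnuhealth.service while the package also carries its own gnuhealth.service with a different set of directives; the changes entry should say which of the two is installed so the effective hardening is clear.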