Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked in at 2021-10-23 23:13:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and      /work/SRC/openSUSE:Factory/.postfix.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Sat Oct 23 23:13:48 2021 rev:211 rq:926927 version:3.6.2 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix-bdb.changes 2021-10-12 21:49:29.187883155 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.1890/postfix-bdb.changes 2021-10-23 23:13:56.624980141 +0200 @@ -1,0 +2,17 @@ +Fri Oct 22 09:45:40 UTC 2021 - Dirk Stoecker <opens...@dstoecker.de> + +- Ensure postfix can write to home directory or server side + filtering wont work (sieve) + +------------------------------------------------------------------- +Fri Oct 22 08:46:19 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Ensure service can write to /etc/postfix + +------------------------------------------------------------------- +Thu Oct 21 15:39:55 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service (bsc#1181400). Added + harden_postfix.service.patch + +------------------------------------------------------------------- postfix.changes: same change New: ---- harden_postfix.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++ --- /var/tmp/diff_new_pack.JEPzAa/_old 2021-10-23 23:13:57.356980499 +0200 +++ /var/tmp/diff_new_pack.JEPzAa/_new 2021-10-23 23:13:57.360980501 +0200 @@ -83,6 +83,7 @@ Patch9: fix-postfix-script.patch Patch10: postfix-avoid-infinit-loop-if-no-permission.patch Patch11: postfix-3.6.2-glibc-234-build-fix.patch +Patch12: harden_postfix.service.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel BuildRequires: db-devel @@ -157,6 +158,7 @@ %patch9 %patch10 %patch11 -p1 +%patch12 -p1 # --------------------------------------------------------------------------- ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.JEPzAa/_old 2021-10-23 23:13:57.388980514 +0200 +++ /var/tmp/diff_new_pack.JEPzAa/_new 2021-10-23 23:13:57.392980516 +0200 
@@ -70,6 +70,7 @@ Patch10: %{name}-avoid-infinit-loop-if-no-permission.patch Patch11: set-default-db-type.patch Patch12: postfix-3.6.2-glibc-234-build-fix.patch +Patch13: harden_postfix.service.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel #BuildRequires: db-devel @@ -177,6 +178,7 @@ %patch10 %patch11 %patch12 -p1 +%patch13 -p1 # --------------------------------------------------------------------------- ++++++ harden_postfix.service.patch ++++++ Index: postfix-3.6.2/postfix-SUSE/postfix.service =================================================================== --- postfix-3.6.2.orig/postfix-SUSE/postfix.service +++ postfix-3.6.2/postfix-SUSE/postfix.service @@ -19,6 +19,20 @@ After=amavis.service mysql.service cyrus Conflicts=sendmail.service exim.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ReadWritePaths=/etc/postfix +ProtectHome=false +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=forking PIDFile=/var/spool/postfix/pid/master.pid ExecStartPre=-/bin/echo 'Starting mail service (Postfix)'
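Review bot: In the postfix-bdb.changes hunk, the two Oct 22 entries do not name the directives they touch or reference bsc#1181400, so they cannot be tied to harden_postfix.service.patch without reading the patch itself. Suggest wording along the lines of "Set ReadWritePaths=/etc/postfix in harden_postfix.service.patch" and "Set ProtectHome=false in harden_postfix.service.patch so sieve filtering can write to home directories", and fix "wont" to "won't".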
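Review bot: In the postfix.service hunk of harden_postfix.service.patch, ReadWritePaths=/etc/postfix and ProtectHome=false sit between the "# added automatically" and "# end of automatic additions" markers, although the changelog shows both were set by hand (write access to /etc/postfix, and home directory access for sieve filtering). Move them below the end marker or give each a one-line comment stating the reason, so that a later regeneration of the automatic block does not drop the ReadWritePaths= line or switch ProtectHome= to a restrictive value; ProtectHome=false is also the systemd default, so the line only has value as documentation if it says why. Separately, ProtectSystem=full leaves the rest of /etc read-only and only /etc/postfix is reopened, so confirm that neither the ExecStartPre steps nor Postfix itself write anywhere else under /etc; any such path needs its own ReadWritePaths= entry.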