commit restorecond for openSUSE:Factory

Thu, 02 Dec 2021 13:32:24 -0800 

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package restorecond for openSUSE:Factory 
checked in at 2021-12-02 22:30:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/restorecond (Old)
 and      /work/SRC/openSUSE:Factory/.restorecond.new.31177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "restorecond"

Thu Dec  2 22:30:19 2021 rev:10 rq:935169 version:3.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/restorecond/restorecond.changes  2021-11-17 
01:13:45.990161118 +0100
+++ /work/SRC/openSUSE:Factory/.restorecond.new.31177/restorecond.changes       
2021-12-02 22:31:15.930440339 +0100
@@ -1,0 +2,11 @@
+Thu Dec  2 12:10:11 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Claim ownership for %{_sysconfdir}/selinux
+
+-------------------------------------------------------------------
+Mon Nov 15 15:48:12 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_restorecond.service.patch
+
+-------------------------------------------------------------------

New:
----
  harden_restorecond.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ restorecond.spec ++++++
--- /var/tmp/diff_new_pack.YzFfb9/_old  2021-12-02 22:31:16.514438189 +0100
+++ /var/tmp/diff_new_pack.YzFfb9/_new  2021-12-02 22:31:16.514438189 +0100
@@ -25,6 +25,7 @@
 Group:          Productivity/Security
 URL:            https://github.com/SELinuxProject/selinux.git
 Source0:        
https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch0:         harden_restorecond.service.patch
 BuildRequires:  dbus-1-glib-devel
 BuildRequires:  libselinux-devel >= %{libselinux_ver}
 Requires:       libselinux1 >= %{libselinux_ver}
@@ -35,6 +36,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 export CFLAGS="%optflags"
@@ -58,6 +60,7 @@
 %service_del_postun restorecond.service
 
 %files
+%dir %{_sysconfdir}/selinux
 %config %{_sysconfdir}/selinux/restorecond.conf
 %config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf
 %{_sysconfdir}/xdg/autostart/restorecond.desktop

++++++ harden_restorecond.service.patch ++++++
Index: restorecond-3.2/restorecond.service
===================================================================
--- restorecond-3.2.orig/restorecond.service
+++ restorecond-3.2/restorecond.service
@@ -5,6 +5,15 @@ ConditionPathExists=/etc/selinux/restore
 ConditionSecurity=selinux
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 ExecStart=/usr/sbin/restorecond
 PIDFile=/run/restorecond.pid

Reply via email to