From 4800de73e5ca08bebec56fdf5b0bd954e3b421740ba44e23c57bd04ce01110cc Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Mon, 22 Nov 2021 08:56:09 +0000 Subject: [PATCH] Accepting request 932917 from home:jsegitz:branches:security - Remove ProtectKernelTunables hardening, causes the service to fail (boo#1192921) OBS-URL: https://build.opensuse.org/request/show/932917 OBS-URL: https://build.opensuse.org/package/show/security/haveged?expand=0&rev=143 --- harden_haveged.service.patch | 3 +-- haveged-switch-root.service | 1 - haveged.changes | 6 ++++++ haveged.service | 1 - haveged.spec | 2 +- 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/harden_haveged.service.patch b/harden_haveged.service.patch index cd1b5a4..c074c50 100644 --- a/harden_haveged.service.patch +++ b/harden_haveged.service.patch @@ -2,14 +2,13 @@ Index: haveged-1.9.14/contrib/Fedora/haveged.service =================================================================== --- haveged-1.9.14.orig/contrib/Fedora/haveged.service +++ haveged-1.9.14/contrib/Fedora/haveged.service -@@ -24,6 +24,12 @@ ProtectKernelLogs=true +@@ -24,6 +24,11 @@ ProtectKernelLogs=true ProtectKernelModules=true RestrictNamespaces=true RestrictRealtime=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectClock=true -+ProtectKernelTunables=true +ProtectControlGroups=true +# end of automatic additions diff --git a/haveged-switch-root.service b/haveged-switch-root.service index ee15893..c86c9a3 100644 --- a/haveged-switch-root.service +++ b/haveged-switch-root.service @@ -15,7 +15,6 @@ ProtectHome=true PrivateDevices=true ProtectHostname=true ProtectClock=true -ProtectKernelTunables=true ProtectKernelModules=true ProtectKernelLogs=true ProtectControlGroups=true diff --git a/haveged.changes b/haveged.changes index e4c6663..03ca514 100644 --- a/haveged.changes +++ b/haveged.changes 
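Review bot: The hardening block in harden_haveged.service.patch (between `# added automatically` and `# end of automatic additions`) loses `ProtectKernelTunables=true` without any trace in the unit itself, so a later run of the automated hardening or a cleanup pass can re-add it and break the service again. A one-line comment in its place would record the decision, for example `# ProtectKernelTunables=true intentionally omitted: service fails to start (boo#1192921)`, with the inner hunk's line count adjusted to match; the same applies to the deletions in haveged.service and haveged-switch-root.service. The description does not say why the directive breaks the daemon; presumably haveged needs write access under /proc/sys, which this directive makes read-only, and naming the exact path in the comment would let a future reviewer judge whether a narrower restriction is possible. The `[Service]` section these directives belong to starts and ends outside the hunk.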
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Nov 22 08:14:39 UTC 2021 - Johannes Segitz + +- Remove ProtectKernelTunables hardening, causes the service to fail + (boo#1192921) + ------------------------------------------------------------------- Tue Nov 2 08:18:49 UTC 2021 - Marcus Meissner diff --git a/haveged.service b/haveged.service index 8250f16..f37cd5b 100644 --- a/haveged.service +++ b/haveged.service @@ -19,7 +19,6 @@ ProtectHome=true PrivateDevices=true ProtectHostname=true ProtectClock=true -ProtectKernelTunables=true ProtectKernelModules=true ProtectKernelLogs=true ProtectControlGroups=true diff --git a/haveged.spec b/haveged.spec index 99b0e01..ac1878c 100644 --- a/haveged.spec +++ b/haveged.spec @@ -32,7 +32,7 @@ Source5: %{name}-switch-root.service Patch0: ppc64le.patch # PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psimons@suse.com bnc#959237 Patch2: haveged-no-syslog.patch -Patch3: harden_haveged.service.patch +Patch3: harden_haveged.service.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool