diff --git a/dhcp.changes b/dhcp.changes
index 2c294bb..859b46e 100644
--- a/dhcp.changes
+++ b/dhcp.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Mon Jan 17 08:52:07 UTC 2022 - Johannes Segitz
+
+- Drop PrivateDevices and ProtectClock hardenings. They clash with
+ the chroot logic (bsc#1194722)
+
+-------------------------------------------------------------------
+Fri Jan 14 13:19:38 UTC 2022 - Callum Farmer
+
+- Add now working CONFIG parameter to sysusers generator
+
 -------------------------------------------------------------------
 Tue Oct 26 11:58:59 UTC 2021 - Reinhard Max
@@ -6,6 +17,15 @@ Tue Oct 26 11:58:59 UTC 2021 - Reinhard Max
 removal once we don't have to support SLE-12 anymore.
 - bsc#1192020: Drop the obsolete dependency on "group(nogroup)".
+-------------------------------------------------------------------
+Mon Sep 13 13:50:50 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * dhcpd.service
+ * dhcpd6.service
+ * dhcrelay.service
+ * dhcrelay6.service
+
 -------------------------------------------------------------------
 Thu Aug 5 11:33:54 UTC 2021 - Reinhard Max
diff --git a/dhcp.spec b/dhcp.spec
index fe58d6f..92d84df 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package dhcp
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -274,7 +274,7 @@ cat bind/install.log
 : building dhcp sources
 %make_build
 %if %{with sysusers}
-%sysusers_generate_pre %{SOURCE47} dhcp-server
+%sysusers_generate_pre %{SOURCE47} dhcp-server dhcp-user.conf
 %endif
 %check
diff --git a/dhcpd.service b/dhcpd.service
index 51d2524..9663af2 100644
--- a/dhcpd.service
+++ b/dhcpd.service
@@ -4,6 +4,16 @@ Before=multi-user.target
 After=remote-fs.target network.target nss-lookup.target time-sync.target slapd.service sssd.service ndsd.service
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 Restart=on-abort
 ExecStart=@LIBEXECDIR@/dhcp/dhcpd -4 start
diff --git a/dhcpd6.service b/dhcpd6.service
index 0b62b29..2370a2b 100644
--- a/dhcpd6.service
+++ b/dhcpd6.service
@@ -4,6 +4,16 @@ Before=multi-user.target
 After=remote-fs.target network.target nss-lookup.target time-sync.target slapd.service sssd.service ndsd.service
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 Restart=on-abort
 ExecStart=@LIBEXECDIR@/dhcp/dhcpd -6 start
diff --git a/dhcrelay.service b/dhcrelay.service
index 10fc178..6b0af82 100644
--- a/dhcrelay.service
+++ b/dhcrelay.service
@@ -4,6 +4,16 @@ Before=multi-user.target
 After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 Restart=on-abort
 ExecStart=@LIBEXECDIR@/dhcp/dhcrelay -4 start
diff --git a/dhcrelay6.service b/dhcrelay6.service
index 751a21d..cb77590 100644
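Review bot: The hardening block added to dhcpd.service gives no indication that PrivateDevices and ProtectClock were left out on purpose; the changelog on this page says they clash with the chroot logic (bsc#1194722), and because the block is labelled as added automatically, a later automated pass could put them back. I would add a line inside the block such as `# PrivateDevices and ProtectClock intentionally omitted: they clash with the chroot logic (bsc#1194722)`. The same applies to the identical blocks in dhcpd6.service, dhcrelay.service and dhcrelay6.service. If the start script prepares the chroot at service start, as the changelog wording suggests, it is also worth confirming that start-up and lease writes still work under `ProtectSystem=full` and `ProtectHome=true` in both chroot and non-chroot configurations; `systemd-analyze security dhcpd.service` shows what exposure remains after these settings.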
--- a/dhcrelay6.service
+++ b/dhcrelay6.service
@@ -4,6 +4,16 @@ Before=multi-user.target
 After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
 Type=forking
 Restart=on-abort
 ExecStart=@LIBEXECDIR@/dhcp/dhcrelay -6 start