postfix/harden_postfix.service.patch

Index: postfix-3.6.2/postfix-SUSE/postfix.service
===================================================================
--- postfix-3.6.2.orig/postfix-SUSE/postfix.service
+++ postfix-3.6.2/postfix-SUSE/postfix.service
@@ -19,6 +19,24 @@ After=amavis.service mysql.service cyrus
 Conflicts=sendmail.service exim.service
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+
+# Needed write permissions for /etc/aliases.* or /etc/aliases.lmdb
+# https://bugzilla.opensuse.org/show_bug.cgi?id=1191988
+#ProtectSystem=full
+#ReadWritePaths=/etc/postfix
+
+ProtectHome=false
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 Type=forking
 PIDFile=/var/spool/postfix/pid/master.pid
 ExecStartPre=-/bin/echo 'Starting mail service (Postfix)'
Accepting request 926873 from home:jsegitz:branches:systemdhardening:server:mail - Added hardening to systemd service (bsc#1181400). Added harden_postfix.service.patch - Added hardening to systemd service (bsc#1181400). Added harden_postfix.service.patch OBS-URL: https://build.opensuse.org/request/show/926873 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=427 2021-10-22 09:56:31 +02:00			`Index: postfix-3.6.2/postfix-SUSE/postfix.service`
			`===================================================================`
			`--- postfix-3.6.2.orig/postfix-SUSE/postfix.service`
			`+++ postfix-3.6.2/postfix-SUSE/postfix.service`
Accepting request 965609 from home:13ilya - Refreshed spec-file via spec-cleaner and manual optimizated. * Added -p flag to all install commands. * Removed -f flag from all ln commands. - Changed file harden_postfix.service.patch (boo#1191988). OBS-URL: https://build.opensuse.org/request/show/965609 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=438 2022-04-10 11:27:44 +02:00			`@@ -19,6 +19,24 @@ After=amavis.service mysql.service cyrus`
Accepting request 926873 from home:jsegitz:branches:systemdhardening:server:mail - Added hardening to systemd service (bsc#1181400). Added harden_postfix.service.patch - Added hardening to systemd service (bsc#1181400). Added harden_postfix.service.patch OBS-URL: https://build.opensuse.org/request/show/926873 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=427 2021-10-22 09:56:31 +02:00			`Conflicts=sendmail.service exim.service`

			`[Service]`
			`+# added automatically, for details please see`
			`+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort`
Accepting request 965609 from home:13ilya - Refreshed spec-file via spec-cleaner and manual optimizated. * Added -p flag to all install commands. * Removed -f flag from all ln commands. - Changed file harden_postfix.service.patch (boo#1191988). OBS-URL: https://build.opensuse.org/request/show/965609 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=438 2022-04-10 11:27:44 +02:00			`+`
			`+# Needed write permissions for /etc/aliases.* or /etc/aliases.lmdb`
			`+# https://bugzilla.opensuse.org/show_bug.cgi?id=1191988`
			`+#ProtectSystem=full`
			`+#ReadWritePaths=/etc/postfix`
			`+`
Accepting request 926909 from home:dstoecker:branches:server:mail - Ensure postfix can write to home directory or server side filtering wont work (sieve) OBS-URL: https://build.opensuse.org/request/show/926909 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=429 2021-10-22 12:12:06 +02:00			`+ProtectHome=false`
Accepting request 926873 from home:jsegitz:branches:systemdhardening:server:mail - Added hardening to systemd service (bsc#1181400). Added harden_postfix.service.patch - Added hardening to systemd service (bsc#1181400). Added harden_postfix.service.patch OBS-URL: https://build.opensuse.org/request/show/926873 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=427 2021-10-22 09:56:31 +02:00			`+PrivateDevices=true`
			`+ProtectHostname=true`
			`+ProtectClock=true`
			`+ProtectKernelTunables=true`
			`+ProtectKernelModules=true`
			`+ProtectKernelLogs=true`
			`+ProtectControlGroups=true`
			`+RestrictRealtime=true`
			`+# end of automatic additions`
			`Type=forking`
			`PIDFile=/var/spool/postfix/pid/master.pid`
			`ExecStartPre=-/bin/echo 'Starting mail service (Postfix)'`