diff --git a/harden_postfix.service.patch b/harden_postfix.service.patch
deleted file mode 100644
index 23839a5..0000000
--- a/harden_postfix.service.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Index: postfix-SUSE/postfix.service
-===================================================================
---- postfix-SUSE/postfix.service.orig
-+++ postfix-SUSE/postfix.service
-@@ -19,6 +19,24 @@ After=amavis.service mysql.service cyrus
- Conflicts=sendmail.service exim.service
-
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+
-+# Needed write permissions for /etc/aliases.* or /etc/aliases.lmdb
-+# https://bugzilla.opensuse.org/show_bug.cgi?id=1191988
-+#ProtectSystem=full
-+#ReadWritePaths=/etc/postfix
-+
-+ProtectHome=false
-+PrivateDevices=true
-+ProtectHostname=true
-+ProtectClock=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions
- Type=forking
- PIDFile=/var/spool/postfix/pid/master.pid
- ExecStartPre=-/bin/echo 'Starting mail service (Postfix)'
diff --git a/postfix-SUSE.tar.gz b/postfix-SUSE.tar.gz
index c6f8322..730ceb9 100644
--- a/postfix-SUSE.tar.gz
+++ b/postfix-SUSE.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:a2537b8e7ac5d0616fbb359c1882be88ea46a40827aaa97ff1e8b8857e7a146b
-size 25388
+oid sha256:1c939cd2d52c316857767f12b75076cc50c00ab56f5778a0e05f3b8cdf10a699
+size 25823
diff --git a/postfix-bdb.changes b/postfix-bdb.changes
index a4868ee..dfb21bb 100644
--- a/postfix-bdb.changes
+++ b/postfix-bdb.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 9 20:13:42 UTC 2023 - Peter Varkoly
+
+- SELinux: postfix denied to access /var/spool/postfix/pid/master.pid
+ (bsc#1207177) Apply proposed changes in postfix.service
+- remove patch included into the source:
+ harden_postfix.service.patch
+
 -------------------------------------------------------------------
 Wed Jan 25 13:30:52 UTC 2023 - Thorsten Kukuk
diff --git a/postfix-bdb.spec b/postfix-bdb.spec
index d0f82af..34e6d4d 100644
--- a/postfix-bdb.spec
+++ b/postfix-bdb.spec
@@ -85,7 +85,6 @@ Patch7: postfix-ssl-release-buffers.patch
 Patch8: postfix-vda-v14-3.0.3.patch
 Patch9: fix-postfix-script.patch
 Patch10: postfix-avoid-infinit-loop-if-no-permission.patch
-Patch12: harden_postfix.service.patch
 BuildRequires: ca-certificates
 BuildRequires: cyrus-sasl-devel
 BuildRequires: db-devel
@@ -169,7 +168,6 @@ lmdb.
 %patch8
 %patch9
 %patch10
-%patch12
 # ---------------------------------------------------------------------------
@@ -544,6 +542,7 @@ fi
 %exclude %{_mandir}/man5/pgsql_table.5*
 %{_mandir}/man?/*%{?ext_man}
 %dir %attr(0755,root,root) /%{pf_queue_directory}
+%dir %attr(0755,root,root) /%{pf_queue_directory}/pid
 %dir %attr(0700,postfix,root) /%{pf_queue_directory}/active
 %dir %attr(0700,postfix,root) /%{pf_queue_directory}/bounce
 %dir %attr(0700,postfix,root) /%{pf_queue_directory}/corrupt
diff --git a/postfix.changes b/postfix.changes
index b2bd872..c3ac694 100644
--- a/postfix.changes
+++ b/postfix.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 9 20:13:42 UTC 2023 - Peter Varkoly
+
+- SELinux: postfix denied to access /var/spool/postfix/pid/master.pid
+ (bsc#1207177) Apply proposed changes in postfix.service
+- remove patch included into the source:
+ harden_postfix.service.patch
+
 -------------------------------------------------------------------
 Wed Jan 25 13:30:52 UTC 2023 - Thorsten Kukuk
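Review bot: The added `%dir %attr(0755,root,root) /%{pf_queue_directory}/pid` in the `@@ -544,6 +542,7 @@` hunk of postfix-bdb.spec carries no comment linking it to the SELinux denial named in the changelog, so a later cleanup could drop it as redundant with what Postfix creates at run time. I would put `# package-owned so pid/ exists as root:root 0755 before first start (bsc#1207177)` above it; that rationale is inferred from the changelog entry and should be confirmed. The identical line in the `@@ -582,6 +580,7 @@` hunk of postfix.spec needs the same comment. Separately, Patch12 is dropped as "included into the source", but postfix-SUSE.tar.gz appears here only as a Git LFS pointer, so this diff cannot show that `PrivateDevices=true`, the `Protect*` directives and `RestrictRealtime=true` are still in the shipped postfix.service. It is worth checking the unpacked unit, for example with `systemd-analyze security postfix.service`, before merging; the %files section continues outside the hunk.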
diff --git a/postfix.spec b/postfix.spec
index d8d6b49..d71db96 100644
--- a/postfix.spec
+++ b/postfix.spec
@@ -72,7 +72,6 @@ Patch8: %{name}-vda-v14-3.0.3.patch
 Patch9: fix-postfix-script.patch
 Patch10: %{name}-avoid-infinit-loop-if-no-permission.patch
 Patch11: set-default-db-type.patch
-Patch12: harden_postfix.service.patch
 BuildRequires: ca-certificates
 BuildRequires: cyrus-sasl-devel
 BuildRequires: diffutils
@@ -188,7 +187,6 @@ maps with Postfix, you need this.
 %patch9
 %patch10
 %patch11
-%patch12
 # ---------------------------------------------------------------------------
@@ -582,6 +580,7 @@ fi
 %exclude %{_mandir}/man5/pgsql_table.5*
 %{_mandir}/man?/*%{?ext_man}
 %dir %attr(0755,root,root) /%{pf_queue_directory}
+%dir %attr(0755,root,root) /%{pf_queue_directory}/pid
 %dir %attr(0700,%{name},root) /%{pf_queue_directory}/active
 %dir %attr(0700,%{name},root) /%{pf_queue_directory}/bounce
 %dir %attr(0700,%{name},root) /%{pf_queue_directory}/corrupt