Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked in at 2023-02-17 16:43:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and /work/SRC/openSUSE:Factory/.postfix.new.22824 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Fri Feb 17 16:43:34 2023 rev:223 rq:1065999 version:3.7.3 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix-bdb.changes 2023-02-04 14:26:51.953470777 +0100 +++ /work/SRC/openSUSE:Factory/.postfix.new.22824/postfix-bdb.changes 2023-02-17 16:43:35.906387354 +0100 @@ -1,0 +2,8 @@ +Thu Feb 9 20:13:42 UTC 2023 - Peter Varkoly <[email protected]> + +- SELinux: postfix denied to access /var/spool/postfix/pid/master.pid + (bsc#1207177) Apply proposed changes in postfix.service +- remove patch included into the source: + harden_postfix.service.patch + +------------------------------------------------------------------- postfix.changes: same change Old: ---- harden_postfix.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++ --- /var/tmp/diff_new_pack.qOY0c2/_old 2023-02-17 16:43:36.878392827 +0100 +++ /var/tmp/diff_new_pack.qOY0c2/_new 2023-02-17 16:43:36.882392850 +0100 @@ -85,7 +85,6 @@ Patch8: postfix-vda-v14-3.0.3.patch Patch9: fix-postfix-script.patch Patch10: postfix-avoid-infinit-loop-if-no-permission.patch -Patch12: harden_postfix.service.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel BuildRequires: db-devel @@ -169,7 +168,6 @@ %patch8 %patch9 %patch10 -%patch12 # --------------------------------------------------------------------------- @@ -544,6 +542,7 @@ %exclude %{_mandir}/man5/pgsql_table.5* %{_mandir}/man?/*%{?ext_man} %dir %attr(0755,root,root) /%{pf_queue_directory} +%dir %attr(0755,root,root) /%{pf_queue_directory}/pid %dir %attr(0700,postfix,root) /%{pf_queue_directory}/active %dir %attr(0700,postfix,root) /%{pf_queue_directory}/bounce %dir %attr(0700,postfix,root) /%{pf_queue_directory}/corrupt ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.qOY0c2/_old 2023-02-17 16:43:36.926393098 +0100 +++ /var/tmp/diff_new_pack.qOY0c2/_new 2023-02-17 16:43:36.934393143 +0100 
@@ -72,7 +72,6 @@ Patch9: fix-postfix-script.patch Patch10: %{name}-avoid-infinit-loop-if-no-permission.patch Patch11: set-default-db-type.patch -Patch12: harden_postfix.service.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel BuildRequires: diffutils @@ -188,7 +187,6 @@ %patch9 %patch10 %patch11 -%patch12 # --------------------------------------------------------------------------- @@ -582,6 +580,7 @@ %exclude %{_mandir}/man5/pgsql_table.5* %{_mandir}/man?/*%{?ext_man} %dir %attr(0755,root,root) /%{pf_queue_directory} +%dir %attr(0755,root,root) /%{pf_queue_directory}/pid %dir %attr(0700,%{name},root) /%{pf_queue_directory}/active %dir %attr(0700,%{name},root) /%{pf_queue_directory}/bounce %dir %attr(0700,%{name},root) /%{pf_queue_directory}/corrupt ++++++ postfix-SUSE.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/postfix.service new/postfix-SUSE/postfix.service --- old/postfix-SUSE/postfix.service 2021-06-01 12:46:11.964278086 +0200 +++ new/postfix-SUSE/postfix.service 2023-02-09 21:34:41.717525798 +0100 
@@ -19,10 +19,30 @@ Conflicts=sendmail.service exim.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort + +# Needed write permissions for /etc/aliases.* or /etc/aliases.lmdb +# https://bugzilla.opensuse.org/show_bug.cgi?id=1191988 +#ProtectSystem=full +#ReadWritePaths=/etc/postfix + +ProtectHome=false +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=forking PIDFile=/var/spool/postfix/pid/master.pid ExecStartPre=-/bin/echo 'Starting mail service (Postfix)' EnvironmentFile=-/etc/sysconfig/postfix +ExecStartPre=-/usr/bin/touch /var/spool/postfix/pid/master.pid +ExecStartPre=-/sbin/restorecon -Rv /var/spool/postfix/pid/master.pid ExecStartPre=/usr/lib/postfix/systemd/config_postfix ExecStartPre=/usr/lib/postfix/systemd/update_chroot ExecStartPre=/usr/lib/postfix/systemd/update_postmaps
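Review bot: the new `%dir %attr(0755,root,root) /%{pf_queue_directory}/pid` entry, added right after the queue directory line in both postfix-bdb.spec and postfix.spec, is not mentioned in the .changes entry, which records only the postfix.service change and the dropped harden_postfix.service.patch. Please add a changelog line for it, since it makes the package own the pid directory with a fixed owner and mode, and state there that root:root 0755 is intentional next to the 0700 postfix-owned queue directories listed below it.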
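Review bot: in the postfix.service hunk, the two new ExecStartPre lines placed before config_postfix pre-create and relabel the very file that `PIDFile=/var/spool/postfix/pid/master.pid` points to, and both carry the `-` prefix, so a failing touch or restorecon is ignored and would leave the bsc#1207177 denial in place without failing the unit. Please add a comment tying these two lines to the SELinux bug, drop `-R` from `restorecon -Rv` since the target is a single file rather than a tree, and consider relabelling the pid directory that the spec now packages instead of touching an empty PID file on every start. In the hardening block of the same hunk, `ProtectHome=false` explicitly leaves home directories visible and has no explanation, and the comment above the commented-out `#ProtectSystem=full` names /etc/aliases.* while `#ReadWritePaths=/etc/postfix` would not cover those paths; a one-line reason for each would make it clear what still has to be solved before they can be enabled.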
