Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cfengine for openSUSE:Factory checked in at 2021-08-31 19:55:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cfengine (Old) and /work/SRC/openSUSE:Factory/.cfengine.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cfengine"
Tue Aug 31 19:55:17 2021 rev:78 rq:915094 version:3.17.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/cfengine/cfengine.changes 2021-04-19 21:07:02.168122632 +0200
+++ /work/SRC/openSUSE:Factory/.cfengine.new.1899/cfengine.changes 2021-08-31 19:56:14.910003779 +0200
@@ -1,0 +2,17 @@
+Wed Aug 25 15:25:36 UTC 2021 - Johannes Segitz <[email protected]>
+
+- Added hardening to systemd service(s). Added patch(es):
+ * harden_cf-apache.service.patch
+ * harden_cf-execd.service.patch
+ * harden_cf-hub.service.patch
+ * harden_cf-monitord.service.patch
+ * harden_cf-postgres.service.patch
+ * harden_cf-runalerts.service.patch
+ * harden_cf-serverd.service.patch
+ * harden_cfengine3.service.patch
+ Modified:
+ * cf-execd.service
+ * cf-monitord.service
+ * cf-serverd.service
+
+-------------------------------------------------------------------
New:
----
harden_cf-apache.service.patch
harden_cf-execd.service.patch
harden_cf-hub.service.patch
harden_cf-monitord.service.patch
harden_cf-postgres.service.patch
harden_cf-runalerts.service.patch
harden_cf-serverd.service.patch
harden_cfengine3.service.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cfengine.spec ++++++
--- /var/tmp/diff_new_pack.9vYDOc/_old 2021-08-31 19:56:15.806004901 +0200
+++ /var/tmp/diff_new_pack.9vYDOc/_new 2021-08-31 19:56:15.810004905 +0200
@@ -57,6 +57,14 @@
Source17: cf-serverd
Source20: %{name}.cron
Source21: %{name}-rpmlintrc
+Patch0: harden_cf-apache.service.patch
+Patch1: harden_cf-execd.service.patch
+Patch2: harden_cf-hub.service.patch
+Patch3: harden_cf-monitord.service.patch
+Patch4: harden_cf-postgres.service.patch
+Patch5: harden_cf-runalerts.service.patch
+Patch6: harden_cf-serverd.service.patch
+Patch7: harden_cfengine3.service.patch
BuildRequires: bison
BuildRequires: db-devel
BuildRequires: fdupes
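Review bot: The eight new `PatchN:` lines, together with the direct edits to the three packaged units (cf-execd.service, cf-monitord.service, cf-serverd.service), put the same 13-line [Service] block into eleven files, and every upstream release will need the eight patches rebased against misc/systemd/*.service.in. Installing the block once as a systemd drop-in per unit, `%{_unitdir}/<unit>.service.d/hardening.conf` generated from a single Source file, keeps one copy that survives version bumps, and the second hunk's `%patch0 -p1` … `%patch7 -p1` run would shrink to install lines. This is a maintainability point only; the resulting units are equivalent.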
@@ -137,6 +145,14 @@
##### rpmlint #### wrong-file-end-of-line-encoding
find ./examples -type f -name "*.cf" -exec perl -p -i -e 's|\r\n|\n|' {} \;
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
%build
EXPLICIT_VERSION=%{version} autoreconf -fvi -I m4
++++++ cf-execd.service ++++++
--- /var/tmp/diff_new_pack.9vYDOc/_old 2021-08-31 19:56:15.886005001 +0200
+++ /var/tmp/diff_new_pack.9vYDOc/_new 2021-08-31 19:56:15.886005001 +0200
@@ -3,6 +3,19 @@
After=syslog.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
ExecStart=/usr/bin/cf-execd
++++++ cf-monitord.service ++++++
--- /var/tmp/diff_new_pack.9vYDOc/_old 2021-08-31 19:56:15.918005041 +0200
+++ /var/tmp/diff_new_pack.9vYDOc/_new 2021-08-31 19:56:15.918005041 +0200
@@ -3,6 +3,19 @@
After=syslog.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
ExecStart=/usr/bin/cf-monitord
++++++ cf-serverd.service ++++++
--- /var/tmp/diff_new_pack.9vYDOc/_old 2021-08-31 19:56:15.950005081 +0200
+++ /var/tmp/diff_new_pack.9vYDOc/_new 2021-08-31 19:56:15.950005081 +0200
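Review bot: The `ProtectSystem=full` and `ProtectHome=true` lines added between `[Service]` and `Type=forking` in cf-execd.service are likely to break the daemon's actual job rather than merely confine it: cf-execd is CFEngine's scheduler for cf-agent runs (inferred from the product, the hunk shows only `ExecStart=/usr/bin/cf-execd`), and cf-agent rewrites files under /etc, drives package installs into /usr and commonly manages /root, all of which these two directives make read-only or invisible. The mount namespace is inherited, so every cf-agent run and every command it executes is confined the same way, and `ProtectKernelTunables=true` additionally turns agent-managed sysctl writes into EROFS errors. The identical block is added to cf-monitord.service and cf-serverd.service on this page and to all eight harden_*.service.patch files; it bites for cf-execd and cf-serverd, which can spawn cf-agent, while hub, monitord, postgres, apache and runalerts appear to write only below the CFEngine workdir and probably tolerate it. I would keep `PrivateDevices=true`, `ProtectKernelModules=true`, `ProtectKernelLogs=true` and `RestrictRealtime=true` for the agent-spawning units and drop `ProtectSystem=`, `ProtectHome=` and `ProtectKernelTunables=` there, or at minimum run a full agent pass under the new unit on a test host and check the journal for EROFS and permission failures before merging. A comment such as `# ProtectSystem/ProtectHome omitted: cf-agent must write /etc, /usr and /root` next to the block keeps the next automated pass from re-adding them.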
@@ -3,6 +3,19 @@
After=syslog.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
ExecStart=/usr/bin/cf-serverd
++++++ harden_cf-apache.service.patch ++++++
Index: core-3.17.0/misc/systemd/cf-apache.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-apache.service.in
+++ core-3.17.0/misc/systemd/cf-apache.service.in
@@ -7,6 +7,19 @@ ConditionPathExists=@workdir@/httpd/bin/
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
ExecStart=@workdir@/httpd/bin/apachectl start
ExecStop=@workdir@/httpd/bin/apachectl stop
++++++ harden_cf-execd.service.patch ++++++
Index: core-3.17.0/misc/systemd/cf-execd.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-execd.service.in
+++ core-3.17.0/misc/systemd/cf-execd.service.in
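Review bot: For cf-serverd the block above `ExecStart=/usr/bin/cf-serverd` has a failure mode that a start/stop test will not reveal: cf-serverd can execute cf-agent on request from a remote cf-runagent (CFEngine behaviour inferred from the product, not visible in the hunk), and that child inherits `ProtectSystem=full` and `ProtectHome=true`, so an agent run triggered this way fails on its first write to /etc or /root while the daemon itself keeps serving files normally. If remote triggering is not supported on openSUSE hosts, a comment next to the block saying so would justify keeping the full directive set; otherwise the same relaxation as for cf-execd.service applies. Either way the test plan should include one cf-runagent round-trip against a hardened host with the journal open.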
@@ -6,6 +6,19 @@ ConditionPathExists=@workdir@/inputs/pro
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@bindir@/cf-execd --no-fork
Restart=always
++++++ harden_cf-hub.service.patch ++++++
Index: core-3.17.0/misc/systemd/cf-hub.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-hub.service.in
+++ core-3.17.0/misc/systemd/cf-hub.service.in
@@ -10,6 +10,19 @@ After=cf-postgres.service
Requires=cf-postgres.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@bindir@/cf-hub --no-fork
Restart=always
++++++ harden_cf-monitord.service.patch ++++++
Index: core-3.17.0/misc/systemd/cf-monitord.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-monitord.service.in
+++ core-3.17.0/misc/systemd/cf-monitord.service.in
@@ -6,6 +6,19 @@ ConditionPathExists=@workdir@/inputs/pro
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@bindir@/cf-monitord --no-fork
Restart=always
++++++ harden_cf-postgres.service.patch ++++++
Index: core-3.17.0/misc/systemd/cf-postgres.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-postgres.service.in
+++ core-3.17.0/misc/systemd/cf-postgres.service.in
@@ -5,6 +5,19 @@ ConditionPathExists=@bindir@/pg_ctl
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=forking
WorkingDirectory=/tmp
User=cfpostgres
++++++ harden_cf-runalerts.service.patch ++++++
Index: core-3.17.0/misc/systemd/cf-runalerts.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-runalerts.service.in
+++ core-3.17.0/misc/systemd/cf-runalerts.service.in
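Review bot: The block inserted above `Type=forking` / `WorkingDirectory=/tmp` / `User=cfpostgres` in cf-postgres.service.in does not record why `PrivateTmp=true` was left out, and it is the directive a later hardening pass is most likely to add. PostgreSQL by default creates its client Unix socket in /tmp (the socket location is not visible in this hunk, so treat this as the build default unless the packaged configuration overrides it), so PrivateTmp would hide the socket from cf-hub and cf-runalerts, which both declare `Requires=cf-postgres.service`, and they would fail to connect. A one-line comment in the unit, `# PrivateTmp= intentionally omitted: clients reach postgres through its socket in /tmp`, records the constraint; if the socket actually lives under the workdir, `PrivateTmp=true` can be added safely.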
@@ -9,6 +9,19 @@ After=cf-postgres.service
Requires=cf-postgres.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
# We simply launch this script every 60 seconds to perform alert related checks
Type=simple
# The cfapache user must have the rights to write to @workdir@/httpd/php/runalerts_*
++++++ harden_cf-serverd.service.patch ++++++
Index: core-3.17.0/misc/systemd/cf-serverd.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cf-serverd.service.in
+++ core-3.17.0/misc/systemd/cf-serverd.service.in
@@ -8,6 +8,19 @@ ConditionPathExists=@workdir@/inputs/pro
PartOf=cfengine3.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=simple
ExecStart=@bindir@/cf-serverd --no-fork
Restart=always
++++++ harden_cfengine3.service.patch ++++++
Index: core-3.17.0/misc/systemd/cfengine3.service.in
===================================================================
--- core-3.17.0.orig/misc/systemd/cfengine3.service.in
+++ core-3.17.0/misc/systemd/cfengine3.service.in
@@ -26,6 +26,19 @@ Before=cf-hub.service
WantedBy=multi-user.target
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Type=oneshot
RemainAfterExit=yes
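Review bot: The sandbox block added before `Type=oneshot` / `RemainAfterExit=yes` in cfengine3.service.in confines only this unit's own ExecStart, which lies outside the hunk, and does not propagate to the daemons that declare `PartOf=cfengine3.service`; those rely on their own copy from the sibling patches. The generic `# added automatically` comment does not make that clear, so a reader may take this umbrella unit to be what confines the CFEngine daemons. A comment such as `# sandbox here covers only this oneshot; each daemon unit carries its own [Service] hardening` would avoid that reading.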
