From 6d3d0c2d8bb7d82f8e01e945180e45f0f68fef75 Mon Sep 17 00:00:00 2001 From: Juan Orti Alcaine <j.orti.alca...@gmail.com> Date: Thu, 30 Jun 2016 09:03:24 +0200 Subject: Additional systemd hardening (RHBZ#1351354)
---
 amavis-mc.service | 4 +++-
 amavisd-clean-quarantine.service | 4 +++-
 amavisd-clean-tmp.service | 4 +++-
 amavisd-new.spec | 5 ++++-
 amavisd-snmp-zmq.service | 4 +++-
 amavisd-snmp.service | 4 +++-
 amavisd.service | 3 +++
 7 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/amavis-mc.service b/amavis-mc.service
index 4dcdc1d..04241b9 100644
--- a/amavis-mc.service
+++ b/amavis-mc.service
@@ -13,7 +13,9 @@ ExecStart=/usr/sbin/amavis-mc -P /var/run/amavisd/amavis-mc.pid
 Restart=on-failure
 PrivateTmp=true
 PrivateDevices=true
-NoNewPrivileges=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/amavisd-clean-quarantine.service b/amavisd-clean-quarantine.service
index 2bb8b3f..10bb01e 100644
--- a/amavisd-clean-quarantine.service
+++ b/amavisd-clean-quarantine.service
@@ -8,5 +8,7 @@ Group=amavis
 PrivateTmp=true
 PrivateDevices=true
 PrivateNetwork=true
-NoNewPrivileges=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
 ExecStart=/usr/sbin/tmpwatch -d 720 /var/spool/amavisd/quarantine
diff --git a/amavisd-clean-tmp.service b/amavisd-clean-tmp.service
index 70fcffc..9a64b0d 100644
--- a/amavisd-clean-tmp.service
+++ b/amavisd-clean-tmp.service
@@ -8,5 +8,7 @@ Group=amavis
 PrivateTmp=true
 PrivateDevices=true
 PrivateNetwork=true
-NoNewPrivileges=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
 ExecStart=/usr/sbin/tmpwatch 24 /var/spool/amavisd/tmp
diff --git a/amavisd-new.spec b/amavisd-new.spec
index 773db38..0207fe9 100644
--- a/amavisd-new.spec
+++ b/amavisd-new.spec
@@ -3,7 +3,7 @@ Summary: Email filter with virus scanner and spamassassin support
 Name: amavisd-new
 Version: 2.11.0
-Release: 2%{?prerelease:.%{prerelease}}%{?dist}
+Release: 3%{?prerelease:.%{prerelease}}%{?dist}
 # LDAP schema is GFDL, some helpers are BSD, core is GPLv2+
 License: GPLv2+ and BSD and GFDL
 Group: Applications/System
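Review bot: `CapabilityBoundingSet=` with an empty value strips every capability from the service, including CAP_SETUID and CAP_SETGID, so any of these units that starts as root and relies on the daemon to drop to the amavis user itself will now fail that privilege drop and not start; the clean-* hunks show `Group=amavis` in their context, but the amavis-mc, amavisd-snmp-zmq, amavisd-snmp and amavisd hunks show no `User=` line and their full [Service] sections are outside the hunks. Either confirm those four units carry `User=amavis` and `Group=amavis`, or keep only what the drop needs, e.g. `CapabilityBoundingSet=CAP_SETUID CAP_SETGID`. The five units other than amavisd.service also lose `NoNewPrivileges=true` here, a relaxation the 2.11.0-3 changelog entry does not record even though the 2.11.0-2 entry tracked the same removal from amavisd.service under RHBZ#1346766; the entry should say so, e.g. `- Drop NoNewPrivileges from the remaining units; add CapabilityBoundingSet=, ProtectSystem=full, ProtectHome=true`. The same hunk is repeated in amavisd-clean-quarantine.service, amavisd-clean-tmp.service, amavisd-snmp-zmq.service, amavisd-snmp.service and amavisd.service; this note covers all of them.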
@@ -313,6 +313,9 @@ systemctl start amavisd-clean-quarantine.timer >/dev/null 2>&1 || :
 %{_sbindir}/amavisd-snmp-subagent-zmq
 
 %changelog
+* Thu Jun 30 2016 Juan Orti Alcaine <jo...@fedoraproject.org> 2.11.0-3
+- Additional systemd hardening (RHBZ#1351354)
+
 * Mon Jun 20 2016 Juan Orti Alcaine <jo...@fedoraproject.org> 2.11.0-2
 - Remove NoNewPrivileges from service unit (RHBZ#1346766)
 
diff --git a/amavisd-snmp-zmq.service b/amavisd-snmp-zmq.service
index d3faae3..5093087 100644
--- a/amavisd-snmp-zmq.service
+++ b/amavisd-snmp-zmq.service
@@ -13,7 +13,9 @@ ExecStart=/usr/sbin/amavisd-snmp-subagent-zmq -P /var/run/amavisd/amavisd-snmp-s
 Restart=on-failure
 PrivateTmp=true
 PrivateDevices=true
-NoNewPrivileges=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/amavisd-snmp.service b/amavisd-snmp.service
index 94b3537..b311ba6 100644
--- a/amavisd-snmp.service
+++ b/amavisd-snmp.service
@@ -11,7 +11,9 @@ ExecStart=/usr/sbin/amavisd-snmp-subagent -D /var/spool/amavisd/db -P /var/run/a
 Restart=on-failure
 PrivateTmp=true
 PrivateDevices=true
-NoNewPrivileges=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/amavisd.service b/amavisd.service
index a8735f9..f39d860 100644
--- a/amavisd.service
+++ b/amavisd.service
@@ -15,6 +15,9 @@ ExecReload=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf reload
 Restart=on-failure
 PrivateTmp=true
 PrivateDevices=true
+CapabilityBoundingSet=
+ProtectSystem=full
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
-- 
cgit v0.12
http://pkgs.fedoraproject.org/cgit/amavisd-new.git/commit/?h=f24&id=6d3d0c2d8bb7d82f8e01e945180e45f0f68fef75
-- 
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/perl-devel@lists.fedoraproject.org