From 6a57ea01fd48992883d6dac1b7746e79202215e4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sat, 8 Dec 2018 01:06:06 +0100
Subject: =?UTF-8?q?systemd:=20Replace=20=E2=80=98ProtectSystem=3Dfull?=
 =?UTF-8?q?=E2=80=99=20with=20=E2=80=98ProtectSystem=3Dstrict=E2=80=99.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
---
 roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service | 3 +--
 roles/MSA/files/etc/systemd/system/postfix-sender-login.service | 3 +--
 roles/bacula-dir/files/etc/systemd/system/bacula-director.service | 3 +--
 roles/bacula-sd/files/etc/systemd/system/bacula-sd.service | 3 +--
 roles/common/files/etc/systemd/system/bacula-fd.service | 3 +--
 roles/common/files/etc/systemd/system/stunnel4@.service | 3 +--
 roles/lists/files/etc/systemd/system/wwsympa.service | 2 +-
 roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service | 3 +--
 roles/munin-master/files/etc/systemd/system/munin-cgi-html.service | 3 +--
 9 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
index ea5895c..7e790e3 100644
--- a/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
+++ b/roles/IMAP/files/etc/systemd/system/dovecot-auth-proxy.service
@@ -13,9 +13,8 @@ ExecStart=/usr/local/bin/dovecot-auth-proxy.pl
 # Hardening
 NoNewPrivileges=yes
 PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=read-only
-ReadOnlyDirectories=/
 RestrictAddressFamilies=
 
 [Install]
diff --git a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
index 3ceb310..09204fa 100644
--- a/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
+++ b/roles/MSA/files/etc/systemd/system/postfix-sender-login.service
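Review bot: With ProtectSystem=strict the whole hierarchy including /run, /var and /tmp becomes read-only, and dovecot-auth-proxy.service declares no ReadWritePaths=, RuntimeDirectory= or PrivateTmp=, so any runtime write by the proxy (a listening socket or pid file under /run, a temporary file) will now fail with EROFS where it succeeded under full; confirm the proxy writes nothing at runtime, or add a `RuntimeDirectory=` naming the directory it uses. The same applies to postfix-sender-login.service and stunnel4@.service in this commit, which also move to strict with no writable path declared; for stunnel in particular check whether its configuration sets a `pid =` or `output =` path under /var/run or /var/log. Separately, the unchanged `RestrictAddressFamilies=` line with an empty value undoes any earlier address-family restriction rather than denying all families, which may not be what this hardening block intends. The [Service] section starts before the hunk.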
@@ -14,8 +14,7 @@ ExecStart=/usr/local/bin/postfix-sender-login.pl
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 
 [Install]
diff --git a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
index 8f952c6..2c09f61 100644
--- a/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
+++ b/roles/bacula-dir/files/etc/systemd/system/bacula-director.service
@@ -14,8 +14,7 @@ ExecStart=/usr/sbin/bacula-dir -c /etc/bacula/bacula-dir.conf
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
 ReadWriteDirectories=-/var/lib/bacula
 ReadWriteDirectories=-/var/log/bacula
 ReadWriteDirectories=-/var/run/bacula
diff --git a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
index 698ad17..0e27af3 100644
--- a/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
+++ b/roles/bacula-sd/files/etc/systemd/system/bacula-sd.service
@@ -14,8 +14,7 @@ ExecStart=/usr/sbin/bacula-sd -c /etc/bacula/bacula-sd.conf
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
 ReadWriteDirectories=-/var/lib/bacula
 ReadWriteDirectories=-/var/run/bacula
 ReadWriteDirectories=/mnt/backup/bacula
diff --git a/roles/common/files/etc/systemd/system/bacula-fd.service b/roles/common/files/etc/systemd/system/bacula-fd.service
index ee5afe3..68934f1 100644
--- a/roles/common/files/etc/systemd/system/bacula-fd.service
+++ b/roles/common/files/etc/systemd/system/bacula-fd.service
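Review bot: The `ReadWriteDirectories=` lines kept as context in bacula-director.service use the spelling that systemd 231 renamed to `ReadWritePaths=` (and `ReadOnlyDirectories=` to `ReadOnlyPaths=`); since the commit is already rewriting these hardening blocks, switching to the current names here and in bacula-sd.service, bacula-fd.service, wwsympa.service and the two munin-cgi units would stop relying on the deprecated aliases. The `-/var/run/bacula` exception could instead be expressed as `RuntimeDirectory=bacula`, which creates the directory under /run with the service's ownership and keeps it writable under strict without a path exception; confirm the director's configured pid and working directories match before changing it. The [Service] section starts before the hunk and continues past it.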
@@ -12,9 +12,8 @@ ExecStart=/usr/sbin/bacula-fd -c /etc/bacula/bacula-fd.conf
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=read-only
-ProtectSystem=full
+ProtectSystem=strict
 PrivateTmp=yes
-ReadOnlyDirectories=/
 ReadWriteDirectories=-/var/lib
 ReadWriteDirectories=-/var/run/bacula
 
diff --git a/roles/common/files/etc/systemd/system/stunnel4@.service b/roles/common/files/etc/systemd/system/stunnel4@.service
index e53d29e..d634e50 100644
--- a/roles/common/files/etc/systemd/system/stunnel4@.service
+++ b/roles/common/files/etc/systemd/system/stunnel4@.service
@@ -16,8 +16,7 @@ Restart=on-failure
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/lists/files/etc/systemd/system/wwsympa.service b/roles/lists/files/etc/systemd/system/wwsympa.service
index 4e3d94b..cccf508 100644
--- a/roles/lists/files/etc/systemd/system/wwsympa.service
+++ b/roles/lists/files/etc/systemd/system/wwsympa.service
@@ -14,7 +14,7 @@ ExecStart=/usr/lib/cgi-bin/sympa/wwsympa.fcgi
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
-ProtectSystem=full
+ProtectSystem=strict
 PrivateTmp=yes
 ReadOnlyDirectories=/
 ReadWriteDirectories=-/var/lib/sympa
diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service
index 60ab444..c8a3609 100644
--- a/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-graph.service
@@ -14,8 +14,7 @@ ExecStart=/usr/lib/munin/cgi/munin-cgi-graph
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
 ReadWriteDirectories=-/var/log/munin
 ReadWriteDirectories=-/var/lib/munin/cgi-tmp/munin-cgi-graph
 
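Review bot: In bacula-fd.service the `ReadWriteDirectories=-/var/lib` exception left in place makes the whole of /var/lib writable again (dpkg, apt and systemd state plus every other service's data), which largely cancels what the move to ProtectSystem=strict buys for this unit; the other bacula units in this commit scope the exception to `-/var/lib/bacula`. Unless the file daemon has to write restores into arbitrary paths under /var/lib, narrowing it to `ReadWriteDirectories=-/var/lib/bacula` would match them. Note also that the sandbox applies to restores: with strict the daemon can only write to the paths listed here (and /home is read-only via ProtectHome=read-only), so a restore to the original location of anything else will fail; if that is intended, a comment stating where restores are expected to land would help the next reader. The [Service] section starts before the hunk.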
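Review bot: wwsympa.service is the one unit in this commit that keeps `ReadOnlyDirectories=/` after the switch to ProtectSystem=strict, contradicting the commit message, which removes the line elsewhere because strict implies it. It is harmless but redundant, and the `ReadWriteDirectories=-/var/lib/sympa` exception below it should still take precedence as the more specific path, so dropping the line keeps all nine units consistent. The [Service] section starts before the hunk and continues past it.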
diff --git a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
index 119d3a2..3c0c0e5 100644
--- a/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
+++ b/roles/munin-master/files/etc/systemd/system/munin-cgi-html.service
@@ -14,8 +14,7 @@ ExecStart=/usr/lib/munin/cgi/munin-cgi-html
 NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectHome=yes
-ProtectSystem=full
-ReadOnlyDirectories=/
+ProtectSystem=strict
 ReadWriteDirectories=-/var/log/munin
 
 [Install]
-- 
cgit v1.2.3