repo-sle-update
https://download.opensuse.org/update/leap/15.5/sle/
Update repository with updates from SUSE Linux Enterprise 15
99
/
splash=verbose loglevel=3
auto
false
false
true
console
5
false
true
grub2-efi
false
root:root
/etc/sysconfig/prometheus-node_exporter
644
root:root
/etc/sudoers
440
root:root
/etc/security/autologout.conf
640
root:root
/var/adm/postfix.configured
644
root:root
/etc/postfix/main.cf
644
root:root
/etc/postfix/master.cf
644
root:root
/etc/ssh/sshd_config
640
root:root
/etc/aliases
640
root:root
/etc/fish/conf.d/greeting.fish
644
# AppArmor profile named after the path /opt/irccat/linux_amd64_irccat.
# NOTE(review): a path-named profile attaches to the executable at that path,
# yet the only binary rule below is for /opt/irccat/irccat. Confirm which path
# is really installed; if it is /opt/irccat/irccat this profile never applies.
# NOTE(review): the two #include lines have no target on this page (presumably
# the angle-bracketed abstraction names were lost in extraction), so the
# effective permissions are wider than the rules shown. Check the deployed file.
/opt/irccat/linux_amd64_irccat {
#include
#include
# Read-only access to /etc/irccat.json (presumably the daemon's configuration).
/etc/irccat.json r,
# m = may be mapped executable, r = read. No write and no exec transition.
/opt/irccat/irccat mr,
# Kernel listen-backlog limit, read-only.
/proc/sys/net/core/somaxconn r,
}
# NOTE(review): the next line closes a block a second time with no opener in
# view; if that brace reaches the written file the parser will presumably
# reject the profile and leave the binary unconfined. Confirm.
}]]>
root:root
/etc/apparmor.d//etc/apparmor.d/opt.irccat.irccat
600
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2012 Canonical Ltd.
# Copyright (C) 2015-2016 Simon Deziel
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#
# vim:syntax=apparmor
# Profile for the OpenSSH daemon, with a nested child profile "passwd".
# NOTE(review): this policy is broad. It grants read on the whole filesystem,
# write on anything the running user owns, and unconfined execution of login
# shells, so it mainly constrains capabilities and exec transitions of the
# daemon itself rather than its file access.
# NOTE(review): the #include lines have no target on this page (presumably the
# angle-bracketed abstraction names were lost in extraction); whatever they
# pull in adds to the rules below. Check the deployed file.
/usr/sbin/sshd {
#include
#include
#include
#include
#include
#include
# Explicit deny: takes precedence over any allow rule and is not logged.
deny capability net_admin,
# Capabilities granted to the daemon. dac_override and dac_read_search bypass
# file permission checks; sys_ptrace permits tracing other processes.
capability audit_control,
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_ptrace,
capability sys_resource,
capability sys_tty_config,
# May read and trace processes that run without an AppArmor profile.
ptrace (read trace) peer=unconfined,
# Read access to the root directory and everything beneath it. The narrower
# read-only rules that follow appear redundant next to this glob.
/ r,
/** r,
# Pseudo-terminal allocation for login sessions.
/dev/ptmx rw,
/dev/pts/[0-9]* rw,
/dev/urandom r,
/etc.legal r,
/etc/default/locale r,
/etc/environment r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/modules.conf r,
/etc/motd r,
/etc/security/** r,
/etc/ssh/** r,
/etc/ssl/openssl.cnf r,
/sys/fs/cgroup/*/user/*/[0-9]*/ rw,
/sys/fs/cgroup/systemd/user.slice/user-[0-9]*.slice/session-c[0-9]*.scope/ rw,
# Agent-forwarding socket directory and socket under /tmp.
/tmp/ssh-[a-zA-Z0-9]*/ w,
/tmp/ssh-[a-zA-Z0-9]*/agent.[0-9]* wl,
# Cx: passwd runs in the child profile "passwd" defined at the end of this
# profile; the uppercase C scrubs the environment on the transition.
/usr/bin/passwd Cx -> passwd,
# PUx: use sftp-server's own profile if one is loaded, otherwise run it
# unconfined; the environment is scrubbed either way.
# NOTE(review): /usr/lib/openssh/ is the Debian/Ubuntu location; on openSUSE
# sftp-server usually lives under /usr/lib/ssh/. Confirm the path, because
# /** r alone does not permit executing it.
/usr/lib/openssh/sftp-server PUx,
# ix: sshd may re-execute itself and stays inside this profile.
/usr/sbin/sshd mrix,
/usr/share/ssh/blacklist.* r,
/var/log/btmp rw,
/{,var/}run/motd{,.dynamic}{,.new} rw,
# Login shells (and amandad) are started with Ux: the child leaves AppArmor
# confinement entirely, with a scrubbed environment. User sessions are
# therefore not restricted by this profile.
/{usr/,}bin/ash rUx,
/{usr/,}bin/bash rUx,
/{usr/,}bin/bash2 rUx,
/{usr/,}bin/fish rUx,
/{usr/,}lib/amanda/amandad rUx,
/{usr/,}bin/bsh rUx,
/{usr/,}bin/csh rUx,
/{usr/,}bin/dash rUx,
/{usr/,}bin/false rUx,
/{usr/,}bin/ksh rUx,
/{usr/,}bin/sh rUx,
/{usr/,}bin/tcsh rUx,
/{usr/,}bin/zsh rUx,
/{usr/,}bin/zsh4 rUx,
/{usr/,}bin/zsh5 rUx,
/{usr/,}sbin/nologin rUx,
@{HOME}/.ssh/authorized_keys{,2} r,
@{PROC}/1/environ r,
@{PROC}/@{pids}/fd/ r, # pid of the just-logged in user's shell
@{PROC}/@{pid}/task/@{pid}/attr/exec w,
@{PROC}/cmdline r,
# owner-qualified rules apply only to files owned by the user the process is
# currently running as. This one allows read, write and hard-link on any
# such file anywhere in the filesystem.
owner /** rwl,
owner /{,var/}run/sshd{,.init}.pid wl,
owner @{PROC}/@{pid}/limits r,
owner @{PROC}/@{pid}/loginuid rw,
owner @{PROC}/@{pid}/mounts r,
owner @{PROC}/@{pid}/oom_adj rw,
owner @{PROC}/@{pid}/oom_score_adj rw,
owner @{PROC}/@{pid}/uid_map r,
# Child profile entered through the Cx rule above when sshd executes
# /usr/bin/passwd.
profile passwd {
#include
#include
#include
capability audit_write,
capability chown,
capability fsetid,
capability ipc_lock,
capability setgid,
capability setuid,
/dev/pts/[0-9]* rw,
# ix: gnome-keyring-daemon runs inside this child profile.
/usr/bin/gnome-keyring-daemon ix,
/usr/bin/passwd r,
/{,var/}run/utmp rwk,
# Password database and its lock file, writable only when owned by the
# running user (k = file locking).
owner /etc/.pwd.lock rwk,
owner /etc/nshadow rw,
owner /etc/shadow rw,
owner @{HOME}/.cache/keyring-*/ rw,
owner @{HOME}/.cache/keyring-*/control rw,
owner @{PROC}/@{pid}/loginuid r,
owner @{PROC}/@{pid}/status r,
}
}]]>
root:root
/etc/apparmor.d/usr.sbin.sshd
600
# Profile for the chrony NTP daemon.
# NOTE(review): the two #include lines have no target on this page (presumably
# the angle-bracketed abstraction names were lost in extraction); whatever they
# pull in, including any network rules, adds to what is shown. Check the
# deployed file.
/usr/sbin/chronyd {
#include
#include
# chown/setgid/setuid support dropping privileges and fixing up runtime
# files; dac_override and dac_read_search bypass file permission checks.
capability chown,
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
# sys_time is what lets the daemon set the system clock.
capability sys_time,
/run/chronyd.pid w,
# m = may be mapped executable, r = read; no exec transitions are granted.
/usr/sbin/chronyd mr,
# owner-qualified rules apply only to files owned by the user the process is
# running as. Only the two drop-ins named here are readable under
# /etc/chrony.d/; any other file placed there would be denied unless an
# included abstraction allows it.
owner /etc/chrony.conf r,
owner /etc/chrony.d/ r,
owner /etc/chrony.d/cmdport.conf r,
owner /etc/chrony.d/pool.conf r,
# Runtime directory, pid file and control socket.
owner /run/chrony/ w,
owner /run/chrony/chronyd.pid w,
owner /run/chrony/chronyd.sock rw,
# Clock drift state and its temporary replacement file.
owner /var/lib/chrony/drift rw,
owner /var/lib/chrony/drift.tmp rw,
}]]>
root:root
/etc/apparmor.d/usr.sbin.chronyd
600
# Lysergic
# AppArmor confinement for local Postfix MTA
# One profile for the postfix control program and everything it starts: every
# helper and daemon below is executed with ix, so master, smtpd, smtp, local
# and the shell utilities all stay in this profile and share the union of
# these permissions. There is no per-daemon separation.
# NOTE(review): the #include lines have no target on this page (presumably the
# angle-bracketed abstraction names were lost in extraction); whatever they
# pull in adds to the rules below. Check the deployed file.
/usr/sbin/postfix {
#include
#include
#include
#include
#include
#include
#include
#include
# dac_read_search bypasses read/search permission checks; kill permits
# signalling processes owned by other users.
capability dac_read_search,
capability kill,
# May send SIGTERM to processes that run without an AppArmor profile.
signal send set=term peer=unconfined,
# Shell runs inside this profile (ix), not unconfined.
/bin/bash ix,
# Lookup-table databases: k = file locking, for any owner. The matching
# owner-qualified rk rules further down add read access.
/etc/aliases.db k,
/etc/aliases.lmdb k,
/etc/postfix/canonical.lmdb k,
/etc/postfix/relay.lmdb k,
/etc/postfix/relocated.lmdb k,
/etc/postfix/sender_canonical.lmdb k,
/etc/postfix/transport.lmdb k,
/etc/postfix/virtual.lmdb k,
# Utilities run by the postfix scripts, all inheriting this profile
# (m = executable mapping, r = read, ix = inherit on exec).
/usr/bin/bash mrix,
/usr/bin/chmod mrix,
/usr/bin/chown mrix,
/usr/bin/cmp mrix,
/usr/bin/egrep mrix,
/usr/bin/find mrix,
/usr/bin/gawk mrix,
/usr/bin/grep mrix,
/usr/bin/mkdir mrix,
/usr/bin/sed mrix,
/usr/bin/sleep mrix,
/usr/bin/sort mrix,
/usr/bin/tr mrix,
/usr/bin/uname mrix,
# Postfix daemons and helper scripts, likewise kept inside this profile.
/usr/lib/postfix/bin/anvil mrix,
/usr/lib/postfix/bin/bounce mrix,
/usr/lib/postfix/bin/cleanup mrix,
/usr/lib/postfix/bin/error mrix,
/usr/lib/postfix/bin/flush mrix,
/usr/lib/postfix/bin/local mrix,
/usr/lib/postfix/bin/master mrix,
/usr/lib/postfix/bin/pickup mrix,
/usr/lib/postfix/bin/post-install mrix,
# NOTE(review): redundant, the rule above already grants r on this path.
/usr/lib/postfix/bin/post-install r,
/usr/lib/postfix/bin/postfix-script mrix,
/usr/lib/postfix/bin/proxymap mrix,
/usr/lib/postfix/bin/qmgr mrix,
/usr/lib/postfix/bin/scache mrix,
/usr/lib/postfix/bin/showq mrix,
/usr/lib/postfix/bin/smtp mrix,
/usr/lib/postfix/bin/smtpd mrix,
/usr/lib/postfix/bin/tlsmgr mrix,
/usr/lib/postfix/bin/trivial-rewrite mrix,
/usr/sbin/postconf mrix,
/usr/sbin/postfix mr,
/usr/sbin/postlog mrix,
/usr/sbin/postqueue mrix,
/usr/sbin/postsuper mrix,
/usr/share/icu/** r,
/var/lib/postfix/ r,
/var/spool/postfix/ r,
# Write and lock on everything under the spool for any file owner; read on
# spool files is owner-qualified further down.
/var/spool/postfix/** wk,
/var/spool/postfix/*/ rwk,
/var/spool/postfix/defer/*/ rwk,
/var/spool/postfix/deferred/*/ rwk,
/var/spool/postfix/maildrop/* rwk,
/var/spool/postfix/public/* rwk,
# owner-qualified rules apply only to files owned by the user the process is
# currently running as.
owner /bin/bash mr,
owner /etc/aliases.db rk,
owner /etc/aliases.lmdb rk,
owner /etc/postfix/ r,
owner /etc/postfix/canonical.lmdb rk,
owner /etc/postfix/relay.lmdb rk,
owner /etc/postfix/relocated.lmdb rk,
owner /etc/postfix/sender_canonical.lmdb rk,
owner /etc/postfix/ssl/ r,
owner /etc/postfix/ssl/certs/ r,
owner /etc/postfix/system/ r,
owner /etc/postfix/transport.lmdb rk,
owner /etc/postfix/virtual.lmdb rk,
owner /etc/postfix/virtual_domains r,
owner /proc/*/maps r,
owner /usr/sbin/sendmail r,
owner /var/lib/postfix/master.lock rwk,
owner /var/lib/postfix/prng_exch rwk,
owner /var/lib/postfix/smtp_scache.db rwk,
owner /var/spool/postfix/** r,
owner /var/spool/postfix/active/* rwk,
# The next two rules together amount to rw on the incoming queue files.
owner /var/spool/postfix/incoming/* r,
owner /var/spool/postfix/incoming/* w,
owner /var/spool/postfix/pid/inet.smtp rw,
owner /var/spool/postfix/pid/master.pid rwk,
owner /var/spool/postfix/pid/unix.cleanup rw,
owner /var/spool/postfix/pid/unix.defer rw,
owner /var/spool/postfix/pid/unix.local rw,
owner /var/spool/postfix/pid/unix.smtp rw,
owner /var/spool/postfix/public/* rw,
# Local mailbox files under /var/mail or /var/spool/mail.
owner /var/{,spool/}mail/* rwk,
}]]>
root:root
/etc/apparmor.d/usr.sbin.postfix
600
# Profile attached to the executable /opt/irccat/irccat. The visible rules are
# read-only: no write access, no capabilities and no exec transitions.
# NOTE(review): the two #include lines have no target on this page (presumably
# the angle-bracketed abstraction names were lost in extraction); whatever they
# pull in, including any network rules, adds to what is shown. Check the
# deployed file.
/opt/irccat/irccat {
#include
#include
# m = may be mapped executable, r = read.
/opt/irccat/irccat mr,
# Kernel listen-backlog limit, read-only.
/proc/sys/net/core/somaxconn r,
# Read-only access to /etc/irccat.json (presumably the daemon's configuration).
/etc/irccat.json r,
}]]>
root:root
/etc/apparmor.d/opt.irccat.irccat
600
root:root
/etc/chrony.d/cmdport.conf
640
public
true
off
true
Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.
false
block
Block
%%REJECT%%
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
false
dmz
DMZ
default
Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.
false
drop
Drop
DROP
For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
true
external
External
default
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
false
home
Home
default
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
%%INTERFACETWO%%
false
internal
9200/tcp
Internal
default
ssh
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
%%INTERFACEONE%%
false
public
Public
default
All network connections are accepted.
false
trusted
Trusted
ACCEPT
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
false
work
Work
default
false
networking
partitioning
10
Interface name 1
eth0
initial
Interfaces
20
Interface name 2
eth1
initial
Interfaces
08
true
Password
initial
LYSERGIC Deployment
10
false
networking,dns,hostname
Hostname
initial
LYSERGIC Deployment
true
false
false
false
false
false
false
false
false
false
true
true
100
x
users
true
0
x
root
true
1
x
bin
daemon
true
499
x
messagebus
true
486
x
tape
true
497
x
wheel
georg,pratyush
true
492
x
cdrom
true
65534
x
nobody
true
5
x
tty
true
491
x
dialout
true
487
x
lp
true
488
x
kvm
true
485
x
video
true
483
x
systemd-timesync
true
15
x
shadow
true
496
x
kmem
true
479
x
sshd
true
490
x
disk
true
59
x
maildrop
postfix
true
42
x
trusted
true
493
x
audio
true
498
!
mail
postfix
true
495
x
lock
true
2
x
daemon
true
494
x
utmp
true
489
x
input
true
482
x
systemd-network
true
51
x
postfix
true
481
x
systemd-coredump
true
480
x
chrony
true
65533
x
nogroup
nobody
true
484
x
systemd-journal
::1
localhost ipv6-localhost ipv6-loopback
192.168.0.120
selene.psyched.dev zz0.email
fe00::0
ipv6-localnet
ff00::0
ipv6-mcastprefix
ff02::1
ipv6-allnodes
ff02::2
ipv6-allrouters
ff02::3
ipv6-allhosts
%%IPADDRESSONE_STRIPPED%%
%%HOSTNAME%%.%%DOMAIN%% %%HOSTNAME%%
german
en_US
en_US
%%INTERFACEONE%%
static
auto
%%IPADDRESSONE%%
%%INTERFACETWO%%
static
auto
%%IPADDRESSTWO%%
false
false
false
default
-
%%GATEWAY%%
false
%%HOSTNAME%%
%%DOMAIN%%
%%NS1%%
%%NS2%%
%%DOMAIN%%
true
true
false
0.opensuse.pool.ntp.org
true
false
1.opensuse.pool.ntp.org
true
false
2.opensuse.pool.ntp.org
true
false
3.opensuse.pool.ntp.org
true
false
systemd
false
localhost,127.0.0.1
true
true
0
true
true
0
true
true
0
true
true
0
multi-user
wickedd-dhcp4
wickedd-dhcp6
wickedd-auto4
wickedd-nanny
YaST2-Firstboot
YaST2-Second-Stage
apparmor
auditd
chronyd
cron
firewalld
getty@tty1
haveged
irqbalance
kbdsettings
wicked
acct
sshd
postfix
false
false
zypper
yast2
yast2-users
yast2-services-manager
yast2-ntp-client
yast2-network
yast2-installation
yast2-firewall
yast2-bootloader
yast2-add-on
yast2-snapper
wicked
vim-small
system-group-wheel
sudo
snapper
seccheck
openssh
openSUSE-release
numactl
irqbalance
grub2
grub2-snapper-plugin
glibc
fish
firewalld
cryptsetup
cron
chrony
btrfsprogs
autoyast2-installation
autoyast2
haveged
postfix
apparmor-utils
ca-certificates
ca-certificates-mozilla
netcat-openbsd
qemu-guest-agent
acct
yast2-online-update-configuration
iputils
htop
which
golang-github-prometheus-node_exporter
yast2-theme
apparmor
minimal_base
Leap
false
false
UTC
Europe/Berlin
100
/home
0
true
/usr/bin/fish
/etc/skel
027
true
georg
100
/home/georg
false
0
90
0
14
/usr/bin/fish
1000
$6$0VgTPee915jk$WNcjWfjdgaZgN0Wy66ZRBs/5wUGsDegmCV4g7NkzO4vf4SHWS1Pn8SR8xyKOe5SUYza/p/9w7K99lzFGANr2i1
georg
false
100
/home/pratyush
false
0
90
0
14
/usr/bin/fish
1001
!
pratyush
!
install
true
nobody
65534
/var/lib/nobody
false
99999
0
7
/bin/bash
65534
!
nobody
true
systemd Time Synchronization
483
/
false
99999
0
7
/sbin/nologin
483
!!
systemd-timesync
true
systemd Network Management
482
/
false
99999
0
7
/sbin/nologin
482
!!
systemd-network
true
Chrony Daemon
480
/var/lib/chrony
false
99999
0
7
/bin/false
480
!
chrony
true
systemd Core Dumper
481
/
false
99999
0
7
/sbin/nologin
481
!!
systemd-coredump
true
Postfix Daemon
51
/var/spool/postfix
false
0
99999
0
7
/bin/false
51
!
postfix
true
SSH daemon
479
/var/lib/sshd
false
99999
0
7
/bin/false
479
!
sshd
true
root
0
/root
false
99999
0
7
/bin/bash
0
$6$IbjLr5JKU0eC$Cu6k/0FwnRbAf9/y0X22p/n5by2WJG86KEZ6w3ktDrpEdjPcSG1CLgCJ3ZSdrqQHJNMeShxnwgOm8JlJT1QWD1
root
true
User for D-Bus
499
/run/dbus
false
99999
0
7
/usr/bin/false
499
!
messagebus
true
Mailer daemon
498
/var/spool/clientmqueue
false
0
99999
0
7
/sbin/nologin
498
!
mail
true
bin
1
/bin
false
99999
0
7
/sbin/nologin
1
!
bin
true
NFS statd daemon
65533
/var/lib/nfs
false
0
99999
0
7
/sbin/nologin
477
!
statd
true
Daemon
2
/sbin
false
99999
0
7
/sbin/nologin
2
!
daemon
true
user for rpcbind
65534
/var/lib/empty
false
0
99999
0
7
/sbin/nologin
478
!
rpc
true
true
false
false
true
weekly
true
lysergic.dev
/mnt/storage-warsaw
defaults
vault.sun.lysergic.dev:/mnt/storage
nfs4
yes
secure local
nobody