42 lines
1.8 KiB
Diff
42 lines
1.8 KiB
Diff
|
From f2a474aea8f82fa9b695515d4590f4f3398358a7 Mon Sep 17 00:00:00 2001
|
||
|
From: Juho Son <juho80.son@samsung.com>
|
||
|
Date: Thu, 11 Sep 2014 16:06:38 +0900
|
||
|
Subject: [PATCH] journald: add CAP_MAC_OVERRIDE in journald for SMACK issue
|
||
|
|
||
|
systemd-journald check the cgroup id to support rate limit option for
|
||
|
every messages. so journald should be available to access cgroup node in
|
||
|
each process send messages to journald.
|
||
|
In system using SMACK, cgroup node in proc is assigned execute label
|
||
|
as each process's execute label.
|
||
|
so if journald don't want to denied for every process, journald
|
||
|
should have all of access rule for all process's label.
|
||
|
It's too heavy. so we could give special smack label for journald te get
|
||
|
all accesses's permission.
|
||
|
'^' label.
|
||
|
When assign '^' execute smack label to systemd-journald,
|
||
|
systemd-journald need to add CAP_MAC_OVERRIDE capability to get that smack privilege.
|
||
|
|
||
|
so I want to notice this information and set default capability to
|
||
|
journald whether system use SMACK or not.
|
||
|
because that capability affect to only smack enabled kernel
|
||
|
---
|
||
|
units/systemd-journald.service.in | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git units/systemd-journald.service.in units/systemd-journald.service.in
|
||
|
index 7013979..4de38fa 100644
|
||
|
--- units/systemd-journald.service.in
|
||
|
+++ units/systemd-journald.service.in
|
||
|
@@ -20,7 +20,7 @@ Restart=always
|
||
|
RestartSec=0
|
||
|
NotifyAccess=all
|
||
|
StandardOutput=null
|
||
|
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
|
||
|
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
|
||
|
WatchdogSec=1min
|
||
|
|
||
|
# Increase the default a bit in order to allow many simultaneous
|
||
|
--
|
||
|
1.7.9.2
|
||
|
|