forked from pool/systemd
ba9b55aa79
1 OBS-URL: https://build.opensuse.org/request/show/262952 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/systemd?expand=0&rev=209
42 lines
1.8 KiB
Diff
42 lines
1.8 KiB
Diff
From f2a474aea8f82fa9b695515d4590f4f3398358a7 Mon Sep 17 00:00:00 2001
|
|
From: Juho Son <juho80.son@samsung.com>
|
|
Date: Thu, 11 Sep 2014 16:06:38 +0900
|
|
Subject: [PATCH] journald: add CAP_MAC_OVERRIDE in journald for SMACK issue
|
|
|
|
systemd-journald check the cgroup id to support rate limit option for
|
|
every messages. so journald should be available to access cgroup node in
|
|
each process send messages to journald.
|
|
In system using SMACK, cgroup node in proc is assigned execute label
|
|
as each process's execute label.
|
|
so if journald don't want to denied for every process, journald
|
|
should have all of access rule for all process's label.
|
|
It's too heavy. so we could give special smack label for journald te get
|
|
all accesses's permission.
|
|
'^' label.
|
|
When assign '^' execute smack label to systemd-journald,
|
|
systemd-journald need to add CAP_MAC_OVERRIDE capability to get that smack privilege.
|
|
|
|
so I want to notice this information and set default capability to
|
|
journald whether system use SMACK or not.
|
|
because that capability affect to only smack enabled kernel
|
|
---
|
|
units/systemd-journald.service.in | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git units/systemd-journald.service.in units/systemd-journald.service.in
|
|
index 7013979..4de38fa 100644
|
|
--- units/systemd-journald.service.in
|
|
+++ units/systemd-journald.service.in
|
|
@@ -20,7 +20,7 @@ Restart=always
|
|
RestartSec=0
|
|
NotifyAccess=all
|
|
StandardOutput=null
|
|
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
|
|
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
|
|
WatchdogSec=1min
|
|
|
|
# Increase the default a bit in order to allow many simultaneous
|
|
--
|
|
1.7.9.2
|
|
|