On Thu, 11.09.14 16:06, Juho Son ([email protected]) wrote:

> systemd-journald checks the cgroup id to support the rate limit option for
> every message, so journald needs to be able to access the cgroup node of
> each process that sends messages to journald.
> In a system using SMACK, the cgroup node in proc is assigned an execute label
> matching each process's execute label.
> So if journald doesn't want to be denied for every process, journald
> would have to have access rules for all processes' labels.
> That's too heavy, so we could give journald a special smack label to get
> permission for all accesses: the '^' label.
> When assigning the '^' execute smack label to systemd-journald,
> systemd-journald needs to have the CAP_MAC_OVERRIDE capability added to get that smack
> privilege.
>
> So I want to note this information and set the default capability for
> journald whether the system uses SMACK or not,
> because that capability only affects smack-enabled kernels.
Applied! Thanks!

> ---
>  units/systemd-journald.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/units/systemd-journald.service.in
> b/units/systemd-journald.service.in
> index 7013979..4de38fa 100644
> --- a/units/systemd-journald.service.in
> +++ b/units/systemd-journald.service.in
> @@ -20,7 +20,7 @@ Restart=always
>  RestartSec=0
>  NotifyAccess=all
>  StandardOutput=null
> -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
> CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER
> CAP_SETUID CAP_SETGID
> +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
> CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER
> CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
>  WatchdogSec=1min
>
> # Increase the default a bit in order to allow many simultaneous
> --
> 1.9.1
>

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
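Review bot: The CAP_MAC_OVERRIDE entry added to the CapabilityBoundingSet= line in units/systemd-journald.service.in carries no comment explaining why journald holds it; the rationale (reading the SMACK-labelled cgroup node of every sending process for rate limiting, via the '^' label) lives only in the commit message and will be lost to anyone reading the unit file. Suggest a comment directly above the setting, e.g. `# CAP_MAC_OVERRIDE is needed on SMACK kernels so journald can read every sender's cgroup node`. Worth noting in that comment too that CAP_MAC_OVERRIDE lets a process bypass Smack access checks in general, not only for the cgroup node, so on SMACK systems this grants journald more than the single read the message describes; the entry is unconditional, as the message says, and only matters on kernels with Smack enabled.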
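A practitioner applying this change will want to confirm that the running journald actually carries the capability, since CapabilityBoundingSet= only describes what the unit permits. The check on a live system is `grep CapBnd /proc/$(pidof systemd-journald)/status` and decoding the hex mask. The script below, an added example that is not part of this thread or of systemd, does that decoding: it turns a CapabilityBoundingSet= line into a bitmask, parses the CapBnd line of a /proc/<pid>/status file, and reports which capabilities the unit asks for but the process lacks. Capability numbers come from the kernel's capability.h (only the ones named in the patch plus CAP_MAC_ADMIN are listed); the status texts and function names are constructed for the example.

```python
"""Compare a unit's CapabilityBoundingSet= against the CapBnd mask of a
running process. Added example, not systemd code."""

# Capability numbers from include/uapi/linux/capability.h (subset).
CAP_NUMBERS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3,
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
    "CAP_AUDIT_CONTROL": 30,
    "CAP_MAC_OVERRIDE": 32,
    "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34,
}

# The unit line before and after the patch in this thread.
UNIT_BEFORE = ("CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE "
               "CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER "
               "CAP_SETUID CAP_SETGID")
UNIT_AFTER = UNIT_BEFORE + " CAP_MAC_OVERRIDE"

# Constructed /proc/<pid>/status excerpts: one journald started from the old
# unit, one from the patched unit (bit 32 set).
STATUS_BEFORE = "Name:\tsystemd-journal\nPid:\t312\nCapBnd:\t00000004402800cf\n"
STATUS_AFTER = "Name:\tsystemd-journal\nPid:\t312\nCapBnd:\t00000005402800cf\n"


def mask_from_unit_line(line):
    """Turn 'CapabilityBoundingSet=CAP_A CAP_B ...' into a bitmask.
    Inverted sets ('~CAP_X') are not handled; unknown names raise KeyError."""
    key, _, value = line.partition("=")
    if key.strip() != "CapabilityBoundingSet":
        raise ValueError("not a CapabilityBoundingSet= line")
    mask = 0
    for name in value.split():
        if name.startswith("~"):
            raise ValueError("inverted capability sets are not handled here")
        mask |= 1 << CAP_NUMBERS[name]
    return mask


def capbnd_from_status(status_text):
    """Extract the CapBnd hex mask from /proc/<pid>/status contents."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def names_from_mask(mask):
    """Known capability names present in mask, ordered by capability number."""
    return sorted((n for n, b in CAP_NUMBERS.items() if (mask >> b) & 1),
                  key=CAP_NUMBERS.get)


def missing_from_bounding_set(unit_line, status_text):
    """Capabilities the unit lists that the running process does not have
    in its bounding set."""
    wanted = mask_from_unit_line(unit_line)
    actual = capbnd_from_status(status_text)
    return names_from_mask(wanted & ~actual)


def check_live(pid):
    """Read the real /proc/<pid>/status and compare against the patched unit."""
    with open("/proc/%d/status" % pid) as f:
        return missing_from_bounding_set(UNIT_AFTER, f.read())


if __name__ == "__main__":
    print("old journald lacks:", missing_from_bounding_set(UNIT_AFTER, STATUS_BEFORE))
    print("new journald lacks:", missing_from_bounding_set(UNIT_AFTER, STATUS_AFTER))
```

CapBnd is only the bounding set; the capability journald actually uses at runtime is the one in CapEff, so the same decoding applied to the `CapEff:` line tells you whether CAP_MAC_OVERRIDE is in effect rather than merely allowed.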
