On Thu, Nov 30, 2017 at 10:31 AM, Michael Biebl <[email protected]> wrote:
> 2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas <[email protected]>:
> > On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> today I tried to lock down the rsyslog.service that I have on my system.
> >>
> >> For that I first created an override.conf that contained
> >>
> >> [Service]
> >> ProtectHome=yes
> >> PrivateTmp=yes
> >> PrivateDevices=yes
> >>
> >> ProtectSystem=strict
> >> ReadWritePaths=/var/log
> >> ReadWritePaths=/var/spool/rsyslog
> >> ReadWritePaths=/proc/kmsg
> >
> >
> > Are you using imklog or imkmsg? The latter would require the new /dev/kmsg
> > interface (which probably conflicts with PrivateDevices= above).
>
> I suspect it's related to ProtectSystem=strict, as with
> ProtectSystem=full rsyslog seems to start successfully. But this is
> just trial and error.
[…]
> Already tried
> ExecStart=
> ExecStart=/usr/bin/strace -f -o /var/log/strace /usr/sbin/rsyslogd -n
>
> but this didn't produce any /var/log/strace log file.

Then I'm guessing ProtectSystem=strict overrides ReadWritePaths and makes /var/log read-only... I think I've seen other people have that problem recently.

Take a look with `ExecStartPre=/usr/bin/findmnt`.

--
Mantas Mikulėnas <[email protected]>
_______________________________________________ systemd-devel mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/systemd-devel
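An added example, not from the thread above: a small POSIX shell helper that takes `findmnt -n -o TARGET,OPTIONS` style output (as `ExecStartPre=/usr/bin/findmnt` would print from inside the service's mount namespace) and reports which mount covers a path and whether that mount carries the `ro` option. The sample output is constructed to resemble a sandbox with `ProtectSystem=strict` and `ReadWritePaths=/var/log`; it is not captured from the original poster's system.

```shell
#!/bin/sh
# Constructed sample of `findmnt -n -o TARGET,OPTIONS` output as it might look
# inside a service with ProtectSystem=strict and ReadWritePaths=/var/log.
# Hypothetical data: not the original poster's actual mount table.
SAMPLE_FINDMNT='/ ro,relatime
/proc rw,nosuid,nodev,noexec,relatime
/dev rw,nosuid
/var/log rw,relatime
/var/spool ro,relatime
/tmp rw,nosuid,nodev'

# mount_for_path PATH
# Reads "TARGET OPTIONS" lines from stdin and prints the line whose TARGET is
# the longest prefix of PATH, i.e. the mount that actually covers PATH.
mount_for_path() {
    awk -v p="$1" '
        {
            t = $1
            # "/" covers everything; otherwise PATH must equal TARGET or
            # start with TARGET followed by a slash (so /var/log2 != /var/log).
            if (t == "/" || p == t || index(p, t "/") == 1) {
                if (length(t) > length(best)) { best = t; opts = $2 }
            }
        }
        END { if (best != "") print best " " opts }'
}

# path_is_writable PATH
# Returns 0 when the covering mount in SAMPLE_FINDMNT lacks the "ro" option.
path_is_writable() {
    line=$(printf '%s\n' "$SAMPLE_FINDMNT" | mount_for_path "$1")
    opts=${line#* }
    case ",$opts," in
        *,ro,*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Usage: report the mounts relevant to the lockdown discussed above.
for p in /var/log/strace /var/spool/rsyslog /proc/kmsg /usr/sbin/rsyslogd; do
    if path_is_writable "$p"; then state=writable; else state=read-only; fi
    printf '%-22s %-12s %s\n' "$p" "$state" \
        "$(printf '%s\n' "$SAMPLE_FINDMNT" | mount_for_path "$p")"
done
```

With real data, replace `SAMPLE_FINDMNT` by the output that `ExecStartPre=/usr/bin/findmnt -n -o TARGET,OPTIONS` leaves in the journal; a `ReadWritePaths=` entry that still resolves to an `ro` mount is the mismatch to look for.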
