On Tue, Jul 19, 2022, at 12:24 PM, Lennart Poettering wrote:
>
> by something like this:
>
> <snip>
> ExecStart=/usr/bin/systemd-tmpfiles --create -
> StandardInputText=f /run/sysctl.d/01-coreos-printk.conf - - - - kernel.printk 4
> </snip>
>
> Benefits: no shell, single process forked, no explicit selinux stuff,
> or explicit mkdir, and other MACs will be honoured too if they exist.

Unfortunately doesn't work today since:
[  243.300955] audit: type=1400 audit(1658251774.506:317): avc:  denied  { getattr } for  pid=1801 comm="systemd-sysctl" path="/run/sysctl.d/01-coreos-printk.conf" dev="tmpfs" ino=934 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

But yes, I will look at getting that added to policy.

(FTR there was also a missing `=` in the sysctl text)
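An added example, not part of the message above: a small Python parser for the AVC record quoted in the reply (a constructed, rejoined copy of that line is embedded), which extracts the source and target SELinux types and renders the allow rule the denial implies, the same shape audit2allow would suggest.

```python
import re

# Constructed sample: the AVC denial from the message, rejoined onto one line.
AVC_LINE = (
    'audit: type=1400 audit(1658251774.506:317): avc:  denied  { getattr } for  pid=1801 '
    'comm="systemd-sysctl" path="/run/sysctl.d/01-coreos-printk.conf" dev="tmpfs" ino=934 '
    'scontext=system_u:system_r:systemd_sysctl_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1'
)

# "avc:  denied  { getattr }" or "avc:  granted  { read write }"
_DECISION_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values may be double-quoted (comm, path) or bare (scontext, ino)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing the AVC record, or None if the line is not one."""
    m = _DECISION_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    fields['decision'] = m.group(1)
    fields['perms'] = m.group(2).split()
    # A context is user:role:type:level; TE rules reference the type component.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    # permissive=1 means the access was logged but still allowed (as in the message).
    fields['permissive'] = fields.get('permissive') == '1'
    return fields


def allow_rule(fields):
    """Render the TE allow rule that would cover this denial.

    Here the target type is var_run_t, the default label under /run, so the
    policy fix may be a file-context/transition rule for /run/sysctl.d rather
    than a blanket allow; the rendered rule is the minimal access that was missing.
    """
    return 'allow %s %s:%s { %s };' % (
        fields['stype'], fields['ttype'], fields['tclass'], ' '.join(fields['perms']))


if __name__ == '__main__':
    f = parse_avc(AVC_LINE)
    print(f['comm'], f['path'], 'permissive' if f['permissive'] else 'enforcing')
    print(allow_rule(f))
```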
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org