Control: reassign -1 rsyslog
Control: found -1 8.2310.0-2

On 16.11.23 at 19:53, Sven Joachim wrote:
> On 2023-11-16 18:12 +0100, Michael Biebl wrote:
>
>> On 16.11.23 at 17:17, Sven Joachim wrote:
>>> It appears that PrivateTmp=yes was locked down further and is now
>>> remounted read-only (thanks bluca for the reference):
>>> https://github.com/systemd/systemd/commit/4a9e03aa6bb2cbd23dac00f2b2a7642cc79eaade
>>
>> Thanks, I had suspected something along these lines.
>>
>> It's unlikely that systemd upstream is going to revert this behaviour change, so I'm going to reassign this issue to rsyslog to handle it there.
>>
>> We basically have two options as I see it:
>>
>> a/ Drop PrivateDevices=yes from rsyslog.service
>>
>> b/ Move /dev/xconsole to /run and turn /dev/xconsole into a symlink
>>
>> The latter b/ will require updates to the local copies in
>> /etc/tmpfiles.d/ and /etc/rsyslog.d/
>>
>> They would look like this now:
>>
>> $ cat /etc/rsyslog.d/xconsole.conf
>> daemon.*;mail.*;\
>>         news.err;\
>>         *.=debug;*.=info;\
>>         *.=notice;*.=warn       |/run/xconsole
>>
>> $ cat /etc/tmpfiles.d/xconsole.conf
>> # Type Path     Mode UID  GID  Age Argument
>> p /run/xconsole 0640 root adm
>> L /dev/xconsole -    -    -    -   /run/xconsole
>>
>> Conceptually, moving the named pipe out of /dev and into /run is the
>> cleaner solution I think. The /dev/xconsole symlink should make it
>> reasonably backwards compatible.
>>
>> Thoughts?
>
> I think b/ and an appropriate debian/NEWS entry in rsyslog are
> preferable to softening security, even if it means some disruption for
> the minority of users who still monitor logs via xconsole.  But there
> may be more complaints once the changes arrive in testing.

Since b/ is my favorite as well, let's go with this.

> Personally I have made your proposed changes, and after restarting
> rsyslog and xconsole everything works fine again.

Thanks for testing.

Will poke you once I have an MR ready. Maybe you want to proofread the NEWS entry.

Regards,
Michael
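As an added check, not part of the bug thread and not code from the rsyslog or systemd packages: a small POSIX sh function that verifies the layout the proposed tmpfiles.d snippet is meant to produce (a 0640 FIFO at /run/xconsole and a /dev/xconsole symlink pointing at that absolute path). It takes a root directory as its argument so it can be exercised against constructed temporary trees rather than the live system. The function name check_xconsole, the demo trees and the messages are my own; GNU coreutils' `stat -c` is assumed for the mode check, and the root:adm ownership from the tmpfiles.d line is not checked because the demo trees are created unprivileged.

```shell
#!/bin/sh
# Added verification helper (not part of the bug thread): confirms that the
# layout the proposed tmpfiles.d snippet creates is present under a given
# root directory, i.e. a 0640 named pipe at run/xconsole and a dev/xconsole
# symlink whose target is the absolute path /run/xconsole.
# Assumes a POSIX sh and GNU coreutils (stat -c).
check_xconsole() {
    root=$1
    pipe="$root/run/xconsole"
    link="$root/dev/xconsole"

    # rsyslog's "|/run/xconsole" action needs an existing FIFO; a regular
    # file or nothing at all means the tmpfiles.d 'p' line was not applied.
    [ -p "$pipe" ] || { echo "FAIL: $pipe is not a named pipe"; return 1; }

    # The old layout kept the FIFO directly in /dev, which a service running
    # with PrivateDevices=yes can no longer create; the new one is a symlink.
    [ -L "$link" ] || { echo "FAIL: $link is not a symlink"; return 1; }

    target=$(readlink "$link")
    [ "$target" = /run/xconsole ] || { echo "FAIL: $link points at $target"; return 1; }

    # 0640 root:adm from the tmpfiles.d line; only the mode is checked here.
    mode=$(stat -c %a "$pipe")
    [ "$mode" = 640 ] || { echo "FAIL: $pipe has mode $mode, expected 640"; return 1; }

    echo ok
}

# Constructed demo trees (temporary directories, not the live system):
# one with the new layout and one with the pre-migration FIFO still in dev/.
new_root=$(mktemp -d)
mkdir -p "$new_root/run" "$new_root/dev"
mkfifo -m 0640 "$new_root/run/xconsole"
ln -s /run/xconsole "$new_root/dev/xconsole"

old_root=$(mktemp -d)
mkdir -p "$old_root/run" "$old_root/dev"
mkfifo -m 0640 "$old_root/dev/xconsole"

# Remove the demo trees when the shell exits.
trap 'rm -rf "$new_root" "$old_root"' EXIT

check_xconsole "$new_root"                 # prints: ok
check_xconsole "$old_root" || echo "old layout rejected as expected"
```

Run it as root against `/` after applying the tmpfiles.d change (`systemd-tmpfiles --create` or a reboot) to confirm the pipe and symlink are in place before restarting rsyslog; on the demo trees it reports the new layout as ok and rejects the old one because nothing exists at run/xconsole.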
