On Wed, 03.09.14 22:16, Juho Son (juho80....@samsung.com) wrote:

> systemd-journald checks the cgroup id to support the rate limit option for
> every message, so journald should be able to access the cgroup node of
> each process that sends messages to journald.
> In a system using SMACK, the cgroup node in proc is assigned an execute label
> matching each process's execute label.
> So if journald doesn't want to be denied for every process, journald
> would have to have access rules for every process's label.
> That's too heavy, so we could give journald the special smack label that
> grants all access permissions: the '^' label.
> When assigning the '^' execute smack label to systemd-journald,
> systemd-journald needs to add the CAP_MAC_OVERRIDE capability to get that smack
> privilege.
>
> So I want to note this information and set the default capability of
> journald whether the system uses SMACK or not.
I have no idea about SMACK, hence I cannot really review the patch. But if I
get this right, then only SMACK makes use of CAP_MAC_OVERRIDE, hence by adding
the bit to journald we don't affect anything but smack behaviour, right? If
that's the case then I am happy to apply the patch...

> Change-Id: I52e47d6f9b631f365799bb51a66404cf3f1da12b
> Signed-off-by: Juho Son <juho80....@samsung.com>

We don't use S-O-b on systemd...

> ---
>  units/systemd-journald.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/units/systemd-journald.service.in
> b/units/systemd-journald.service.in
> index 7013979..4de38fa 100644
> --- a/units/systemd-journald.service.in
> +++ b/units/systemd-journald.service.in
> @@ -20,7 +20,7 @@ Restart=always
>  RestartSec=0
>  NotifyAccess=all
>  StandardOutput=null
> -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
> CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER
> CAP_SETUID CAP_SETGID
> +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
> CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER
> CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
>  WatchdogSec=1min
>
>  # Increase the default a bit in order to allow many simultaneous
> --
> 1.9.1

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
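Review bot: the new CAP_MAC_OVERRIDE entry on the CapabilityBoundingSet= line is added with no explanation in the unit file itself, while the only justification (journald running under the SMACK '^' label needs this capability to read other processes' cgroup nodes) lives in the cover text of the mail. Since the bounding set applies on every system, not only on SMACK ones, a one-line comment above the directive would help the next person who trims or widens journald's capabilities, for example: `# CAP_MAC_OVERRIDE: required when journald runs with the SMACK '^' label`. The commit message should also answer the question raised in the reply, namely that no MAC module other than SMACK changes its behaviour based on this bit, so that the reviewer's assumption is recorded with the change rather than left implicit.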
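An added example, not code from systemd or from this thread: a small audit script that folds a unit's CapabilityBoundingSet= assignments into the effective bounding set using the merge rules documented in systemd.exec(5) and reports which capabilities from a watchlist the service may retain, run here over the journald line before and after the patch above. The watchlist is an assumption chosen for the demonstration.

```python
"""Audit CapabilityBoundingSet= in a systemd unit (added example, not systemd code)."""
import re
from dataclasses import dataclass

# Capabilities a reviewer wants flagged when a unit may retain them (assumed list).
WATCHLIST = ("CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN")

@dataclass
class BoundingSet:
    inverted: bool   # True: `caps` lists what is *removed* from the full set
    caps: set
    def allows(self, cap):
        return cap not in self.caps if self.inverted else cap in self.caps

_LINE = re.compile(r"^\s*CapabilityBoundingSet\s*=\s*(.*?)\s*$", re.M)

def bounding_set(unit_text):
    """Fold every CapabilityBoundingSet= assignment into the effective set per
    systemd.exec(5): plain lists are ORed, '~' lists are ANDed as complements,
    '' resets to empty, a lone '~' resets to the full set. None = directive absent."""
    cur = None
    for value in _LINE.findall(unit_text):
        if value == "":
            cur = BoundingSet(False, set())
        elif value == "~":
            cur = BoundingSet(True, set())
        else:
            negate = value.startswith("~")
            listed = set(value.lstrip("~").split())
            if cur is None:
                cur = BoundingSet(negate, listed)
            elif negate:   # AND with complement(listed)
                cur = (BoundingSet(True, cur.caps | listed) if cur.inverted
                       else BoundingSet(False, cur.caps - listed))
            else:          # OR with listed
                cur = (BoundingSet(True, cur.caps - listed) if cur.inverted
                       else BoundingSet(False, cur.caps | listed))
    return cur

def flagged(unit_text):
    """Watchlist capabilities the unit is permitted to keep, in watchlist order."""
    bs = bounding_set(unit_text)
    return [c for c in WATCHLIST if bs is None or bs.allows(c)]

# Constructed fragments: journald's bounding set before and after the patch above.
OLD_UNIT = ("[Service]\nCapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE "
            "CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN "
            "CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID\n")
NEW_UNIT = OLD_UNIT.rstrip("\n") + " CAP_MAC_OVERRIDE\n"
```

Calling `flagged(OLD_UNIT)` and `flagged(NEW_UNIT)` shows CAP_MAC_OVERRIDE appearing only after the patch; a `~`-prefixed line or a missing directive (no limit at all) is reported correctly as well.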