On Thu, Nov 30, 2017 at 10:31 AM, Michael Biebl <mbi...@gmail.com> wrote:
> 2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas <graw...@gmail.com>:
> > On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl <mbi...@gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> today I tried to lock down the rsyslog.service that I have on my system.
> >>
> >> For that I first created an override.conf that contained
> >>
> >> [Service]
> >> ProtectHome=yes
> >> PrivateTmp=yes
> >> PrivateDevices=yes
> >>
> >> ProtectSystem=strict
> >> ReadWritePaths=/var/log
> >> ReadWritePaths=/var/spool/rsyslog
> >> ReadWritePaths=/proc/kmsg
> >
> >
> > Are you using imklog or imkmsg? The latter would require the new /dev/kmsg
> > interface (which probably conflicts with PrivateDevices= above).
>
> I suspect it's related to ProtectSystem=strict, as with
> ProtectSystem=full rsyslog seems to start successfully. But this is
> just trial and error.
[…]
> Already tried
> ExecStart=
> ExecStart=/usr/bin/strace -f -o /var/log/strace /usr/sbin/rsyslogd -n
>
> but this didn't produce any /var/log/strace log file.
>

Then I'm guessing ProtectSystem=strict overrides ReadWritePaths and makes
/var/log read-only... I think I've seen other people have that problem
recently. Take a look with `ExecStartPre=/usr/bin/findmnt`.

-- 
Mantas Mikulėnas <graw...@gmail.com>
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
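Mantas's suggestion is to run findmnt from inside the sandbox and see what the mount table actually looks like. The script below, an added example that is not part of the thread and not code from systemd or rsyslog, turns that into a cross-check: it parses the drop-in with systemd's assignment rules (repeated ReadWritePaths= lines accumulate, an empty ExecStart= resets the previous value, which is what Michael's override relies on), predicts which paths should be writable, and compares that against `findmnt -rno TARGET,OPTIONS` output captured via ExecStartPre=. The model of ProtectSystem= (true/full make /usr, /boot and /etc read-only; strict makes everything read-only except /dev, /proc and /sys) and the longest-prefix precedence between path rules are the author's reading of systemd.exec(5), not something the thread states. The override text is the one Michael posted; both findmnt tables are constructed here, one showing the expected bind mounts and one showing the failure Mantas suspects, where nothing remounts /var/log writable and the strace log can never be created.

```python
"""Cross-check a systemd drop-in's filesystem sandbox against the mount
table seen from inside the service (findmnt run via ExecStartPre=).
Added example; the ProtectSystem= model below is an assumption drawn from
systemd.exec(5), not from the mailing-list thread."""

# Read-only prefixes implied by ProtectSystem=. "strict" is modelled as a
# read-only rule on "/" with the API file systems exempted.
PROTECT_SYSTEM_RO = {
    "true": ("/usr", "/boot"),
    "yes": ("/usr", "/boot"),
    "full": ("/usr", "/boot", "/etc"),
    "strict": ("/",),
}
API_FS = ("/dev", "/proc", "/sys")
PATH_LISTS = ("ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths")


def parse_service_section(text):
    """Parse [Service] with systemd assignment semantics: path lists and
    Exec*= accumulate across repeated keys, an empty value resets them
    (the `ExecStart=` then `ExecStart=...` idiom), scalars keep the last value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in PATH_LISTS:
            if value == "":
                conf[key] = []
            else:  # space-separated paths; drop the "-"/"+" modifiers
                conf.setdefault(key, []).extend(p.lstrip("-+") for p in value.split())
        elif key.startswith("Exec"):
            conf[key] = [] if value == "" else conf.get(key, []) + [value]
        else:
            conf[key] = value
    return conf


def _under(path, prefix):
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def sandbox_rules(conf):
    """(prefix, mode) rules; mode is 'rw', 'ro' or 'none'. ReadWritePaths
    come last so they win ties against ReadOnlyPaths of equal length."""
    rules = [(p, "ro") for p in PROTECT_SYSTEM_RO.get(conf.get("ProtectSystem", "no"), ())]
    if conf.get("ProtectSystem") == "strict":
        rules += [(p, "rw") for p in API_FS]
    rules += [(p, "ro") for p in conf.get("ReadOnlyPaths", [])]
    rules += [(p, "none") for p in conf.get("InaccessiblePaths", [])]
    rules += [(p, "rw") for p in conf.get("ReadWritePaths", [])]
    return rules


def expected_mode(conf, path):
    """Most specific (longest) matching rule wins; no rule at all means 'rw'."""
    best = ("", "rw")
    for prefix, mode in sandbox_rules(conf):
        if _under(path, prefix) and len(prefix.rstrip("/")) >= len(best[0].rstrip("/")):
            best = (prefix, mode)
    return best[1]


def parse_findmnt(text):
    """Parse `findmnt -rno TARGET,OPTIONS` lines into [(target, {options})]."""
    return [(p[0], set(p[1].split(","))) for p in (l.split() for l in text.splitlines()) if len(p) >= 2]


def actual_mode(mounts, path):
    """Mode of the mount backing PATH (longest TARGET prefix), or None."""
    best = None
    for target, opts in mounts:
        if _under(path, target) and (best is None or len(target) > len(best[0])):
            best = (target, opts)
    return None if best is None else ("ro" if "ro" in best[1] else "rw")


def check(conf, mounts, paths):
    """{path: (expected, actual)} for every path whose mode inside the sandbox differs."""
    return {p: (expected_mode(conf, p), actual_mode(mounts, p))
            for p in paths if expected_mode(conf, p) != actual_mode(mounts, p)}


def lint(conf):
    """Warn about the directive combinations discussed in the thread."""
    out, strict = [], conf.get("ProtectSystem") == "strict"
    private_dev = conf.get("PrivateDevices", "no").lower() in ("yes", "true", "on", "1")
    for p in conf.get("ReadWritePaths", []):
        if private_dev and _under(p, "/dev"):
            out.append(f"{p}: PrivateDevices=yes gives the service a private /dev holding only "
                       "pseudo-devices such as /dev/null and /dev/random; this node is not there")
        elif strict and any(_under(p, a) for a in API_FS):
            out.append(f"{p}: redundant, ProtectSystem=strict leaves /dev, /proc and /sys untouched")
    return out


# Michael's override as posted; both mount tables are constructed samples.
OVERRIDE = """\
[Service]
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

ProtectSystem=strict
ReadWritePaths=/var/log
ReadWritePaths=/var/spool/rsyslog
ReadWritePaths=/proc/kmsg

ExecStart=
ExecStart=/usr/bin/strace -f -o /var/log/strace /usr/sbin/rsyslogd -n
"""
FINDMNT_OK = """\
/ ro,relatime
/dev rw,nosuid,relatime
/proc rw,nosuid,nodev,noexec,relatime
/sys rw,nosuid,nodev,noexec,relatime
/tmp rw,nosuid,nodev,relatime
/var/log rw,relatime
/var/spool/rsyslog rw,relatime
"""
FINDMNT_BAD = """\
/ ro,relatime
/dev rw,nosuid,relatime
/proc rw,nosuid,nodev,noexec,relatime
/sys rw,nosuid,nodev,noexec,relatime
/tmp rw,nosuid,nodev,relatime
"""
CHECKED = ["/var/log/strace", "/var/spool/rsyslog", "/proc/kmsg", "/etc/rsyslog.conf"]

if __name__ == "__main__":
    conf = parse_service_section(OVERRIDE)
    print("ExecStart after reset:", conf["ExecStart"])
    for w in lint(conf):
        print("warning:", w)
    print("ok table :", check(conf, parse_findmnt(FINDMNT_OK), CHECKED))
    print("bad table:", check(conf, parse_findmnt(FINDMNT_BAD), CHECKED))
```

To use it against a real unit, add `ExecStartPre=/usr/bin/findmnt -rno TARGET,OPTIONS` to the drop-in, copy the lines from the journal into a file, and feed that file plus the drop-in to `check()`. A mismatch on /var/log/strace with expected `rw` and actual `ro` is exactly the symptom Mantas describes; an empty result means the mounts are as intended and the failure is elsewhere, for instance the /dev/kmsg versus PrivateDevices= conflict that `lint()` flags if imkmsg's device were listed.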