[systemd-devel] [PATCH v2] journald: add CAP_MAC_OVERRIDE in journald for SMACK issue
Lennart Poettering
lennart at poettering.net
Wed Oct 22 10:12:42 PDT 2014
On Thu, 11.09.14 16:06, Juho Son (juho80.son at samsung.com) wrote:
> systemd-journald checks the cgroup id to support the rate limit option for
> every message, so journald should be able to access the cgroup node of
> each process that sends messages to journald.
> In a system using SMACK, the cgroup node in proc is assigned an execute label
> matching each process's execute label,
> so if journald does not want to be denied for every process, journald
> should have access rules for all processes' labels.
> That is too heavy, so we could give a special smack label to journald to get
> all access permissions:
> the '^' label.
> When assigning the '^' execute smack label to systemd-journald,
> systemd-journald needs the CAP_MAC_OVERRIDE capability to get that smack privilege.
>
> So I want to note this information and set the default capability for
> journald whether the system uses SMACK or not,
> because that capability affects only smack-enabled kernels.
Applied! Thanks!
> ---
> units/systemd-journald.service.in | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
> index 7013979..4de38fa 100644
> --- a/units/systemd-journald.service.in
> +++ b/units/systemd-journald.service.in
> @@ -20,7 +20,7 @@ Restart=always
> RestartSec=0
> NotifyAccess=all
> StandardOutput=null
> -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
> +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
> WatchdogSec=1min
>
> # Increase the default a bit in order to allow many simultaneous
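Review bot: The CAP_MAC_OVERRIDE entry appended to the CapabilityBoundingSet= line has no accompanying comment in the unit file, so the reason for it (journald reading each sender's cgroup node in proc while running with the '^' SMACK label) is recorded only in the commit message. Suggest a short comment above CapabilityBoundingSet= stating that the capability is needed for SMACK and is kept unconditionally because it has no effect on kernels without SMACK. Also worth stating in the message or a comment that this hunk only widens the bounding set; nothing in it assigns the '^' label to systemd-journald, so that step has to happen elsewhere.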
> --
> 1.9.1
>
>
Lennart
--
Lennart Poettering, Red Hat