[systemd-devel] how to debug failures when trying to lock down services

Mantas Mikulėnas grawity at gmail.com
Thu Nov 30 08:35:26 UTC 2017


On Thu, Nov 30, 2017 at 10:31 AM, Michael Biebl <mbiebl at gmail.com> wrote:

> 2017-11-30 6:52 GMT+01:00 Mantas Mikulėnas <grawity at gmail.com>:
> > On Thu, Nov 30, 2017 at 5:27 AM, Michael Biebl <mbiebl at gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> today I tried to lock down the rsyslog.service that I have on my system.
> >>
> >> For that I first created an override.conf that contained
> >>
> >> [Service]
> >> ProtectHome=yes
> >> PrivateTmp=yes
> >> PrivateDevices=yes
> >>
> >> ProtectSystem=strict
> >> ReadWritePaths=/var/log
> >> ReadWritePaths=/var/spool/rsyslog
> >> ReadWritePaths=/proc/kmsg
> >
> >
> > Are you using imklog or imkmsg? The latter would require the new
> > /dev/kmsg interface (which probably conflicts with PrivateDevices= above).
>
> I suspect it's related to ProtectSystem=strict, as with
> ProtectSystem=full rsyslog seems to start successfully. But this is
> just trial and error.

[…]
> Already tried
> ExecStart=
> ExecStart=/usr/bin/strace -f -o /var/log/strace /usr/sbin/rsyslogd -n
>
> but this didn't produce any /var/log/strace log file.
>
>
Then I'm guessing ProtectSystem=strict overrides ReadWritePaths and makes
/var/log read-only... I think I've seen other people have that problem
recently.

Take a look with `ExecStartPre=/usr/bin/findmnt`.

-- 
Mantas Mikulėnas <grawity at gmail.com>
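An added helper (not from the thread, and not rsyslog's or systemd's code): it collects the ReadWritePaths= entries from a drop-in and checks each one against a /proc/self/mountinfo dump captured from inside the service's mount namespace (the same view ExecStartPre=/usr/bin/findmnt gives), reporting which paths actually sit on a writable mount. The drop-in and the mountinfo lines are constructed sample input; in this sample only /var/log got its bind mount, so /var/spool/rsyslog comes back read-only.

```python
# Constructed drop-in with the thread's ReadWritePaths= lines (additive; an empty value resets).
OVERRIDE = """\
[Service]
ProtectSystem=strict
ReadWritePaths=/var/log
ReadWritePaths=/var/spool/rsyslog
ReadWritePaths=/proc/kmsg
"""

# Constructed mountinfo as seen inside the sandbox: root is ro, only /var/log is bind-mounted rw.
MOUNTINFO = """\
20 1 8:1 / / ro,relatime - ext4 /dev/sda1 rw
25 20 8:1 /var/log /var/log rw,relatime - ext4 /dev/sda1 rw
26 20 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
"""

def read_write_paths(unit_text):
    """Collect ReadWritePaths= values, honouring the reset-on-empty rule."""
    paths = []
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ReadWritePaths":
            if not value.strip():
                paths.clear()
            else:  # drop the optional '-'/'+' prefixes systemd allows
                paths.extend(p.lstrip("-+") for p in value.split())
    return paths

def parse_mountinfo(text):
    """Yield (mount_point, [mount options]); fields 5 and 6 of each line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6:
            yield f[4].replace("\\040", " "), f[5].split(",")

def mount_for(path, mounts):
    """Longest-prefix match: the mount that actually backs this path."""
    best = None
    for mp, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best

def check_paths(unit_text, mountinfo_text):
    """Map each ReadWritePaths= entry to True if its backing mount is rw."""
    mounts = list(parse_mountinfo(mountinfo_text))
    result = {}
    for p in read_write_paths(unit_text):
        m = mount_for(p, mounts)
        result[p] = m is not None and "ro" not in m[1]
    return result
```

An ExecStartPre= that copies /proc/self/mountinfo somewhere writable runs under the same sandboxing as ExecStart=, so it yields the table this helper expects.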