Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
systemd.1059
0003-journald-add-CAP_MAC_OVERRIDE-in-journald-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0003-journald-add-CAP_MAC_OVERRIDE-in-journald-for-SMACK-.patch of Package systemd.1059
From f2a474aea8f82fa9b695515d4590f4f3398358a7 Mon Sep 17 00:00:00 2001 From: Juho Son <juho80.son@samsung.com> Date: Thu, 11 Sep 2014 16:06:38 +0900 Subject: [PATCH] journald: add CAP_MAC_OVERRIDE in journald for SMACK issue systemd-journald check the cgroup id to support rate limit option for every messages. so journald should be available to access cgroup node in each process send messages to journald. In system using SMACK, cgroup node in proc is assigned execute label as each process's execute label. so if journald don't want to denied for every process, journald should have all of access rule for all process's label. It's too heavy. so we could give special smack label for journald te get all accesses's permission. '^' label. When assign '^' execute smack label to systemd-journald, systemd-journald need to add CAP_MAC_OVERRIDE capability to get that smack privilege. so I want to notice this information and set default capability to journald whether system use SMACK or not. because that capability affect to only smack enabled kernel --- units/systemd-journald.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git units/systemd-journald.service.in units/systemd-journald.service.in index 7013979..4de38fa 100644 --- units/systemd-journald.service.in +++ units/systemd-journald.service.in @@ -20,7 +20,7 @@ Restart=always RestartSec=0 NotifyAccess=all StandardOutput=null -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE WatchdogSec=1min # Increase the default a bit in order to allow many simultaneous -- 1.7.9.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor