projects / platform / upstream / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8f57132)
tizen-smack: Runs systemd-journald with ^
authorCasey Schaufler <casey@schaufler-ca.com>
Fri, 20 Dec 2013 00:49:28 +0000 (16:49 -0800)
committerŁukasz Stelmach <l.stelmach@samsung.com>
Fri, 24 Feb 2017 15:08:14 +0000 (16:08 +0100)
Run systemd-journald with the hat ("^") Smack label.

The journal daemon needs global read access to gather information
about the services spawned by systemd. The hat label is intended
for this purpose. The journal daemon is the only part of the
System domain that needs read access to the User domain. Giving
the journal daemon the hat label means that we can remove the
System domain's read access to the User domain.

Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370
Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
units/systemd-journald.service.in patch | blob | history

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 08ace8a..f3f34e1 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -21,6 +21,7 @@ Restart=always
 RestartSec=0
 NotifyAccess=all
 StandardOutput=null
+SmackProcessLabel=^
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
 WatchdogSec=3min
 FileDescriptorStoreMax=1024
Domain: System / System Framework;