Change the daemon to be non-root

author Sungbae Yoo <sungbae.yoo@samsung.com>

Thu, 3 May 2018 04:30:58 +0000 (13:30 +0900)

committer Sungbae Yoo <sungbae.yoo@samsung.com>

Thu, 3 May 2018 04:31:34 +0000 (13:31 +0900)
author Sungbae Yoo <sungbae.yoo@samsung.com>
Thu, 3 May 2018 04:30:58 +0000 (13:30 +0900)
committer Sungbae Yoo <sungbae.yoo@samsung.com>
Thu, 3 May 2018 04:31:34 +0000 (13:31 +0900)
diff --git a/packaging/audit-trail.spec b/packaging/audit-trail.spec

index 99bee3e0eaf8694c271f7b16389c0d0cc10500e9..5e0f677eca6283a5cb89108c04e096d2fc609d53 100755 (executable)
--- a/packaging/audit-trail.spec
+++ b/packaging/audit-trail.spec
@@ -13,7 +13,7 @@ BuildRequires: pkgconfig(glib-2.0)
  BuildRequires: pkgconfig(cynara-client)
  BuildRequires: pkgconfig(capi-base-common)
  
-%global service_user                   root
+%global service_user                   security_fw
  %global service_group                  security_fw
  %global service_smack_label            System
  
diff --git a/server/systemd/audit-trail.service.in b/server/systemd/audit-trail.service.in

index 2293ae940af51d79608cec7ddc1bb69c2a6480e7..04afc422bbf2a49cceb9350226a7aa4604377f40 100644 (file)
--- a/server/systemd/audit-trail.service.in
+++ b/server/systemd/audit-trail.service.in
@@ -6,11 +6,13 @@ Type=simple
  User=@SERVICE_USER@
  Group=@SERVICE_GROUP@
  SmackProcessLabel=@SERVICE_SMACK_LABEL@
-ExecStart=@BIN_DIR@/@PROJECT_NAME@-daemon -o 5000
+ExecStart=@BIN_DIR@/@PROJECT_NAME@-daemon
  Restart=on-failure
  ExecReload=/bin/kill -HUP $MAINPID
  CapabilityBoundingSet=~CAP_MAC_ADMIN
  CapabilityBoundingSet=~CAP_MAC_OVERRIDE
+Capabilities=cap_audit_control,cap_audit_write=i
+SecureBits=keep-caps
  
  [Install]
  WantedBy=multi-user.target
author	Sungbae Yoo <sungbae.yoo@samsung.com>
	Thu, 3 May 2018 04:30:58 +0000 (13:30 +0900)
committer	Sungbae Yoo <sungbae.yoo@samsung.com>
	Thu, 3 May 2018 04:31:34 +0000 (13:31 +0900)
packaging/audit-trail.spec		patch \| blob \| history
server/systemd/audit-trail.service.in		patch \| blob \| history