# Run systemd-journald with the hat ("^") Smack label.
#
# The journal daemon needs global read access to gather information
# about the services spawned by systemd. The hat label is intended
# for this purpose. The journal daemon is the only part of the
# System domain that needs read access to the User domain. Giving
# the journal daemon the hat label means that we can remove the
# System domain's read access to the User domain and we can avoid
# hard-coding a specific label name for that domain.
#
# Original author: Casey Schaufler <casey@schaufler-ca.com>
#
# This is considered a configuration change and thus distro specific.
[Service]
SmackProcessLabel=^