From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Thu, 19 Dec 2013 16:49:28 -0800 Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^ Run systemd-journald with the hat ("^") Smack label. The journal daemon needs global read access to gather information about the services spawned by systemd. The hat label is intended for this purpose. The journal daemon is the only part of the System domain that needs read access to the User domain. Giving the journal daemon the hat label means that we can remove the System domain's read access to the User domain. Upstream-Status: Inappropriate [configuration] Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370 Signed-off-by: Casey Schaufler --- units/systemd-journald.service.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index a3540c6..745dd84 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -20,8 +20,10 @@ Restart=always RestartSec=0 NotifyAccess=all StandardOutput=null +SmackProcessLabel=^ -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE WatchdogSec=1min +FileDescriptorStoreMax=1024 # Increase the default a bit in order to allow many simultaneous # services being run since we keep one fd open per service. -- 1.8.4.5