blob: dd2c6542ed1281f0159811e27fcb58bba3a023b7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001
From: Casey Schaufler <casey@schaufler-ca.com>
Date: Thu, 19 Dec 2013 16:49:28 -0800
Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^
Run systemd-journald with the hat ("^") Smack label.
The journal daemon needs global read access to gather information
about the services spawned by systemd. The hat label is intended
for this purpose. The journal daemon is the only part of the
System domain that needs read access to the User domain. Giving
the journal daemon the hat label means that we can remove the
System domain's read access to the User domain.
Upstream-Status: Inappropriate [configuration]
Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370
Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
---
units/systemd-journald.service.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index a3540c6..745dd84 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -20,8 +20,10 @@ Restart=always
RestartSec=0
NotifyAccess=all
StandardOutput=null
+SmackProcessLabel=^
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
WatchdogSec=1min
+FileDescriptorStoreMax=1024
# Increase the default a bit in order to allow many simultaneous
# services being run since we keep one fd open per service.
--
1.8.4.5
|
