authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2015-01-18 15:05:40 -0500
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2015-01-22 01:14:53 -0500
commita48a62a1af02aec4473c9deed98dd5b89d210f93 (patch)
tree6430c67afb3521718a43cce66be9def85bd8664b
parent50d9e46dbb8400d4570781728c63b151d9ca982b (diff)
tmpfiles: use ACL magic on journal directories
-rw-r--r--README11
-rw-r--r--configure.ac1
-rw-r--r--tmpfiles.d/systemd.conf.m48
3 files changed, 12 insertions, 8 deletions
diff --git a/README b/README
index fa95433ecb..c72209262e 100644
--- a/README
+++ b/README
@@ -178,14 +178,9 @@ USERS AND GROUPS:
During runtime, the journal daemon requires the
"systemd-journal" system group to exist. New journal files will
be readable by this group (but not writable), which may be used
- to grant specific users read access.
-
- It is also recommended to grant read access to all journal
- files to the system groups "wheel" and "adm" with a command
- like the following in the post installation script of the
- package:
-
- # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+ to grant specific users read access. In addition, system
+ groups "wheel" and "adm" will be given read-only access to
+ journal files using systemd-tmpfiles.service.
The journal gateway daemon requires the
"systemd-journal-gateway" system user and group to
diff --git a/configure.ac b/configure.ac
index 18a439eb59..6bd095cf33 100644
--- a/configure.ac
+++ b/configure.ac
@@ -666,6 +666,7 @@ if test "x${have_acl}" != xno ; then
if test "x$have_acl" = xyes ; then
ACL_LIBS="-lacl"
AC_DEFINE(HAVE_ACL, 1, [ACL available])
+ M4_DEFINES="$M4_DEFINES -DHAVE_ACL"
else
have_acl=no
fi
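Review bot: Nothing on the new `M4_DEFINES` line records that it makes the wheel/adm journal ACLs in tmpfiles.d/systemd.conf.m4 a build-time choice, while the README text in the same commit states the access unconditionally. A build configured without ACL support would presumably emit no ACL entries, leaving those groups without read access and giving no indication of it. I would add a comment above the line, for example `# exported to m4: tmpfiles.d/systemd.conf.m4 emits the journal ACL entries only when HAVE_ACL is defined`, and qualify the README sentence with "when built with ACL support". The outer `if test "x${have_acl}" != xno` block closes outside this hunk, and whether `M4_DEFINES` reaches the m4 invocation is not visible here.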
diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
index ad05f43334..b447b01f58 100644
--- a/tmpfiles.d/systemd.conf.m4
+++ b/tmpfiles.d/systemd.conf.m4
@@ -26,9 +26,17 @@ d /run/log 0755 root root -
z /run/log/journal 2755 root systemd-journal - -
Z /run/log/journal/%m ~2750 root systemd-journal - -
+m4_ifdef(`HAVE_ACL',``
+a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
+A+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+'')m4_dnl
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -
+m4_ifdef(`HAVE_ACL',``
+a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
+A+ /var/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+'')m4_dnl
d /var/lib/systemd 0755 root root -
d /var/lib/systemd/coredump 0755 root root 3d
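Review bot: The recursive `A+` entries for `/run/log/journal/%m` and `/var/log/journal/%m` apply `group:adm:r-x,group:wheel:r-x` to everything below the directory, so regular journal files get the execute bit as well as read. Reading needs only `r--` on the files, and `r-x` is needed only on the directories for traversal, but one recursive entry cannot express both. I would at least document the choice above each block, for example `# A+ recurses, so existing journal files also get r-x; the a+ line sets the default ACL for newly created files`. A second comment should state that these entries give every member of adm and wheel read access to all system logs, since that was previously an opt-in packaging step and now happens on any build with HAVE_ACL.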