author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2015-01-18 15:05:40 -0500 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2015-01-22 01:14:53 -0500 |
commit | a48a62a1af02aec4473c9deed98dd5b89d210f93 (patch) | |
tree | 6430c67afb3521718a43cce66be9def85bd8664b | |
parent | 50d9e46dbb8400d4570781728c63b151d9ca982b (diff) |
tmpfiles: use ACL magic on journal directories
-rw-r--r-- | README | 11 | ||||
-rw-r--r-- | configure.ac | 1 | ||||
-rw-r--r-- | tmpfiles.d/systemd.conf.m4 | 8 |
3 files changed, 12 insertions, 8 deletions
@@ -178,14 +178,9 @@ USERS AND GROUPS: During runtime, the journal daemon requires the "systemd-journal" system group to exist. New journal files will be readable by this group (but not writable), which may be used - to grant specific users read access. - - It is also recommended to grant read access to all journal - files to the system groups "wheel" and "adm" with a command - like the following in the post installation script of the - package: - - # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ + to grant specific users read access. In addition, system + groups "wheel" and "adm" will be given read-only access to + journal files using systemd-tmpfiles.service. The journal gateway daemon requires the "systemd-journal-gateway" system user and group to diff --git a/configure.ac b/configure.ac index 18a439eb59..6bd095cf33 100644 --- a/configure.ac +++ b/configure.ac @@ -666,6 +666,7 @@ if test "x${have_acl}" != xno ; then if test "x$have_acl" = xyes ; then ACL_LIBS="-lacl" AC_DEFINE(HAVE_ACL, 1, [ACL available]) + M4_DEFINES="$M4_DEFINES -DHAVE_ACL" else have_acl=no fi diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4 index ad05f43334..b447b01f58 100644 --- a/tmpfiles.d/systemd.conf.m4 +++ b/tmpfiles.d/systemd.conf.m4 @@ -26,9 +26,17 @@ d /run/log 0755 root root - z /run/log/journal 2755 root systemd-journal - - Z /run/log/journal/%m ~2750 root systemd-journal - - +m4_ifdef(`HAVE_ACL',`` +a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x +A+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x +'')m4_dnl z /var/log/journal 2755 root systemd-journal - - z /var/log/journal/%m 2755 root systemd-journal - - +m4_ifdef(`HAVE_ACL',`` +a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x +A+ /var/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x +'')m4_dnl d /var/lib/systemd 0755 root root - d /var/lib/systemd/coredump 0755 root root 3d |
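Review bot: In the tmpfiles.d/systemd.conf.m4 hunk, the recursive `A+` entries apply `group:adm:r-x,group:wheel:r-x` to everything under the `%m` directories, so regular journal files would presumably receive the execute bit along with read, which is wider than the "read-only access" the README text in this commit describes. It would be worth confirming how `A+` treats regular files and, if the entry is applied unchanged, restricting files to `r--` while keeping `r-x` for directories. The ACL lines are also dropped without notice when `HAVE_ACL` is undefined, while the README now states the access unconditionally and no longer mentions the manual `setfacl` step. A comment above each `m4_ifdef`, for example `# adm and wheel get read access to the journal via ACLs; only emitted when built with ACL support`, would tell administrators that journal access is widened by default and under which build condition. This applies equally to the `/run/log/journal/%m` and `/var/log/journal/%m` pairs.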