mirror of
https://github.com/systemd/systemd.git
synced 2024-11-04 13:51:24 +03:00
f2a474aea8
systemd-journald check the cgroup id to support rate limit option for every messages. so journald should be available to access cgroup node in each process send messages to journald. In system using SMACK, cgroup node in proc is assigned execute label as each process's execute label. so if journald don't want to denied for every process, journald should have all of access rule for all process's label. It's too heavy. so we could give special smack label for journald te get all accesses's permission. '^' label. When assign '^' execute smack label to systemd-journald, systemd-journald need to add CAP_MAC_OVERRIDE capability to get that smack privilege. so I want to notice this information and set default capability to journald whether system use SMACK or not. because that capability affect to only smack enabled kernel
29 lines
1.0 KiB
SYSTEMD
29 lines
1.0 KiB
SYSTEMD
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Journal Service
|
|
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
|
|
DefaultDependencies=no
|
|
Requires=systemd-journald.socket
|
|
After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket
|
|
Before=sysinit.target
|
|
|
|
[Service]
|
|
Sockets=systemd-journald.socket systemd-journald-dev-log.socket
|
|
ExecStart=@rootlibexecdir@/systemd-journald
|
|
Restart=always
|
|
RestartSec=0
|
|
NotifyAccess=all
|
|
StandardOutput=null
|
|
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
|
|
WatchdogSec=1min
|
|
|
|
# Increase the default a bit in order to allow many simultaneous
|
|
# services being run since we keep one fd open per service.
|
|
LimitNOFILE=16384
|