From: Zbigniew Jędrzejewski-Szmek Date: Sun, 18 Jan 2015 20:05:40 +0000 (-0500) Subject: tmpfiles: use ACL magic on journal directories X-Git-Tag: v219~369 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=a48a62a1af02aec4473c9deed98dd5b89d210f93 tmpfiles: use ACL magic on journal directories --- diff --git a/README b/README index fa95433ec..c72209262 100644 --- a/README +++ b/README @@ -178,14 +178,9 @@ USERS AND GROUPS: During runtime, the journal daemon requires the "systemd-journal" system group to exist. New journal files will be readable by this group (but not writable), which may be used - to grant specific users read access. - - It is also recommended to grant read access to all journal - files to the system groups "wheel" and "adm" with a command - like the following in the post installation script of the - package: - - # setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ + to grant specific users read access. In addition, system + groups "wheel" and "adm" will be given read-only access to + journal files using systemd-tmpfiles.service. The journal gateway daemon requires the "systemd-journal-gateway" system user and group to diff --git a/configure.ac b/configure.ac index 18a439eb5..6bd095cf3 100644 --- a/configure.ac +++ b/configure.ac @@ -666,6 +666,7 @@ if test "x${have_acl}" != xno ; then if test "x$have_acl" = xyes ; then ACL_LIBS="-lacl" AC_DEFINE(HAVE_ACL, 1, [ACL available]) + M4_DEFINES="$M4_DEFINES -DHAVE_ACL" else have_acl=no fi diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4 index ad05f4333..b447b01f5 100644 --- a/tmpfiles.d/systemd.conf.m4 +++ b/tmpfiles.d/systemd.conf.m4 
@@ -26,9 +26,17 @@ d /run/log 0755 root root - z /run/log/journal 2755 root systemd-journal - - Z /run/log/journal/%m ~2750 root systemd-journal - - +m4_ifdef(`HAVE_ACL',`` +a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x +A+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x +'')m4_dnl z /var/log/journal 2755 root systemd-journal - - z /var/log/journal/%m 2755 root systemd-journal - - +m4_ifdef(`HAVE_ACL',`` +a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x +A+ /var/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x +'')m4_dnl d /var/lib/systemd 0755 root root - d /var/lib/systemd/coredump 0755 root root 3d
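Review bot: In the README hunk (USERS AND GROUPS), the new sentence states unconditionally that "wheel" and "adm" will be given read-only access, but the tmpfiles.d lines that grant it sit inside m4_ifdef(`HAVE_ACL', ...), so a build without ACL support ships none of them. Since the same hunk removes the setfacl recommendation for package post-install scripts, a packager on such a build ends up with no access for those groups and nothing in the README to explain why. Suggest qualifying the sentence ("when built with ACL support") and keeping a short note on the manual setfacl fallback for builds without it. The name "systemd-tmpfiles.service" should also be checked against the tmpfiles unit that is actually installed.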
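Review bot: In the configure.ac hunk, the added line M4_DEFINES="$M4_DEFINES -DHAVE_ACL" only has an effect if M4_DEFINES is substituted and passed to the m4 invocation that processes tmpfiles.d/systemd.conf.m4, and neither is visible here. If that wiring is missing, the m4_ifdef in systemd.conf.m4 evaluates to nothing and the ACL entries are dropped silently, with no build error. Please confirm the variable reaches the .m4 rule (or add that in this patch) and consider printing whether the journal ACL entries were enabled in the configure summary.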
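Review bot: In the tmpfiles.d/systemd.conf.m4 hunk, the recursive "A+ ... group:adm:r-x,group:wheel:r-x" lines apply r-x to everything under /run/log/journal/%m and /var/log/journal/%m, which includes the journal files themselves, so adm and wheel get an execute bit on regular files although only read access is intended. The default entries on the "a+" lines (d:group:adm:r-x,d:group:wheel:r-x) have the same effect on files created later, subject to the creation mode. Suggest r-x for the directories and r-- for the files. Separately, the removed README command set the ACL on /var/log/journal/ itself, while these lines start at the %m subdirectory; that is harmless with the 2755 mode shown on the parent, but the commit message could state that the change in scope is intentional.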