fix systemd tmpfiles ACL warnings in daemon log

After systemd was upversioned as part of PIKE rebase, its tmpfiles configuration file changed. The new tmpfiles configuration (/usr/lib/tmpfiles/systemd.conf) introduced a few new ACLs that tries to give group "adm" access to log directories, but group "adm" doesn't exist in TC system. This patch fixed the warnings the same as the original by replacing group "adm" with "wrs_protected" in systemd tmpfiles configuration. Change-Id: I39972ed41b299be5a3b6482ec2fba176c0742ded Signed-off-by: Andy Ning <andy.ning@windriver.com>
2018-04-02 11:51:57 -04:00 · 2018-04-02 11:51:57 -04:00 · ae3017bd63
commit ae3017bd63
parent 6e66c1965b
7 changed files with 73 additions and 8 deletions
--- a/extended/systemd/centos/meta_patches/0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+++ b/extended/systemd/centos/meta_patches/0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
@ -1,8 +1,7 @@
 From e188f1148982166624ae72f8fac70775a2bc8d73 Mon Sep 17 00:00:00 2001
 From: Scott Little <scott.little@windriver.com>
 Date: Mon, 2 Oct 2017 17:53:00 -0400
-Subject: [PATCH 09/10] WRS:
- 0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+Subject: 0010-fix-ACL-warnings-from-systemd-tmpfiles-set.patch

 ---
 SPECS/systemd.spec | 1 +
@ -16,7 +15,7 @@ index 33f3128..a8e1846 100644
 Patch0503: 0503-Configure-journald-to-forward-to-syslog.patch
 Patch0504: 0504-Configure-journald-rate-limit.patch
 Patch0505: 0505-remove-id-sas-path-symlink.patch
-+Patch0506: 0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+Patch0506: 0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 
 %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
 
--- a/extended/systemd/centos/meta_patches/0011-Add-patch-for-moving-vartmp-to-tmpfs.patch
+++ b/extended/systemd/centos/meta_patches/0011-Add-patch-for-moving-vartmp-to-tmpfs.patch
@ -14,7 +14,7 @@ index a8e1846..e36e410 100644
@@ -545,6 +545,7 @@ Patch0503: 0503-Configure-journald-to-forward-to-syslog.patch
 Patch0504: 0504-Configure-journald-rate-limit.patch
 Patch0505: 0505-remove-id-sas-path-symlink.patch
- Patch0506: 0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+ Patch0506: 0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 +Patch0507: 0507-move-vartmp-to-tmpfs.patch
 
 %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
--- a/extended/systemd/centos/meta_patches/0012-Add-patch-for-restricting-tmpfs-size.patch
+++ b/extended/systemd/centos/meta_patches/0012-Add-patch-for-restricting-tmpfs-size.patch
@ -1,7 +1,7 @@
 From 508f3f3f6b114fe081cc2c0594912fd6451d1045 Mon Sep 17 00:00:00 2001
 From: Kam Nasim <kam.nasim@windriver.com>
 Date: Thu, 12 Oct 2017 18:22:33 -0400
-Subject: [PATCH] meta patch for restricting tmpfs size
+Subject: meta patch for restricting tmpfs size

 ---
 SPECS/systemd.spec | 1 +
@ -13,7 +13,7 @@ index 9e5ac92..66df00b 100644
 +++ b/SPECS/systemd.spec
@@ -462,6 +462,7 @@ Patch0504: 0504-Configure-journald-rate-limit.patch
 Patch0505: 0505-remove-id-sas-path-symlink.patch
- Patch0506: 0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+ Patch0506: 0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 Patch0507: 0507-move-vartmp-to-tmpfs.patch
 +Patch0508: 0508-set-a-1GB-size-restriction-on-tpmfs.patch
 
--- a/extended/systemd/centos/meta_patches/0013-fix-systemd-tmpfiles-ACL-warnings.patch
+++ b/extended/systemd/centos/meta_patches/0013-fix-systemd-tmpfiles-ACL-warnings.patch
@ -0,0 +1,24 @@
+From 9c5837d4d7a60653e418157e3a9552ddcc36d29e Mon Sep 17 00:00:00 2001
+From: Andy Ning <andy.ning@windriver.com>
+Date: Wed, 28 Mar 2018 14:20:39 -0400
+Subject: fix systemd tmpfiles ACL warnings
+
+---
+ SPECS/systemd.spec | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
+index 55e44a5..f1dea1e 100644
+--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
+@@ -547,6 +547,7 @@ Patch0505: 0505-remove-id-sas-path-symlink.patch
+ Patch0506: 0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+ Patch0507: 0507-move-vartmp-to-tmpfs.patch
+ Patch0508: 0508-set-a-1GB-size-restriction-on-tpmfs.patch
+Patch0509: 0509-fix-systemd-tmpfiles-ACL-warnings.patch
+ 
+ %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
+ 
+-- 
+1.8.3.1
+
--- a/extended/systemd/centos/meta_patches/PATCH_ORDER
+++ b/extended/systemd/centos/meta_patches/PATCH_ORDER
@ -5,6 +5,7 @@
 0007-Add-patch-for-journald-config.patch
 0008-Add-patch-for-journald-config-rate-limit.patch
 0009-Add-patch-to-remove-ID_SAS_PATH-rule.patch
-0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+0010-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 0011-Add-patch-for-moving-vartmp-to-tmpfs.patch
 0012-Add-patch-for-restricting-tmpfs-size.patch
+0013-fix-systemd-tmpfiles-ACL-warnings.patch
--- a/extended/systemd/centos/patches/0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+++ b/extended/systemd/centos/patches/0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
@ -1,7 +1,7 @@
 From 65c3c74fd119db0309d68430ed89652666c884d5 Mon Sep 17 00:00:00 2001
 From: systemd team <systemd-maint@redhat.com>
 Date: Tue, 10 Oct 2017 17:06:10 -0400
-Subject: [PATCH] CGTS-7466 fix ACL warnings from systemd tmpfiles set
+Subject: fix ACL warnings from systemd tmpfiles set

 ---
 tmpfiles.d/systemd.conf.m4 | 8 ++++----
--- a/extended/systemd/centos/patches/0509-fix-systemd-tmpfiles-ACL-warnings.patch
+++ b/extended/systemd/centos/patches/0509-fix-systemd-tmpfiles-ACL-warnings.patch
@ -0,0 +1,41 @@
+From be01680d0b1df9d88e173cd2ee3eb60295bcdd47 Mon Sep 17 00:00:00 2001
+From: Andy Ning <andy.ning@windriver.com>
+Date: Wed, 28 Mar 2018 14:06:57 -0400
+Subject: fix systemd tmpfiles ACL warnings
+
+systemd tmpfiles configuration file append ACLs to journal log
+directories/files to give access permissions to no-exist group "adm",
+causing systemd-tmpfiles-setup service to generate ACL parsing warnings.
+
+The patch fixed these warnings by replacing group "adm" with "wrs_protected".
+This also gives wrs_protected group members (including wrsroot) access to
+journal logs.
+
+Note: this issue has been fixed before PIKE rebase. After the rebase the
+original fix is no longer enough.
+---
+ tmpfiles.d/systemd.conf.m4 | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
+index d984912..cdf0bf1 100644
+--- a/tmpfiles.d/systemd.conf.m4
+++ b/tmpfiles.d/systemd.conf.m4
+@@ -35,11 +35,11 @@ z /var/log/journal 2755 root systemd-journal - -
+ z /var/log/journal/%m 2755 root systemd-journal - -
+ z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
+ m4_ifdef(`HAVE_ACL',``
+-a+ /var/log/journal    - - - - d:group:adm:r-x,d:group:wheel:r-x
+-a+ /var/log/journal    - - - - group:adm:r-x,group:wheel:r-x
+a+ /var/log/journal    - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x
+a+ /var/log/journal    - - - - group:wrs_protected:r-x,group:wheel:r-x
+ a+ /var/log/journal/%m - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x
+ a+ /var/log/journal/%m - - - - group:wrs_protected:r-x,group:wheel:r-x
+-a+ /var/log/journal/%m/system.journal - - - - group:adm:r--,group:wheel:r--
+a+ /var/log/journal/%m/system.journal - - - - group:wrs_protected:r--,group:wheel:r--
+ '')m4_dnl
+ 
+ d /var/lib/systemd 0755 root root -
+-- 
+1.8.3.1
+