Bug 1570359

Summary: RFE: convert systemd scriptlets to use systemd-tmpfiles and drop dependency on acl
Product: Fedora
Reporter: Tomasz Kłoczko <kloczko.tomasz>
Component: systemd
Assignee: systemd-maint
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dtardon, lnykryn, msekleta, s, systemd-maint, zbyszek
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-08-23 16:53:24 UTC
Type: Bug

Description Tomasz Kłoczko 2018-04-22 09:51:47 UTC
In a recent systemd release, the following has been added to %post:

# Apply ACL to the journal directory
setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || :

and the acl package has been added to Requires.
Looks like the systemd package is less and less flexible.
It not only requires the use of journald but now forces the use of a filesystem with ACLs enabled.

Comment 1 Tomasz Kłoczko 2018-04-22 09:56:54 UTC
Another aspect of this change is that, instead of adding such hacks in %post, rpm should be able to handle %acl() the same way as it is not possible to use %caps().
The method chosen to start using acl is IMO a kind of dirty hack. Any issues with the ACL will not be reported by "rpm -V systemd".

Comment 2 Zbigniew Jędrzejewski-Szmek 2018-04-23 06:52:47 UTC
systemd has been using ACLs for a long, long time (probably not from the very beginning, but since around the time journald was first introduced). Various systemd binaries link to libacl, so libacl (which is bigger) was already required. I guess we could avoid the dependency on acl by converting that scriptlet to call systemd-tmpfiles instead. I'd be happy to take a patch for that.
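As an added illustration of the conversion proposed above (not a patch from this bug or from the systemd package), the tmpfiles.d entries below declare the same ACLs as the setfacl call in the description; the path and groups are the ones from the report, and the file name is an assumption:

```conf
# /usr/lib/tmpfiles.d/journal-acl.conf  (file name is an assumption)
#
# Equivalent of:
#   setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
#
# "a+" adds ACL entries to the directory itself; "d:" marks a default
# (inherited) entry. "A+" is the recursive form, matching setfacl -R.
# systemd-tmpfiles adds the base owner/group entries and the mask itself.
a+ /var/log/journal    - - - - group:wheel:r-x
a+ /var/log/journal    - - - - d:group:wheel:r-x
a+ /var/log/journal    - - - - group:adm:r-x
a+ /var/log/journal    - - - - d:group:adm:r-x
A+ /var/log/journal/*  - - - - group:wheel:r-x,d:group:wheel:r-x,group:adm:r-x,d:group:adm:r-x

# The %post scriptlet then only needs:
#   systemd-tmpfiles --create journal-acl.conf &>/dev/null || :
# which needs no setfacl binary, so the acl dependency can be dropped, and
# the intended ACLs are recorded declaratively in a packaged file instead
# of only in a scriptlet.
```

Applying the fragment by hand with `systemd-tmpfiles --create journal-acl.conf` and inspecting the result with `getfacl /var/log/journal` lets you confirm the entries match the original setfacl invocation before changing the spec file.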

Comment 3 Tomasz Kłoczko 2018-04-23 08:54:15 UTC
I've not been asking whether systemd is using libacl or not.
I've been pointing at the growing list of dependencies :)
That is first.

Second thing. I've looked one more time at the setfacl params and it looks like it gives access to two groups, wheel and adm, to allow changing directory below /var/log/journal/.
I don't see anything which is using the adm group ATM.
IMO this setfacl can be dropped as it is only about access to the directories below. Something like root:wheel/750 should be OK.

Comment 4 Jan Synacek 2018-04-24 10:13:34 UTC
"Requires(post): acl" has been in the spec file since 2013.

Comment 5 Zbigniew Jędrzejewski-Szmek 2018-04-24 10:16:55 UTC
adm is a group traditionally used to give access to logs to "helper admins" and such. It doesn't have to be used internally in the distribution to be useful.

Comment 6 Tomasz Kłoczko 2018-04-24 11:54:36 UTC
> adm is a group traditionally used to give access to logs to "helper admins" and such.

Yes, traditionally, but on Solaris..
Just try to have a look at the content of /var/log; you will find that none of the files/directories are owned by the adm group.
In other words this facl "fixes" an imaginary issue.

Comment 7 Zbigniew Jędrzejewski-Szmek 2018-04-24 12:26:19 UTC
Seems to work here:
$ groups
guest
$ journalctl -b --system|wc
0 0 0
...
$ groups
guest adm
$ journalctl -b --system|wc
  32181  402852 4150713