Bug 1570359 - RFE: convert systemd scriptlets to use systemd-tmpfiles and drop dependency on acl
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2018-04-22 09:51 UTC by Tomasz Kłoczko
Modified: 2020-11-03 18:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug


Description Tomasz Kłoczko 2018-04-22 09:51:47 UTC
In the recent systemd release the following has been added in %post:

# Apply ACL to the journal directory
setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || :

and the acl package has been added to Requires.
Looks like the systemd package is less and less flexible.
It not only requires the use of journald but now forces the use of a filesystem with ACLs enabled.

Comment 1 Tomasz Kłoczko 2018-04-22 09:56:54 UTC
Another aspect of this change is that instead of adding such hacks in %post, rpm should be able to handle %acl() the same way as it is not possible to use %caps().
The method chosen to start using acl is IMO a kind of dirty hack. Any issues with the acl will not be reported by "rpm -V systemd".

Comment 2 Zbigniew Jędrzejewski-Szmek 2018-04-23 06:52:47 UTC
systemd has been using acls for a long, long time (probably not at the very beginning, but since around the time journald was first introduced). Various systemd binaries link to libacl, so libacl (which is bigger) was already required. I guess we could avoid the dependency on acl by converting that scriptlet to call systemd-tmpfiles instead. I'd be happy to take a patch for that.
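
As an added example (not code from this bug, the reporter, or the systemd project), the script below converts the setfacl specification quoted in the description into tmpfiles.d ACL lines of the kind Comment 2 suggests. The `a+` line type (and its recursive variant `A+`, the counterpart of setfacl's `-R`) and the field layout "type path mode user group age argument" are taken from tmpfiles.d(5); the long tag names and `r-x` permission rendering are the canonical acl(5) text form, which both setfacl and systemd-tmpfiles accept. `SCRIPTLET_SPEC` and `SCRIPTLET_PATH` are copied from the %post line in the bug; the function names and the grouping of one line per ACL subject are my own choices.

```python
"""Convert the setfacl call from the systemd %post scriptlet into tmpfiles.d lines.

Added example for this bug report; not part of systemd or of the Fedora package.
"""
import re

# setfacl short tags -> the long tag names of the acl(5) text form
_TAGS = {"u": "user", "user": "user",
         "g": "group", "group": "group",
         "m": "mask", "mask": "mask",
         "o": "other", "other": "other"}

# Path and -m argument exactly as they appear in the %post scriptlet quoted in the bug.
SCRIPTLET_PATH = "/var/log/journal/"
SCRIPTLET_SPEC = "g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx"


def _norm_perms(perms):
    """Normalise 'rx', 'r-x' or a single octal digit such as '5' to the canonical 'r-x' form."""
    if re.fullmatch(r"[0-7]", perms):
        n = int(perms)
        perms = ("r" if n & 4 else "") + ("w" if n & 2 else "") + ("x" if n & 1 else "")
    if not re.fullmatch(r"[rwx-]*", perms):
        raise ValueError(f"bad permission string: {perms!r}")
    return "".join(c if c in perms else "-" for c in "rwx")


def parse_entry(entry):
    """Parse one setfacl entry such as 'd:g:wheel:rx' into (is_default, tag, qualifier, perms)."""
    fields = entry.split(":")
    default = False
    if fields and fields[0] in ("d", "default"):
        default = True
        fields = fields[1:]
    if len(fields) != 3:
        raise ValueError(f"malformed ACL entry: {entry!r}")
    tag, qualifier, perms = fields
    if tag not in _TAGS:
        raise ValueError(f"unknown ACL tag in {entry!r}")
    return default, _TAGS[tag], qualifier, _norm_perms(perms)


def setfacl_to_tmpfiles(path, spec, recursive=False):
    """Return tmpfiles.d lines equivalent to `setfacl -m SPEC PATH` (or `-Rm` when recursive).

    Entries are grouped per subject (tag, qualifier) so each subject gets one line,
    with its default entry first; this is an assumed layout, not required by tmpfiles.d(5).
    """
    path = path.rstrip("/") or "/"
    by_subject = {}  # (tag, qualifier) -> ["d:tag:qual:perms", "tag:qual:perms", ...]
    for raw in spec.split(","):
        default, tag, qualifier, perms = parse_entry(raw.strip())
        text = f"{tag}:{qualifier}:{perms}"
        by_subject.setdefault((tag, qualifier), []).append("d:" + text if default else text)
    line_type = "A+" if recursive else "a+"  # A+ = recursive a+, per tmpfiles.d(5)
    lines = []
    for entries in by_subject.values():
        entries.sort(key=lambda e: not e.startswith("d:"))  # default entries first
        # mode, user, group and age are left as "-": only the ACL argument is set
        lines.append(f"{line_type} {path} - - - - {','.join(entries)}")
    return lines


def tmpfiles_fragment(path=SCRIPTLET_PATH, spec=SCRIPTLET_SPEC, recursive=False):
    """Render a complete tmpfiles.d fragment for the scriptlet's ACL."""
    header = "# ACL entries for the journal directory, converted from the %post setfacl call\n"
    return header + "\n".join(setfacl_to_tmpfiles(path, spec, recursive)) + "\n"


if __name__ == "__main__":
    print(tmpfiles_fragment(), end="")
```

Running the script prints a fragment that can be placed in a tmpfiles.d directory and applied with `systemd-tmpfiles --create`. Note what this does and does not change: the package no longer needs the acl tool at %post time, but the filesystem still has to support POSIX ACLs, and `rpm -V` still will not verify them (the point raised in Comment 1).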

Comment 3 Tomasz Kłoczko 2018-04-23 08:54:15 UTC
I've not been asking whether systemd is using libacl or not.
I've been pointing at the growing list of dependencies :)
That is the first thing.

Second thing. I've looked one more time at the setfacl params and it looks like it gives access to two groups, wheel and adm, to allow changing directory below /var/log/journal/.
I don't see anything which is using the adm group ATM.
IMO this setfacl can be dropped as it is only about access to the directories below. Something like root:wheel/750 should be OK.

Comment 4 Jan Synacek 2018-04-24 10:13:34 UTC
"Requires(post): acl" has been in the spec file since 2013.

Comment 5 Zbigniew Jędrzejewski-Szmek 2018-04-24 10:16:55 UTC
adm is a group traditionally used to give access to logs to "helper admins" and such. It doesn't have to be used internally in the distribution to be useful.

Comment 6 Tomasz Kłoczko 2018-04-24 11:54:36 UTC
> adm is a group traditionally used to give access to logs to "helper admins" and such.

Yes, traditionally, but on Solaris...
Just try to have a look at the content of /var/log; you will find that none of the files/directories are owned by the adm group.
In other words this facl "fixes" an imaginary issue.

Comment 7 Zbigniew Jędrzejewski-Szmek 2018-04-24 12:26:19 UTC
Seems to work here:
$ groups
$ journalctl -b --system|wc
0 0 0
$ groups
guest adm
$ journalctl -b --system|wc
  32181  402852 4150713
