From d428dd6ac9a56e7b3421fb8ef3aac9937a4a2e62 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Wed, 4 May 2016 01:29:11 +0200
Subject: tmpfiles: don't set the x bit for volatile system journal when ACL
 support is enabled (#3079)

When ACL support is enabled, systemd-tmpfiles-setup service sets the following
ACL entries to the volatile system journal:

   $ getfacl /run/log/journal/*/system.journal
   getfacl: Removing leading '/' from absolute path names
   # file: run/log/journal/xxx/system.journal
   # owner: root
   # group: systemd-journal
   user::rwx
   group::r--
   group:wheel:r-x
   group:adm:r-x
   mask::r-x
   other::---

This patch makes sure that the exec bit is not set anymore for the volatile
system journals.
---
 tmpfiles.d/systemd.conf.m4 | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'tmpfiles.d')

diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
index 150dab1e5b..2cd58e9121 100644
--- a/tmpfiles.d/systemd.conf.m4
+++ b/tmpfiles.d/systemd.conf.m4
@@ -30,14 +30,17 @@ m4_ifdef(`HAVE_ACL',`m4_dnl
 m4_ifdef(`ENABLE_ADM_GROUP',`m4_dnl
 m4_ifdef(`ENABLE_WHEEL_GROUP',``
 a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
-A+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+a+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--,group:wheel:r--
 '',``
 a+ /run/log/journal/%m - - - - d:group:adm:r-x
-A+ /run/log/journal/%m - - - - group:adm:r-x
+a+ /run/log/journal/%m - - - - group:adm:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
 '')',`m4_dnl
 m4_ifdef(`ENABLE_WHEEL_GROUP',``
 a+ /run/log/journal/%m - - - - d:group:wheel:r-x
-A+ /run/log/journal/%m - - - - group:wheel:r-x
+a+ /run/log/journal/%m - - - - group:wheel:r-x
+a+ /run/log/journal/%m/*.journal* - - - - group:wheel:r--
 '')')')m4_dnl
 
 z /var/log/journal 2755 root systemd-journal - -
-- 
cgit v1.2.1