On Tue, Jul 19, 2022, at 12:24 PM, Lennart Poettering wrote:
> by something like this:
> <snip>
> ExecStart=/usr/bin/systemd-tmpfiles --create -
> StandardInputText=f /run/sysctl.d/01-coreos-printk.conf - - - - kernel.printk 4
> </snip>
> Benefits: no shell, single process forked, no explicit selinux stuff,
> or explicit mkdir, and other MACs will be honoured too if they exist.
Unfortunately doesn't work today since:
[ 243.300955] audit: type=1400 audit(1658251774.506:317): avc: denied { getattr } for pid=1801 comm="systemd-sysctl" path="/run/sysctl.d/01-coreos-printk.conf" dev="tmpfs" ino=934 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
But yes, I will look at getting that added to policy.
(FTR there was also a missing `=` in the sysctl text)
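Added example, not from the thread or from systemd: a small parser for the AVC denial quoted above, which pulls out the source and target types, the denied permission, and whether the box was permissive (permissive=1 means the access went through and was only logged; under enforcing it would fail), and renders the audit2allow-style rule the denial maps to. The sample log line is constructed from the message above.

```python
import re

# Constructed sample, copied from the denial quoted in the thread (not a live capture).
SAMPLE_AVC = (
    '[ 243.300955] audit: type=1400 audit(1658251774.506:317): avc: denied { getattr } for '
    'pid=1801 comm="systemd-sysctl" path="/run/sysctl.d/01-coreos-printk.conf" dev="tmpfs" ino=934 '
    'scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=file permissive=1'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one SELinux AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        # permissive=1: the kernel logged the denial but let the access succeed.
        'permissive': fields.get('permissive') == '1',
    }
    for key in ('scontext', 'tcontext', 'tclass', 'comm', 'path', 'pid'):
        rec[key] = fields.get(key)
    # A context is user:role:type[:range]; policy rules are written against the type.
    rec['stype'] = rec['scontext'].split(':')[2] if rec['scontext'] else None
    rec['ttype'] = rec['tcontext'].split(':')[2] if rec['tcontext'] else None
    return rec


def allow_rule(rec):
    """Render the record as the audit2allow-style allow rule it corresponds to.

    Whether the right fix is this rule or labelling the file with a type the
    domain may already read is a policy decision, not something the log decides.
    """
    return 'allow %s %s:%s { %s };' % (rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))


def parse_log(lines):
    """Return the parsed AVC records from a batch of log lines, skipping everything else."""
    return [r for r in (parse_avc(l) for l in lines) if r is not None]


if __name__ == '__main__':
    for rec in parse_log([SAMPLE_AVC, 'kernel: unrelated line']):
        print(rec['comm'], rec['path'], 'permissive' if rec['permissive'] else 'enforced', allow_rule(rec))
```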