From f4665664c4ff69a3666fabc220535fced1544fa8 Mon Sep 17 00:00:00 2001
From: Guillaume Douézan-Grard
Date: Sun, 1 Mar 2020 21:43:24 +0100
Subject: units: disable ProtectKernelLogs for machined

machined needs access to the host mount namespace to propagate bind mounts created with the "machinectl bind" command. However, the "ProtectKernelLogs" directive relies on mount namespaces to make the kernel ring buffer inaccessible. This commit removes the "ProtectKernelLogs=yes" directive from machined service file introduced in 6168ae5. Closes #14559.
---
 units/systemd-machined.service.in | 1 -
 1 file changed, 1 deletion(-)
(limited to 'units/systemd-machined.service.in')

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index fa344d487d..3db0281f81 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -24,7 +24,6 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 ProtectHostname=yes
-ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native
-- 
cgit v1.2.3