From ae3017bd6352111e8794a81e0c7cd44e31da8c84 Mon Sep 17 00:00:00 2001
From: Andy Ning
Date: Mon, 2 Apr 2018 11:51:57 -0400
Subject: [PATCH] fix systemd tmpfiles ACL warnings in daemon log
After systemd was upversioned as part of PIKE rebase, its tmpfiles configuration file changed. The new tmpfiles configuration (/usr/lib/tmpfiles/systemd.conf) introduced a few new ACLs that tries to give group "adm" access to log directories, but group "adm" doesn't exist in TC system. This patch fixed the warnings the same as the original by replacing group "adm" with "wrs_protected" in systemd tmpfiles configuration.
Change-Id: I39972ed41b299be5a3b6482ec2fba176c0742ded
Signed-off-by: Andy Ning
---
 ...L-warnings-from-systemd-tmpfiles-set.patch | 5 +--
 ...Add-patch-for-moving-vartmp-to-tmpfs.patch | 2 +-
 ...Add-patch-for-restricting-tmpfs-size.patch | 4 +-
 ...13-fix-systemd-tmpfiles-ACL-warnings.patch | 24 +++++++++++
 .../systemd/centos/meta_patches/PATCH_ORDER | 3 +-
 ...L-warnings-from-systemd-tmpfiles-set.patch | 2 +-
 ...09-fix-systemd-tmpfiles-ACL-warnings.patch | 41 +++++++++++++++++++
 7 files changed, 73 insertions(+), 8 deletions(-)
 create mode 100644 extended/systemd/centos/meta_patches/0013-fix-systemd-tmpfiles-ACL-warnings.patch
 create mode 100644 extended/systemd/centos/patches/0509-fix-systemd-tmpfiles-ACL-warnings.patch
diff --git a/extended/systemd/centos/meta_patches/0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch b/extended/systemd/centos/meta_patches/0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
index 7e2c3dff8..e87521fb1 100644
--- a/extended/systemd/centos/meta_patches/0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+++ b/extended/systemd/centos/meta_patches/0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
@@ -1,8 +1,7 @@
 From e188f1148982166624ae72f8fac70775a2bc8d73 Mon Sep 17 00:00:00 2001
From: Scott Little
 Date: Mon, 2 Oct 2017 17:53:00 -0400
-Subject: [PATCH 09/10] WRS:
- 0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+Subject: 0010-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 ---
 SPECS/systemd.spec | 1 +
@@ -16,7 +15,7 @@ index 33f3128..a8e1846 100644
 Patch0503: 0503-Configure-journald-to-forward-to-syslog.patch
 Patch0504: 0504-Configure-journald-rate-limit.patch
 Patch0505: 0505-remove-id-sas-path-symlink.patch
-+Patch0506: 0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
++Patch0506: 0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
diff --git a/extended/systemd/centos/meta_patches/0011-Add-patch-for-moving-vartmp-to-tmpfs.patch b/extended/systemd/centos/meta_patches/0011-Add-patch-for-moving-vartmp-to-tmpfs.patch
index 108b616b0..37abec7e6 100644
--- a/extended/systemd/centos/meta_patches/0011-Add-patch-for-moving-vartmp-to-tmpfs.patch
+++ b/extended/systemd/centos/meta_patches/0011-Add-patch-for-moving-vartmp-to-tmpfs.patch
@@ -14,7 +14,7 @@ index a8e1846..e36e410 100644
 @@ -545,6 +545,7 @@ Patch0503: 0503-Configure-journald-to-forward-to-syslog.patch
 Patch0504: 0504-Configure-journald-rate-limit.patch
 Patch0505: 0505-remove-id-sas-path-symlink.patch
- Patch0506: 0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+ Patch0506: 0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 +Patch0507: 0507-move-vartmp-to-tmpfs.patch
 %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
diff --git a/extended/systemd/centos/meta_patches/0012-Add-patch-for-restricting-tmpfs-size.patch b/extended/systemd/centos/meta_patches/0012-Add-patch-for-restricting-tmpfs-size.patch
index 9b89c3b5c..375e7f11c 100644
--- a/extended/systemd/centos/meta_patches/0012-Add-patch-for-restricting-tmpfs-size.patch
+++ b/extended/systemd/centos/meta_patches/0012-Add-patch-for-restricting-tmpfs-size.patch
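Review bot: The references are renamed but the files they point at do not appear to be. The second hunk of the 0010 meta patch changes the spec entry to `0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch`, and the PATCH_ORDER hunk further down lists `0010-fix-ACL-warnings-from-systemd-tmpfiles-set.patch`, while the `diff --git` headers in this same commit still show both files under their `0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch` and `0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch` names, and the summary lists no rename. Unless the files are renamed in another change, the build would either stop on the missing patch or, if the tooling tolerates it, leave the earlier journal ACL fix unapplied. Renaming the two files in this commit with `git mv` would keep the patch queue and its index in step; the 0011 and 0012 meta-patch hunks carry the same renamed reference.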
@@ -1,7 +1,7 @@
 From 508f3f3f6b114fe081cc2c0594912fd6451d1045 Mon Sep 17 00:00:00 2001
 From: Kam Nasim
 Date: Thu, 12 Oct 2017 18:22:33 -0400
-Subject: [PATCH] meta patch for restricting tmpfs size
+Subject: meta patch for restricting tmpfs size
 ---
 SPECS/systemd.spec | 1 +
@@ -13,7 +13,7 @@ index 9e5ac92..66df00b 100644
 +++ b/SPECS/systemd.spec
 @@ -462,6 +462,7 @@ Patch0504: 0504-Configure-journald-rate-limit.patch
 Patch0505: 0505-remove-id-sas-path-symlink.patch
- Patch0506: 0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+ Patch0506: 0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 Patch0507: 0507-move-vartmp-to-tmpfs.patch
 +Patch0508: 0508-set-a-1GB-size-restriction-on-tpmfs.patch
diff --git a/extended/systemd/centos/meta_patches/0013-fix-systemd-tmpfiles-ACL-warnings.patch b/extended/systemd/centos/meta_patches/0013-fix-systemd-tmpfiles-ACL-warnings.patch
new file mode 100644
index 000000000..5bdcdc321
--- /dev/null
+++ b/extended/systemd/centos/meta_patches/0013-fix-systemd-tmpfiles-ACL-warnings.patch
@@ -0,0 +1,24 @@
+From 9c5837d4d7a60653e418157e3a9552ddcc36d29e Mon Sep 17 00:00:00 2001
+From: Andy Ning
+Date: Wed, 28 Mar 2018 14:20:39 -0400
+Subject: fix systemd tmpfiles ACL warnings
+
+---
+ SPECS/systemd.spec | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
+index 55e44a5..f1dea1e 100644
+--- a/SPECS/systemd.spec
++++ b/SPECS/systemd.spec
+@@ -547,6 +547,7 @@ Patch0505: 0505-remove-id-sas-path-symlink.patch
+ Patch0506: 0506-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+ Patch0507: 0507-move-vartmp-to-tmpfs.patch
+ Patch0508: 0508-set-a-1GB-size-restriction-on-tpmfs.patch
++Patch0509: 0509-fix-systemd-tmpfiles-ACL-warnings.patch
+
+ %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
+
+--
+1.8.3.1
+
diff --git a/extended/systemd/centos/meta_patches/PATCH_ORDER b/extended/systemd/centos/meta_patches/PATCH_ORDER
index 092239b06..85b292fe3 100644
--- a/extended/systemd/centos/meta_patches/PATCH_ORDER
+++ b/extended/systemd/centos/meta_patches/PATCH_ORDER
@@ -5,6 +5,7 @@
 0007-Add-patch-for-journald-config.patch
 0008-Add-patch-for-journald-config-rate-limit.patch
 0009-Add-patch-to-remove-ID_SAS_PATH-rule.patch
-0010-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+0010-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
 0011-Add-patch-for-moving-vartmp-to-tmpfs.patch
 0012-Add-patch-for-restricting-tmpfs-size.patch
+0013-fix-systemd-tmpfiles-ACL-warnings.patch
diff --git a/extended/systemd/centos/patches/0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch b/extended/systemd/centos/patches/0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
index 2238eb2b4..17f33fd0e 100644
--- a/extended/systemd/centos/patches/0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
+++ b/extended/systemd/centos/patches/0506-CGTS-7466-fix-ACL-warnings-from-systemd-tmpfiles-set.patch
@@ -1,7 +1,7 @@
 From 65c3c74fd119db0309d68430ed89652666c884d5 Mon Sep 17 00:00:00 2001
 From: systemd team
 Date: Tue, 10 Oct 2017 17:06:10 -0400
-Subject: [PATCH] CGTS-7466 fix ACL warnings from systemd tmpfiles set
+Subject: fix ACL warnings from systemd tmpfiles set
 ---
 tmpfiles.d/systemd.conf.m4 | 8 ++++----
diff --git a/extended/systemd/centos/patches/0509-fix-systemd-tmpfiles-ACL-warnings.patch b/extended/systemd/centos/patches/0509-fix-systemd-tmpfiles-ACL-warnings.patch
new file mode 100644
index 000000000..7e36c388e
--- /dev/null
+++ b/extended/systemd/centos/patches/0509-fix-systemd-tmpfiles-ACL-warnings.patch
@@ -0,0 +1,41 @@
+From be01680d0b1df9d88e173cd2ee3eb60295bcdd47 Mon Sep 17 00:00:00 2001
+From: Andy Ning
+Date: Wed, 28 Mar 2018 14:06:57 -0400
+Subject: fix systemd tmpfiles ACL warnings
+
+systemd tmpfiles configuration file append ACLs to journal log
+directories/files to give access permissions to no-exist group "adm",
+causing systemd-tmpfiles-setup service to generate ACL parsing warnings.
+
+The patch fixed these warnings by replacing group "adm" with "wrs_protected".
+This also gives wrs_protected group members (including wrsroot) access to
+journal logs.
+
+Note: this issue has been fixed before PIKE rebase. After the rebase the
+original fix is no longer enough.
+---
+ tmpfiles.d/systemd.conf.m4 | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
+index d984912..cdf0bf1 100644
+--- a/tmpfiles.d/systemd.conf.m4
++++ b/tmpfiles.d/systemd.conf.m4
+@@ -35,11 +35,11 @@ z /var/log/journal 2755 root systemd-journal - -
+ z /var/log/journal/%m 2755 root systemd-journal - -
+ z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
+ m4_ifdef(`HAVE_ACL',``
+-a+ /var/log/journal - - - - d:group:adm:r-x,d:group:wheel:r-x
+-a+ /var/log/journal - - - - group:adm:r-x,group:wheel:r-x
++a+ /var/log/journal - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x
++a+ /var/log/journal - - - - group:wrs_protected:r-x,group:wheel:r-x
+ a+ /var/log/journal/%m - - - - d:group:wrs_protected:r-x,d:group:wheel:r-x
+ a+ /var/log/journal/%m - - - - group:wrs_protected:r-x,group:wheel:r-x
+-a+ /var/log/journal/%m/system.journal - - - - group:adm:r--,group:wheel:r--
++a+ /var/log/journal/%m/system.journal - - - - group:wrs_protected:r--,group:wheel:r--
+ '')m4_dnl
+
+ d /var/lib/systemd 0755 root root -
+--
+1.8.3.1
+
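Review bot: The three rewritten `a+` entries change who can read the journal, and the installed tmpfiles configuration will carry no record of why. Members of `wrs_protected` gain `r-x` on /var/log/journal, including through the `d:` default entry that applies to whatever is created under it later, and `r--` on system.journal. Journal data can include authentication and service output, so the substitution is worth stating next to the rules and not only in the patch description, for example with `# adm does not exist on this platform; wrs_protected is granted read access to the journal in its place` above the `m4_ifdef` line. The entries also still name `wheel`, and nothing in the hunk shows that either group exists by the time systemd-tmpfiles-setup runs; if one does not, the same parse warning would presumably return and the ACL would not be set, so the group creation order should be confirmed.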