journald-audit: do not control kernel auditing by non-default namespace instances...

The kernel (thus system-wide) auditing should not be controlled by
non-default namespace instances, unless explicitly requested.

diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index 30132bcffc55784c00076bcd02f8467ad9ac9a2d..1a68ba869850d0d7be01a4b744eb7d4444ccfa4d 100644 (file)
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -482,7 +482,7 @@
         kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
         disable it, leaving the previous state unchanged.  This means if another tool turns on auditing even
         if <command>systemd-journald</command> left it off, it will still collect the generated
-        messages. Defaults to on.</para>
+        messages. Defaults to on in the default journal namespace, and unset otherwise.</para>
 
         <para>Note that this option does not control whether <command>systemd-journald</command> collects
         generated audit records, it just controls whether it tells the kernel to generate them. If you need

diff --git a/src/journal/journald-config.c b/src/journal/journald-config.c
index 58d86b507b9b677b6f0af8bded25489fb806223a..c266833b035493f20fa5bb56b3a13a0c65074b34 100644 (file)
--- a/src/journal/journald-config.c
+++ b/src/journal/journald-config.c
@@ -49,7 +49,9 @@ static void manager_set_defaults(Manager *m) {
         /* By default, only read from /dev/kmsg if are the main namespace */
         m->read_kmsg = !m->namespace;
 
-        m->set_audit = true;
+        /* By default, kernel auditing is enabled by the main namespace instance, and not controlled by
+         * non-default namespace instances. */
+        m->set_audit = m->namespace ? -1 : true;
 
         m->sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC;