From: Yu Watanabe Date: Sun, 13 Jul 2025 06:21:50 +0000 (+0900) Subject: journald-audit: do not control kernel auditing by non-default namespace instances... X-Git-Tag: v258-rc1~34^2~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3941032c6c5cd1e573904caf2d9557610ffc4f50;p=thirdparty%2Fsystemd.git journald-audit: do not control kernel auditing by non-default namespace instances by default The kernel (thus system-wide) auditing should not be controlled by non-default namespace instances, unless explicitly requested. --- diff --git a/man/journald.conf.xml b/man/journald.conf.xml index 30132bcffc5..1a68ba86985 100644 --- a/man/journald.conf.xml +++ b/man/journald.conf.xml @@ -482,7 +482,7 @@ kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor disable it, leaving the previous state unchanged. This means if another tool turns on auditing even if systemd-journald left it off, it will still collect the generated - messages. Defaults to on. + messages. Defaults to on in the default journal namespace, and unset otherwise. Note that this option does not control whether systemd-journald collects generated audit records, it just controls whether it tells the kernel to generate them. If you need diff --git a/src/journal/journald-config.c b/src/journal/journald-config.c index 58d86b507b9..c266833b035 100644 --- a/src/journal/journald-config.c +++ b/src/journal/journald-config.c @@ -49,7 +49,9 @@ static void manager_set_defaults(Manager *m) { /* By default, only read from /dev/kmsg if are the main namespace */ m->read_kmsg = !m->namespace; - m->set_audit = true; + /* By default, kernel auditing is enabled by the main namespace instance, and not controlled by + * non-default namespace instances. */ + m->set_audit = m->namespace ? -1 : true; m->sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC;
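Review bot: the new man page wording ("Defaults to on in the default journal namespace, and unset otherwise") states the behaviour but not the reason, and the surrounding text does not tell an administrator of a namespaced instance that kernel auditing is system-wide state rather than per-namespace. Consider carrying the rationale from the commit message into the paragraph, e.g. "Kernel auditing is system-wide, so instances serving non-default namespaces leave it untouched unless Audit= is set explicitly.", so that the existing sentence "If unset it will neither enable nor disable it, leaving the previous state unchanged" reads as the intended default for those instances rather than an accident.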
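Review bot: `m->set_audit = m->namespace ? -1 : true;` only works if `set_audit` is a tri-state `int`; its declaration is not in this hunk, and if the field is still a `bool` the `-1` collapses to `true` and namespaced instances keep enabling kernel auditing, silently undoing the change. Please confirm the field type and the `Audit=` config parser both handle the unset (`-1`) value, and make the new comment say what `-1` means, e.g. "-1 (unset): neither enable nor disable, matching the man page", since the bare `-1` next to `true` is otherwise easy to misread as a boolean.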