There are one or two issues which mention trying to get --tracelog to log blacklist violations on systemd systems, but as far as I can tell no-one has managed to get this to work. At any rate, the assumption that syslog "just works" as a frontend (or backend) to journald does not appear to be true on Arch systems (at least).
Is there a particular reason why syslog is being used for logging when most Linux systems are now using systemd/journald? AFAICT, the only major distros not using systemd (by default) are Gentoo and Slackware.
When trying to create/debug a profile, I'd prefer to be able to log these violations to the console, or, failing that, to a logfile. Only once the profile has stabilized would I want the logs to go somewhere more persistent.
Assuming you want to keep the --tracelog flag for backwards compatibility, how about a new option to select the transport/appender/sink to log blacklist violations to e.g.:
Output options aside, are you saying that violations on Arch aren't logged to journald?
Because I can run the following command on Arch and Fedora and have it appear in journalctl -f
```
$ firejail --private --tracelog --blacklist=/etc/hosts nano /etc/hosts
$ journalctl -f
```
> are you saying that violations on Arch aren't logged to journald?

Yes, they're not logged on my system.

> I can run the following command and have it appear in journalctl -f

That isn't logged on my system. Are you using syslog-ng? Or rsyslog?
@chocolateboy Neither. I never did any extra configuration of logging on my Arch install, nor do I have those packages installed. And like I said, it also works out of the box on Fedora (which also doesn't have those packages). It's been that way for a while AFAIK.
journald should automatically retrieve messages going to syslog. Do you use any other syslog application?
@SkewedZeppelin, @Vincent43 You're right. Thanks for the clue! I've managed to trigger a violation and can confirm it's logged to the journal. I've crossed out that paragraph.
The rest of the request still stands :-)
There's no harm in using syslog, though, since that retains compatibility with non-systemd systems _and_ works just fine with systemd/journald.
@chiraag-nataraj Thanks. :+1: I'm closing this.
As suggested, I'd still like the option to log to the console or — failing that — to a logfile, but if anyone else wants that, it's probably best raised in a new issue that isn't muddied by the syslog-compatibility discussion since that seems to be working as intended.
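As an added example (not code from this thread or from firejail itself), here is a small Python tail that follows journald and echoes `--tracelog` blacklist violations to the console and, optionally, a log file, which is what the request above asks for without changing firejail. It assumes journald holds the `syslog()` messages from libtracelog, as confirmed above, and that each message reads `blacklist violation - sandbox <pid>, exe <name>, syscall <call>, path <path>`; that pattern is my recollection of libtracelog's format, not something the thread states, so adjust `VIOLATION_RE` if your version logs differently. The journal lines in `SAMPLE_JOURNAL` are constructed for the example, including the `SYSLOG_IDENTIFIER` values.

```python
#!/usr/bin/env python3
"""Tail journald for firejail --tracelog blacklist violations and echo them
to the console and/or a log file.  Added example, not firejail's own code.

Assumed message format (my recollection of libtracelog, adjust if needed):
  "blacklist violation - sandbox <pid>, exe <name>, syscall <call>, path <path>"
"""
import json
import re
import subprocess
import sys
from datetime import datetime, timezone
from typing import Iterable, Iterator, List, Optional

VIOLATION_RE = re.compile(
    r"blacklist violation - sandbox (?P<sandbox>\d+), exe (?P<exe>\S+), "
    r"syscall (?P<syscall>\S+), path (?P<path>.+)$"
)

# Constructed sample of `journalctl -o json` output (one JSON object per
# line), including an unrelated entry and a corrupt line to be skipped.
SAMPLE_JOURNAL = [
    json.dumps({"__REALTIME_TIMESTAMP": "1500000000000000",
                "SYSLOG_IDENTIFIER": "firejail", "_PID": "26370",
                "MESSAGE": "blacklist violation - sandbox 26370, exe nano, "
                           "syscall open, path /etc/hosts"}),
    json.dumps({"__REALTIME_TIMESTAMP": "1500000001000000",
                "SYSLOG_IDENTIFIER": "sshd",
                "MESSAGE": "Accepted publickey for user from 192.0.2.1 port 2222"}),
    "{not json",
    json.dumps({"__REALTIME_TIMESTAMP": "1500000002000000",
                "SYSLOG_IDENTIFIER": "firejail",
                "MESSAGE": "blacklist violation - sandbox 26370, exe nano, "
                           "syscall access, path /etc/hosts.allow"}),
]


def parse_violation(message: str) -> Optional[dict]:
    """Return the fields of a tracelog violation, or None for any other line."""
    m = VIOLATION_RE.search(message)
    if not m:
        return None
    rec = m.groupdict()
    rec["sandbox"] = int(rec["sandbox"])
    return rec


def violations_from_journal(json_lines: Iterable[str]) -> Iterator[dict]:
    """Yield violation records from `journalctl -o json` lines.  Malformed
    lines are skipped instead of aborting the tail."""
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        msg = entry.get("MESSAGE")
        if not isinstance(msg, str):      # journald encodes binary MESSAGE as an array
            continue
        rec = parse_violation(msg)
        if rec is None:
            continue
        ts = entry.get("__REALTIME_TIMESTAMP")   # microseconds since epoch, as a string
        rec["time"] = (datetime.fromtimestamp(int(ts) / 1_000_000, tz=timezone.utc)
                       .isoformat() if ts else None)
        rec["ident"] = entry.get("SYSLOG_IDENTIFIER")
        yield rec


def format_violation(rec: dict) -> str:
    return (f"{rec.get('time') or '-'} sandbox={rec['sandbox']} exe={rec['exe']} "
            f"syscall={rec['syscall']} path={rec['path']}")


def demo() -> List[dict]:
    """Run the parser over the constructed sample; used to check the logic offline."""
    return list(violations_from_journal(SAMPLE_JOURNAL))


def main(argv: list) -> int:
    """Follow the live journal; optional argv[1] is a log file to append to."""
    logfile = argv[1] if len(argv) > 1 else None
    proc = subprocess.Popen(["journalctl", "-f", "-n", "0", "-o", "json"],
                            stdout=subprocess.PIPE, text=True)
    out = open(logfile, "a") if logfile else None
    try:
        for rec in violations_from_journal(proc.stdout):
            line = format_violation(rec)
            print(line, flush=True)
            if out:
                out.write(line + "\n")
                out.flush()
    except KeyboardInterrupt:
        pass
    finally:
        proc.terminate()
        if out:
            out.close()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in one terminal (`python3 tracelog_tail.py /tmp/firejail-violations.log`) and trigger a violation in another with the `firejail --tracelog --blacklist=...` command shown earlier in the thread; only the parsed violations reach the console and the file, so the profile-debugging loop is not buried in unrelated journal traffic.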