e434130d0b
Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided. However the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines. This caused `systemd-analyze verify` to fail: ```text systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing. systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting. systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting. ``` The upstream unit already contains the following, which should make it safe to include regardless: ```ini [Unit] ConditionSecurity=audit ConditionCapability=CAP_AUDIT_READ ``` For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696). Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com> Signed-off-by: benaryorg <binary@benary.org>
5.7 KiB
5.7 KiB