[GH-ISSUE #1785] Better output options for the tracelog (e.g. console, logfile, journald) #1208

Closed
opened 2026-05-05 07:39:27 -06:00 by gitea-mirror · 7 comments

Originally created by @chocolateboy on GitHub (Feb 23, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1785

<s>There are [one](https://github.com/netblue30/firejail/issues/433) or [two](https://github.com/netblue30/firejail/issues/496) issues which mention trying to get `--tracelog` to log blacklist violations on systemd systems, but as far as I can tell no-one has managed to get this to work. At any rate, the assumption that syslog "just works" as a frontend (or backend) to journald does not appear to be true on Arch systems (at least).</s>

Is there a particular reason why syslog is being used for logging when most Linux systems are now using systemd/journald? AFAICT, the only major distros not using systemd (by default) are Gentoo and Slackware.

When trying to create/debug a profile, I'd prefer to be able to log these violations to the console, or, failing that, to a logfile. Only once the profile has stabilized would I want the logs to go somewhere more persistent.

Assuming you want to keep the --tracelog flag for backwards compatibility, how about a new option to select the transport/appender/sink to log blacklist violations to e.g.:

  • --tracelog-to=stdout
  • --tracelog-to=stderr
  • --tracelog-to=syslog (default)
  • --tracelog-to=journald

@SkewedZeppelin commented on GitHub (Feb 23, 2018):

Output options aside, are you saying that violations on Arch aren't logged to journald?

Because I can run the following command on Arch and Fedora and have it appear in `journalctl -f`

```
$ firejail --private --tracelog --blacklist=/etc/hosts nano /etc/hosts
```

```
$ journalctl -f
[time] [hostname] firejail[28194]: blacklist violation - sandbox 8500, exe nano, syscall open, path /etc/hosts
```

@chocolateboy commented on GitHub (Feb 23, 2018):

> are you saying that violations on Arch aren't logged to journald?

Yes, they're not logged on my system.

> I can run the following command and have it appear in journalctl -f

That isn't logged on my system. Are you using syslog-ng? Or rsyslog?


@SkewedZeppelin commented on GitHub (Feb 23, 2018):

@chocolateboy neither, I never did any extra configuration of logging on my Arch install, nor do I have those packages installed. And like I said it also works out of box on Fedora (which also doesn't have those packages). It's been that way for a while afaik.


@Vincent43 commented on GitHub (Feb 23, 2018):

journald should automatically retrieve messages going to syslog. Do you use any other syslog application?


@chocolateboy commented on GitHub (Feb 23, 2018):

@SkewedZeppelin, @Vincent43 You're right. Thanks for the clue! I've managed to trigger a violation and can confirm it's logged to the journal. I've crossed out that paragraph.

The rest of the request still stands :-)


@chiraag-nataraj commented on GitHub (Mar 29, 2018):

There's no harm in using syslog, though, since that retains compatibility with non-systemd systems and works just fine with systemd/journald.


@chocolateboy commented on GitHub (Mar 29, 2018):

@chiraag-nataraj Thanks. 👍 I'm closing this.

As suggested, I'd still like the option to log to the console or — failing that — to a logfile, but if anyone else wants that, it's probably best raised in a new issue that isn't muddied by the syslog-compatibility discussion since that seems to be working as intended.
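
For watching violations on the console while a profile is being debugged, the journal can be followed and filtered. The script below is an added example, not part of the thread and not firejail code; it parses the violation line format quoted earlier in the thread, and its function names and sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not firejail code. Live use while debugging a profile:
#   journalctl -f -t firejail | tracelog_violations
# (-t selects the "firejail" syslog identifier visible in the quoted output.)

# Print "exe<TAB>syscall<TAB>path" for each blacklist-violation line on stdin.
tracelog_violations() {
    awk '
    match($0, /firejail\[[0-9]+\]: blacklist violation - /) {
        rest = substr($0, RSTART + RLENGTH)
        i = index(rest, ", exe ")
        j = index(rest, ", syscall ")
        k = index(rest, ", path ")
        if (!i || !j || !k || j < i || k < j) next   # not the expected layout
        exe  = substr(rest, i + 6, j - (i + 6))
        sc   = substr(rest, j + 10, k - (j + 10))
        path = substr(rest, k + 7)                     # rest of line: keeps spaces
        printf "%s\t%s\t%s\n", exe, sc, path
    }'
}

# Count identical violations, most frequent first.
tracelog_summary() {
    tracelog_violations | sort | uniq -c | sort -rn
}

# Constructed sample journal lines (timestamps, host, PIDs and paths are made up).
sample_journal() {
    cat <<'EOF'
Feb 23 10:00:01 host firejail[28194]: blacklist violation - sandbox 8500, exe nano, syscall open, path /etc/hosts
Feb 23 10:00:02 host systemd[1]: Started Session 3 of user alice.
Feb 23 10:00:03 host firejail[28194]: blacklist violation - sandbox 8500, exe nano, syscall open, path /etc/hosts
Feb 23 10:00:04 host firejail[28201]: blacklist violation - sandbox 8500, exe cat, syscall stat, path /home/alice/My Docs/keys.txt
EOF
}

sample_journal | tracelog_summary
```

The summary view shows which blacklisted paths a program keeps touching, which is the information needed when deciding whether a profile rule is too strict.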
