units: set capability bounding set for syslog services

TODO

@@ -25,12 +25,18 @@ F15:
 * don't trim empty cgroups
   https://bugzilla.redhat.com/show_bug.cgi?id=678555
 
-* drop cap bounding set in logger, hostnamed, readahead, ...
-
 * make anaconda write timeout=0 for encrypted devices
 
+* Fix assert http://lists.freedesktop.org/archives/systemd-devel/2011-April/001910.html
+
 Features:
 
+* maybe lower default timeout to 2min?
+
+* GC unreferenced jobs (such as .device jobs)
+
+* support wildcard expansion in ListeStream= and friends
+
 * Add ListenSpecial to .socket units for /proc/kmsg and similar friends?
 
 * avoid DefaultStandardOutput=syslog to have any effect on StandardInput=socket services
@@ -205,6 +211,8 @@ Features:
 
 * allow runtime changing of log level and target
 
+* drop cap bounding set in readahead and other services
+
 External:
 
 * udisks should not use udisks-part-id, instead use blkid. also not probe /dev/loopxxx

units/systemd-kmsg-syslogd.service.in

@@ -16,3 +16,4 @@ ExecStart=@rootlibexecdir@/systemd-kmsg-syslogd
 NotifyAccess=all
 StandardOutput=null
 Sockets=syslog.socket
+CapabilityBoundingSet=CAP_DAC_OVERRIDE

units/systemd-logger.service.in

@@ -17,3 +17,4 @@ After=syslog.socket
 ExecStart=@rootlibexecdir@/systemd-logger
 NotifyAccess=all
 StandardOutput=null
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID