From 6b13e14788ddabb244b290d933c7b2d163b6bb46 Mon Sep 17 00:00:00 2001 From: Richard Laager Date: Thu, 10 May 2018 15:23:15 -0500 Subject: [PATCH] Ubuntu 18.04: Enable ACLs on /var/log journald ideally wants ACL support on /var/log. Reported-by: https://www.reddit.com/user/Jahara --- Ubuntu-18.04-Root-on-ZFS.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Ubuntu-18.04-Root-on-ZFS.md b/Ubuntu-18.04-Root-on-ZFS.md index e5819dc..f803999 100644 --- a/Ubuntu-18.04-Root-on-ZFS.md +++ b/Ubuntu-18.04-Root-on-ZFS.md @@ -138,7 +138,7 @@ With ZFS, it is not normally necessary to use a mount command (either `mount` or # zfs create -o mountpoint=/root rpool/home/root # zfs create -o canmount=off -o setuid=off -o exec=off rpool/var # zfs create -o com.sun:auto-snapshot=false rpool/var/cache - # zfs create rpool/var/log + # zfs create -o acltype=posixacl -o xattr=sa rpool/var/log # zfs create rpool/var/spool # zfs create -o com.sun:auto-snapshot=false -o exec=on rpool/var/tmp 
@@ -155,7 +155,7 @@ With ZFS, it is not normally necessary to use a mount command (either `mount` or # zfs create -o com.sun:auto-snapshot=false \ -o mountpoint=/var/lib/nfs rpool/var/nfs -The primary goal of this dataset layout is to separate the OS from user data. This allows the root filesystem to be rolled back without rolling back user data such as logs (in `/var/log`). This will be especially important if/when a `beadm` or similar utility is integrated. Since we are creating multiple datasets anyway, it is trivial to add some restrictions (for extra security) at the same time. The `com.sun.auto-snapshot` setting is used by some ZFS snapshot utilities to exclude transient data. +The primary goal of this dataset layout is to separate the OS from user data. This allows the root filesystem to be rolled back without rolling back user data such as logs (in `/var/log`). This will be especially important if/when a `beadm` or similar utility is integrated. Since we are creating multiple datasets anyway, it is trivial to add some restrictions (for extra security) at the same time. The `com.sun.auto-snapshot` setting is used by some ZFS snapshot utilities to exclude transient data. [We enable POSIX ACLs on /var/log for journald.](https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported) 3.4 For LUKS installs only:
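Review bot: In the first hunk (the `rpool/var/log` line at -138), `-o xattr=sa` is added next to `-o acltype=posixacl`, but neither the commit message nor the sentence added to the guide explains it. ZFS on Linux stores POSIX ACLs as extended attributes, so `xattr=sa` keeps them in the inode instead of in hidden xattr directories. Mentioning that in the guide text would keep readers from dropping the option as unrelated. The change only covers the `zfs create` line, so a note for existing installs would help: `zfs set acltype=posixacl rpool/var/log` and `zfs set xattr=sa rpool/var/log` apply the same properties to a dataset that already exists.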
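Review bot: In the second hunk (the paragraph at -155), the added sentence is one whole-sentence link that covers only the ACL half of the change, and it writes /var/log without the backticks used for `/var/log` earlier in the same paragraph. Suggest something like "We enable POSIX ACLs (`acltype=posixacl`, with `xattr=sa`) on `/var/log` for journald", with the askubuntu link on a few words rather than the full sentence. While this line is being touched, the paragraph says `com.sun.auto-snapshot` but the commands in the first hunk use `com.sun:auto-snapshot`. The dot should be a colon.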