[apparmor] What's the right way to enforce program in systemd service?
intrigeri
intrigeri at debian.org
Tue Aug 12 08:23:14 UTC 2014
Hi,
Christian Boltz wrote (11 Aug 2014 21:53:40 GMT) :
> It looks unnecessary to me - the dependencies should already enforce
> loading all AppArmor profiles before any daemons are started (at least
> it works on openSUSE that way).
... and, if a given system-wide daemon needs a specific profile that
doesn't match the program's path (e.g. see system_tor in Debian), then
systemd v210 adds support for running that service with an explicitly
defined profile.
> That all said - currently I use the good old initscript even with
> systemd. Having a systemd unit to load all profiles would be nice (and
> would solve some annoying problems) - is someone interested in writing
> one? ;-)
There's been discussion about it on the systemd ML ~2-3 months ago,
and also on #apparmor at about the same time, but IIRC nobody summed
up this discussion on the list. IIRC, Marc Deslauriers, among others,
had interesting ideas on this topic. I think one of the key points
here is how to early load those profiles that really need it, e.g.
things that Ubuntu loads via Upstart (dhcp client, ntp).
Cheers,
--
intrigeri
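Added example (not from this thread): what the systemd v210 support mentioned above looks like in practice, as a drop-in for a unit assumed here to be called tor.service; the apparmor.service name used for ordering is also an assumption, since the unit that loads profiles is exactly what this thread says does not exist yet.

```ini
# /etc/systemd/system/tor.service.d/apparmor.conf  (hypothetical drop-in path)
[Unit]
# The profile must already be in the kernel when the daemon starts, so
# order after whatever unit loads the profiles (name assumed).
After=apparmor.service

[Service]
# Needs systemd >= 210. The profile name is given explicitly because it
# does not match the binary's path (Debian's system_tor profile).
# Without a leading "-" the unit fails to start if the profile is not
# loaded; with "-" (i.e. -system_tor) the error is ignored and the
# daemon silently runs unconfined, which is the failure mode to avoid.
AppArmorProfile=system_tor
```

After `systemctl daemon-reload` and a restart, `cat /proc/$(systemctl show -p MainPID tor.service | cut -d= -f2)/attr/current` should print `system_tor (enforce)`; `unconfined` means the profile was not applied.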