[pkg-apparmor] Bug#782700: Please drop $remote_fs init.d dependency to allow running early

Martin Pitt mpitt at debian.org
Thu Apr 16 13:47:14 UTC 2015


Hello,

Michael Biebl [2015-04-16 15:22 +0200]:
> While we are that topic, I think it would be better to not pull apparmor
> specifics into ifup@.service and networking.service, but rather have
> apparmor ship a native .service file and specify the correct orderings,
> maybe by hooking up in network-pre.target.

Yes, fully agreed. I mostly did that in [1] to get an unintrusive fix
for the freeze, i.e. tuning the autogenerated unit.

But in Jessie+1 it would be really good if we got rid of rcS init.d
scripts entirely.

> Then again, I'm not too familiar with AppArmor: Is every service, which
> wants to be confined by apparmor supposed to declare a
> After=apparmor.service in its service file?

I don't think this is practical TBH. A MAC system might have profiles
for pretty much every binary in the system, so every service could
potentially be covered. Thus it's best to load and apply the profiles
as early as possible. I know that there's work going on to teach
systemd pid 1 about native loading of the profiles even before it
starts any unit; but that isn't done yet. Until then we can just
ensure that it runs before everything which has profiles and is a
potential security issue.

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
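To make the ordering that Michael proposes and Martin describes concrete, here is what a native unit along those lines could look like. This is an added illustration, not the unit that Debian's apparmor package ships and not part of the thread; the paths, the Description text and the exact ExecStart line are assumptions for the example.

```ini
# /etc/systemd/system/apparmor.service (illustrative example, not Debian's unit)
[Unit]
Description=Load AppArmor profiles before other services start
# Only makes sense when the kernel has AppArmor enabled.
ConditionSecurity=apparmor
# Drop the implicit After=sysinit.target; otherwise Before=sysinit.target
# below would be an ordering cycle and systemd would refuse the unit.
DefaultDependencies=no
# Profiles live under /etc, which is on the root filesystem, so the
# local filesystems are enough (this is the point of dropping $remote_fs).
After=local-fs.target
# Ordering before sysinit.target puts profile loading ahead of every unit
# that keeps its default dependencies, i.e. nearly all normal services.
# network-pre.target is a passive target: it is only pulled in if some
# unit Wants= it, hence the explicit Wants= in addition to Before=.
Wants=network-pre.target
Before=sysinit.target network-pre.target

[Service]
Type=oneshot
# Keep the unit "active" after the one-shot load so that Requires=/After=
# relationships from other units are satisfied for the rest of boot.
RemainAfterExit=yes
# -r replaces already-loaded profiles, so re-running the unit is safe.
ExecStart=/sbin/apparmor_parser -r /etc/apparmor.d/

[Install]
WantedBy=sysinit.target
```

A practitioner would want to check two things after dropping such a unit in: `systemd-analyze verify apparmor.service` reports ordering cycles introduced by the DefaultDependencies=no / Before=sysinit.target combination, and `systemctl list-dependencies --after apparmor.service` shows that no confined service is ordered ahead of the profile load. The limitation Martin notes still applies: the unit runs before every service, but it cannot cover PID 1 itself or anything started before the unit is reached, which is why native profile loading in systemd would be the stronger design.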