[pkg-apparmor] Bug#796589: apparmor: Has init script in runlevel S but no matching service file
intrigeri
intrigeri at debian.org
Wed Aug 26 15:45:12 UTC 2015
Hi,
here are my initial notes and (incomplete) drafts, partly inspired by
openSUSE's unit. I think we'll need at least two units. That's kind of
blocked by the ongoing discussion on /usr and click-specific
bits, though.
sys-kernel-security.mount
=========================
[Unit]
Description=Security File System
Documentation=XXX
DefaultDependencies=no
ConditionPathExists=/sys/kernel/security
[Mount]
What=none
Where=/sys/kernel/security
Type=securityfs
apparmor-load-policy.service
============================
[Unit]
Description=Load AppArmor profiles
DefaultDependencies=no
# Load policy before bringing up the first network interface,
# to be able to confine processes that access the network early,
# such as dhclient:
Wants=network-pre.target
Before=network-pre.target
# ... however, let's not add an exaggerated Before=basic.target
# or Before=sysinit.target, meant to ensure that the policy for basic system
# services is applied: in most cases that's not needed, and it is prone
# to introducing dependency loops
# (https://wiki.debian.org/Teams/pkg-systemd/rcSMigration).
# Instead, basic system services that should be confined with AppArmor
# should add an After=apparmor.service, just like it's done already e.g.
# by networking.service (Debian-specific) and libvirtd.service.
After=local-fs.target systemd-journald-audit.socket
RequiresMountsFor=/sys/kernel/security
# XXX: do we need to do anything at shutdown?
# If yes, then add Conflicts=shutdown.target and Before=shutdown.target,
# or we won't be gracefully stopped on shutdown due to DefaultDependencies=no.
ConditionSecurity=apparmor
ConditionPathIsReadWrite=/sys/kernel/security/apparmor/.load
ConditionVirtualization=!container
# do not perform start/stop/reload actions when running from the Ubuntu liveCD:
ConditionPathExists=!/rofs/etc/apparmor.d
Documentation=man:apparmor(7)
Documentation=http://wiki.apparmor.net/
[Service]
Type=oneshot
ExecStart=XXX
ExecReload=XXX
ExecRestart=XXX
ExecStop=XXX
RemainAfterExit=yes
# XXX: if we do anything else than trivially loading policy in ExecStart=,
# then we may need to add RequiresMountsFor=/usr (see the corresponding discussion
# on Debian#782700); hopefully it won't be the case, as it would almost
# certainly break the "/usr on a remote filesystem" use case, e.g. because
# of our Before=network-pre.target.
[Install]
WantedBy=multi-user.target
Cheers,
--
intrigeri
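The draft service above is gated by four Condition*= lines, and any one of them failing makes systemd skip the unit silently (it is "condition failed", not an error). The following is an added example, not part of the bug report or of the AppArmor package: a small Python re-implementation of the subset of condition semantics the draft relies on (ConditionPathExists with "!" negation, ConditionPathIsReadWrite, ConditionSecurity=apparmor), evaluated against a chosen root directory so a maintainer can reproduce offline which condition would block the unit. The unit text, the fake /sys and /rofs trees and the "writable by the caller" approximation of ConditionPathIsReadWrite are all constructed assumptions; real systemd checks the mount's read-only flag and detects virtualization itself.

```python
"""Evaluate the Condition*= lines of a systemd unit against a chosen root.

Added example (not the bug report's or the AppArmor package's code): it
re-implements, in simplified form, the condition checks that the draft
apparmor-load-policy.service relies on, so that one can see offline which
condition would make systemd skip the unit. The unit text and the directory
layout built below are constructed test fixtures.
"""
import os
import tempfile
from pathlib import Path

# Constructed copy of the condition lines from the draft unit above.
DRAFT_UNIT = """\
[Unit]
Description=Load AppArmor profiles
ConditionSecurity=apparmor
ConditionPathIsReadWrite=/sys/kernel/security/apparmor/.load
ConditionVirtualization=!container
# do not perform start/stop/reload actions when running from the Ubuntu liveCD:
ConditionPathExists=!/rofs/etc/apparmor.d

[Service]
Type=oneshot
"""


def parse_conditions(unit_text):
    """Return [(directive, negated, value)] for Condition*= keys in [Unit].

    A leading '!' negates the condition (systemd.unit(5)); the '|' triggering
    prefix is not modelled here. Comments (#, ;) and blank lines are skipped.
    """
    conditions = []
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("Condition"):
            conditions.append((key, value.startswith("!"), value.lstrip("!")))
    return conditions


def check_condition(directive, value, root):
    """Evaluate one non-negated condition under `root`; None if unsupported."""
    target = Path(root) / value.lstrip("/")
    if directive == "ConditionPathExists":
        return target.exists()
    if directive == "ConditionPathIsReadWrite":
        # Simplification: systemd tests the mount's read-only flag; here we
        # settle for "exists and is writable by the caller".
        return target.exists() and os.access(target, os.W_OK)
    if directive == "ConditionSecurity" and value == "apparmor":
        # systemd looks for the apparmor directory in securityfs.
        return (Path(root) / "sys/kernel/security/apparmor").is_dir()
    return None  # e.g. ConditionVirtualization: needs host detection, skipped


def evaluate_unit(unit_text, root):
    """Return (would_start, details); all conditions are ANDed like systemd."""
    details = []
    for directive, negated, value in parse_conditions(unit_text):
        result = check_condition(directive, value, root)
        if result is not None:
            result = result != negated   # apply the '!' negation
        details.append((directive, ("!" if negated else "") + value, result))
    # An unsupported check (None) is reported but does not veto the start.
    would_start = all(r is not False for _, _, r in details)
    return would_start, details


def build_fake_root(base, live_cd=False):
    """Construct a minimal /sys (and optionally /rofs) tree under `base`."""
    base = Path(base)
    load = base / "sys/kernel/security/apparmor/.load"
    load.parent.mkdir(parents=True, exist_ok=True)
    load.touch()
    if live_cd:
        (base / "rofs/etc/apparmor.d").mkdir(parents=True, exist_ok=True)
    return base


def demo():
    """Run the draft's conditions against a normal root and a live-CD-like one."""
    outcome = {}
    for name, live_cd in (("normal", False), ("livecd", True)):
        with tempfile.TemporaryDirectory() as tmp:
            root = build_fake_root(tmp, live_cd=live_cd)
            would_start, details = evaluate_unit(DRAFT_UNIT, root)
            outcome[name] = would_start
            for directive, value, result in details:
                print(f"{name:7} {directive}={value}: {result}")
    return outcome


if __name__ == "__main__":
    print(demo())  # {'normal': True, 'livecd': False}
```

Running it prints each condition's outcome for both constructed roots; only the live-CD-like tree, where /rofs/etc/apparmor.d exists, defeats the negated ConditionPathExists and would keep the service from starting. On a real host, `systemctl status` shows the same information in its "Condition check resulted in ... being skipped" line, so this is mainly useful while drafting the unit.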