[pkg-apparmor] Bug#796589: apparmor: Has init script in runlevel S but no matching service file

[Felipe Sateler]

Control: tags -1 patch

On Sat, 22 Aug 2015 17:04:38 -0300 fsateler at debian.org wrote:
> Hi,
>
> Your package apparmor has an initscript that is enabled in runlevel
> S, but it does not provide a corresponding systemd service unit.

Please find attached a unit that wraps the currently existing init
script. Proper integration (which I understand is being worked on) can
be added later.

I added a RequiresMountsFor=/var/lib because the init script tries to
read and write to /var. Unfortunately, because /var can be
remote-mounted, this can cause a dependency loop if the network is
brought up later in the boot process (ie, by a service with
DefaultDependencies=yes). Thus we cannot reasonably restrict apparmor
to start Before=sysinit.target without possibly introducing dependency
loops. If the /var dependency is optional, then please drop the
RequiresMountsFor, and add Before=sysinit.target so that all normal
services start properly contained.

Also, apparmor init script is not stopped on shutdown (and thus I did
not add a Conflicts on shutdown.target), you might want to consider
dropping the ExecStop in that case.

Result is untested (other than build-install), as I have no idea how
to test a security module is working ok.

Saludos
-------------- next part --------------
diff -Nru apparmor-2.10/debian/apparmor.service apparmor-2.10/debian/apparmor.service
--- apparmor-2.10/debian/apparmor.service	1969-12-31 21:00:00.000000000 -0300
+++ apparmor-2.10/debian/apparmor.service	2016-06-06 19:22:31.000000000 -0400
@@ -0,0 +1,16 @@
+[Unit]
+Description=AppArmor initialization
+After=local-fs.target
+ConditionVirtualization=!container
+ConditionSecurity=apparmor
+RequiresMountsFor=/var/lib
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/etc/init.d/apparmor start
+ExecStop=/etc/init.d/apparmor stop
+ExecReload=/etc/init.d/apparmor reload
+
+[Install]
+WantedBy=sysinit.target
diff -Nru apparmor-2.10/debian/changelog apparmor-2.10/debian/changelog
--- apparmor-2.10/debian/changelog	2016-03-29 17:30:38.000000000 -0300
+++ apparmor-2.10/debian/changelog	2016-06-06 19:12:08.000000000 -0400
@@ -1,3 +1,11 @@
+apparmor (2.10-4.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Add a systemd unit wrapping the init script.
+    Closes: #796589
+
+ -- Felipe Sateler <fsateler at debian.org>  Mon, 06 Jun 2016 19:11:31 -0400
+
 apparmor (2.10-4) unstable; urgency=medium
 
   * Team upload.
diff -Nru apparmor-2.10/debian/control apparmor-2.10/debian/control
--- apparmor-2.10/debian/control	2016-01-25 18:33:08.000000000 -0300
+++ apparmor-2.10/debian/control	2016-06-06 19:24:06.000000000 -0400
@@ -16,7 +16,8 @@
     libpam-dev,
     texlive-latex-base, texlive-latex-recommended,
     python-all-dev, python, python3-all-dev, python3,
-    perl (>= 5.8.0), liblocale-gettext-perl, pkg-config
+    perl (>= 5.8.0), liblocale-gettext-perl, pkg-config,
+    dh-systemd
 Standards-Version: 3.9.6
 Homepage: http://apparmor.net/
 Vcs-Bzr: https://anonscm.debian.org/bzr/collab-maint/apparmor
diff -Nru apparmor-2.10/debian/rules apparmor-2.10/debian/rules
--- apparmor-2.10/debian/rules	2015-08-28 13:57:01.000000000 -0300
+++ apparmor-2.10/debian/rules	2016-06-06 19:23:48.000000000 -0400
@@ -11,7 +11,7 @@
 export PYTHON_VERSIONS=python3
 
 %:
-	dh $@ --with=python2,python3,apache2
+	dh $@ --with=python2,python3,apache2,systemd
 
 
 override_dh_auto_configure: