[pkg-apparmor] Bug#796589: apparmor: Has init script in runlevel S but no matching service file
Christian Boltz
apparmor-debian at cboltz.de
Wed Jun 15 11:38:10 UTC 2016
Hello,
[intentionally not replying to the bug - pkg-apparmor is enough for this mail]
On Friday, 10 June 2016, 22:26:10 CEST, intrigeri wrote:
> Andreas Henriksson wrote (09 Jun 2016 13:54:49 GMT) :
> > Would be nice to see this bug report resolved quite soon!
>
> Right. Thanks for the great systemd integration work you folks are
> doing. I don't want AppArmor to block this work too much.
> Thanks Felipe for the patch!
>
> > Please tell me if there's anything I can help out with to
> > get this resolved ASAP.
>
> I'm adding this to the list of what I'll try to work on during DebCamp
> (2016-06-23 to 2016-07-01).
Is there a chance that you'll also work on the profile repo? ;-)
If yes, ask Steve to provide an up-to-date git version of
lp:apparmor-profiles - he test-converted it several months ago, but since
then the bzr version changed again.
> I'll first try Felipe's patch, and then
> may spend some time working on a nicer unit file. I'd love to work on
> this with others, remotely if needed, so if you're interested, let me
> know! :)
You might also want to look at the openSUSE apparmor.service. It's just
a wrapper around the old initscript, so the most interesting things are
probably the dependencies.
https://build.opensuse.org/package/view_file/security:apparmor/apparmor/apparmor.service?expand=1
We'll see if you can grab something from the openSUSE service file or if
you tell me that I need to integrate something from the Debian service
file ;-)
BTW: systemd maps
systemctl foo restart
to
systemctl foo stop ; systemctl foo start
which means using "systemctl restart apparmor" will remove the AppArmor
confinement from running processes :-(
"systemctl reload apparmor" of course works as expected, but you should
be aware that restart is a very bad idea.
I tried to convince systemd upstream to implement an ExecRestart= option
which could be used to override the default stop/start behaviour, but
they aren't willing to implement it. (And I'm not the first one who
asked for this.)
At least the discussion was sometimes entertaining [1], see
https://lists.freedesktop.org/archives/systemd-devel/2016-May/036574.html
Regards,
Christian Boltz
[1] I'd really have enjoyed it if the outcome didn't mean that
accidentally using "restart" instead of "reload" makes the system
insecure...
--
<coolo> ancor: oh, sorry. you can't know yet: coolo is always right
[from #opensuse-project]
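
Added example, not part of the original mail and not AppArmor project code: a check for the effect described above, listing processes that run unconfined although a loaded profile is named after their executable. The function names and the sample data are constructed for illustration, and it assumes profiles named by an exact executable path (no globs, no separate attachment spec).

```python
import os

def parse_label(text):
    """Split an AppArmor label like '/usr/sbin/ntpd (enforce)' into (name, mode)."""
    text = text.strip(" \n\x00")
    if text.endswith(")") and " (" in text:
        name, mode = text.rsplit(" (", 1)
        return name, mode[:-1]
    return text, None  # 'unconfined' carries no mode

def lost_confinement(profile_lines, processes):
    """Return [(pid, exe)] for unconfined processes whose exe path is a loaded profile name."""
    loaded = {parse_label(line)[0] for line in profile_lines if line.strip()}
    hits = []
    for pid, exe, label in processes:
        name, _mode = parse_label(label)
        if name == "unconfined" and exe in loaded:
            hits.append((pid, exe))
    return hits

def live_processes():
    """Yield (pid, exe, label) from /proc; processes we may not inspect are skipped."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/attr/current") as fh:
                label = fh.read()
        except OSError:
            continue
        yield int(pid), exe, label

# Constructed sample: state after a stop/start cycle. Profiles are loaded again,
# but the already running ntpd (pid 812) was never re-attached to its profile.
SAMPLE_PROFILES = ["/usr/sbin/ntpd (enforce)", "/usr/sbin/cupsd (enforce)"]
SAMPLE_PROCS = [
    (812, "/usr/sbin/ntpd", "unconfined\n"),
    (990, "/usr/sbin/cupsd", "/usr/sbin/cupsd (enforce)\n"),  # started after the reload
    (1204, "/bin/bash", "unconfined\n"),                      # no profile exists: expected
]

if __name__ == "__main__":
    try:  # the profile list is usually readable by root only
        with open("/sys/kernel/security/apparmor/profiles") as fh:
            profiles, procs = fh.readlines(), list(live_processes())
    except OSError:
        profiles, procs = SAMPLE_PROFILES, SAMPLE_PROCS
    for pid, exe in lost_confinement(profiles, procs):
        print(f"pid {pid} ({exe}) is unconfined but a profile is loaded; restart that service")
```

A process reported here keeps running unconfined until it is itself restarted; reloading the profiles does not re-attach it.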