[pkg-apparmor] Bug#923367: AppArmor: Profile for journald

Jörg Sommer joerg at jo-so.de
Thu Mar 7 23:33:47 GMT 2019


intrigeri wrote on Thu 07 Mar, 21:41 (+0100):
> Jörg Sommer:
> > But journald starts before the AppArmor profiles get loaded.
> 
> I would suggest trying to use the AppArmorProfile= directive in the
> journald unit. I suspect it'll fail because some other stuff (normally
> set up by apparmor.service) is not ready yet at the time journald
> starts, but it'll be interesting to know what that stuff is and
> possibly we can set it up earlier.

These are the profiles themselves. They get loaded by apparmor.service.

> E.g. some of the work currently
> done by apparmor.service could be moved to another service, that
> starts earlier in the boot process.

That's difficult, because apparmor.service depends on local-fs.target and
journald gets started very early, before any filesystem is available.

The other difficult process would be systemd itself. You can only apply an
apparmor profile by restarting the process.

Do you know if Fedora or Suse have done something similar?

Regards Jörg

-- 
“It's been said you aren't a real UNIX system administrator until you've
edited a sendmail.cf file. It's also been said that you are crazy if you
attempted to do so twice.”