Bug#760526: Enable AppArmor support (using libapparmor)
Michael scherer
misc at zarb.org
Sun Oct 12 01:23:22 BST 2014
On Sun, Oct 12, 2014 at 01:40:29AM +0200, Michael scherer wrote:
> So, investigating the problem.
>
> The issue is that:
>
> ReadOnlyDirectories = /
>
> makes aa_change_onexec fail with
>
> Oct 11 23:22:25 test-debian systemd[1985]: Failed at step APPARMOR spawning /usr/bin/tor: Read-only file system
>
> (once there is proper reporting). I suspect the issue is upstream, with the ordering of readonly vs apparmor.
>
> Adding :
>
> ReadWriteDirectories = /proc
>
> Seems to fix the issue as well. I am trying to see if I can fix it properly upstream by moving around
> apparmor support in the source code.
So there is a catch-22. If we set the profile before the mount, it fails with:
Oct 12 00:13:40 test-debian systemd[1121]: Failed at step NAMESPACE spawning /usr/bin/tor: No such file or directory
If we set it after, it fails with the previous error. I think someone needs to see with upstream apparmor
people about the proper way to do that. I will try to see on systemd-devel if someone knows why it fails like this.
--
Michael Scherer
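The failure described in this thread comes from aa_change_onexec() having to write the profile name into /proc/self/attr/exec, which ReadOnlyDirectories=/ has already bind-mounted read-only; ReadWriteDirectories=/proc re-exposes that path writable. The following is an added example, not code from systemd, libapparmor or this thread: a small lint that reads a unit's [Service] directives and predicts whether the APPARMOR step would hit EROFS. It assumes that overlapping ReadOnlyDirectories=/ReadWriteDirectories= entries resolve by longest matching prefix (the more specific mount wins) and that the attribute path is /proc/self/attr/exec; the unit text and profile name are constructed.

```python
#!/usr/bin/env python3
"""Lint: does a unit's read-only sandbox leave the AppArmor exec attribute writable?"""
from pathlib import PurePosixPath

# Path aa_change_onexec() writes "exec <profile>" to (assumed; newer kernels also
# expose /proc/self/attr/apparmor/exec).
ATTR_EXEC = "/proc/self/attr/exec"

def parse_unit(text):
    """Collect AppArmorProfile=, ReadOnlyDirectories= and ReadWriteDirectories=
    from the unit text; repeated directives accumulate, as in systemd."""
    profile, ro, rw = None, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "AppArmorProfile":
            profile = value
        elif key == "ReadOnlyDirectories":
            ro += value.split()
        elif key == "ReadWriteDirectories":
            rw += value.split()
    return profile, ro, rw

def is_writable(path, ro, rw):
    """Model nested bind mounts: the longest prefix listed in either directive
    decides the mode of `path`; an unlisted path keeps its normal (writable) mode."""
    path = PurePosixPath(path)
    best_len, writable = -1, True
    for dirs, flag in ((ro, False), (rw, True)):
        for d in dirs:
            d = PurePosixPath(d)
            if (path == d or d in path.parents) and len(d.parts) > best_len:
                best_len, writable = len(d.parts), flag
    return writable

def check_unit(text):
    """Return the expected spawn failure, or None if the unit looks fine."""
    profile, ro, rw = parse_unit(text)
    if profile is None:          # no AppArmor step, nothing to write
        return None
    if not is_writable(ATTR_EXEC, ro, rw):
        return "Failed at step APPARMOR: Read-only file system"
    return None

# Constructed unit fragments mirroring the thread: broken, then with the workaround.
BROKEN = "[Service]\nExecStart=/usr/bin/tor\nAppArmorProfile=system_tor\nReadOnlyDirectories=/\n"
FIXED = BROKEN + "ReadWriteDirectories=/proc\n"

if __name__ == "__main__":
    for name, unit in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", check_unit(unit) or "ok")
```

The check is only a static model of the mount layout; it says nothing about the NAMESPACE-step ordering problem the follow-up describes, which has to be settled in systemd itself.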